Description
This article describes how to use the facility function of syslogd. 'Facility' is a value that indicates the source of the Syslog entry.
Scope
FortiGate.
Solution
On a log server that receives logs from many devices, this is a separator to identify the source of the log.
config log syslogd setting
...
set facility [kernel|user|...]
...
All facility config options are listed below:
|
Option |
Description |
|---|---|
|
kernel |
Kernel messages. |
|
user |
Random user-level messages. |
|
|
Mail system. |
|
daemon |
System daemons. |
|
auth |
Security/authorization messages. |
|
syslog |
Messages generated internally by syslog. |
|
lpr |
Line printer subsystem. |
|
news |
Network news subsystem. |
|
uucp |
Network news subsystem. |
|
cron |
Clock daemon. |
|
authpriv |
Security/authorization messages (private). |
|
ftp |
FTP daemon. |
|
ntp |
NTP daemon. |
|
audit |
Log audit. |
|
alert |
Log alert. |
|
clock |
Clock daemon. |
|
local0 |
Reserved for local use. |
|
local1 |
Reserved for local use. |
|
local2 |
Reserved for local use. |
|
local3 |
Reserved for local use. |
|
local4 |
Reserved for local use. |
|
local5 |
Reserved for local use. |
|
local6 |
Reserved for local use. |
|
local7 |
Reserved for local use. |
Each one of the above categories has a predefined value.The logs are sent to the Syslog server with the following calculation:
<Facility value>*8 + <Severity of the log>
When the log has a leading <189>, it means that it has been calculated as 23*8+5 (23 = local7, 5 = Notice).
These values can be found in the Syslog RFC.
Changing the category of the log in FortiGate can facilitate a separation of the logs.
For example, to distinguish between syslogd and syslogd2:
Related document:
config log syslogd setting
