Syslog Facility and Priority Reference
Overview
Syslog is a standard protocol for transmitting log messages from network devices and systems. Each syslog message encodes its priority as a single PRI constant value that combines a Facility and a Severity.
PRI Constant Value Calculation Method
The PRI constant value is calculated using the following formula:
PRI = Facility × 8 + Severity
Calculation Example
- Facility: 16 (local0)
- Severity: 6 (info)
- PRI Constant Value: 16 × 8 + 6 = 134
Facility Codes
| Code | Facility | Description |
|---|---|---|
| 0 | kern | Kernel messages |
| 1 | user | User-level messages |
| 2 | mail | Mail system |
| 3 | daemon | System daemons |
| 4 | auth | Security/authorization messages |
| 5 | syslog | Messages generated internally by syslogd |
| 6 | lpr | Line printer subsystem |
| 7 | news | Network news subsystem |
| 8 | uucp | UUCP subsystem |
| 9 | clock | Clock daemon |
| 10 | authpriv | Security/authorization messages |
| 11 | ftp | FTP daemon |
| 12 | ntp | NTP subsystem |
| 13 | audit | Log audit |
| 14 | alert | Log alert |
| 15 | solaris-cron | Clock daemon (Solaris) |
| 16 | local0 | Local use facility 0 |
| 17 | local1 | Local use facility 1 |
| 18 | local2 | Local use facility 2 |
| 19 | local3 | Local use facility 3 |
| 20 | local4 | Local use facility 4 |
| 21 | local5 | Local use facility 5 |
| 22 | local6 | Local use facility 6 |
| 23 | local7 | Local use facility 7 |
Severity Codes
| Code | Severity | Description |
|---|---|---|
| 0 | emerg | Emergency: system is unusable |
| 1 | alert | Alert: action must be taken immediately |
| 2 | crit | Critical: critical conditions |
| 3 | error | Error: error conditions |
| 4 | warn | Warning: warning conditions |
| 5 | notice | Notice: normal but significant condition |
| 6 | info | Informational: informational messages |
| 7 | debug | Debug: debug-level messages |
PRI Constant Value Reference Table
| Facility(↓) Severity(→) | 0/Emer | 1/Alert | 2/Crit | 3/Error | 4/Warn | 5/Notice | 6/Info | 7/Debug |
|---|---|---|---|---|---|---|---|---|
| 0 / kern | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 |
| 1 / user | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 2 / mail | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| 3 / daemon | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 |
| 4 / auth | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 |
| 5 / syslog | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 |
| 6 / lpr | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 |
| 7 / news | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 |
| 8 / uucp | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 |
| 9 / clock | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 |
| 10 / authpriv | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 |
| 11 / ftp | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 |
| 12 / ntp | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 |
| 13 / audit | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 |
| 14 / alert | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 |
| 15 / solaris-cron | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 |
| 16 / local0 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 |
| 17 / local1 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 |
| 18 / local2 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 |
| 19 / local3 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 |
| 20 / local4 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 |
| 21 / local5 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 |
| 22 / local6 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 |
| 23 / local7 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 |
Usage
Using in Logpresso Sonar
Enter the desired PRI constant values in the Syslog Facility List field when configuring the syslog collector:
- Single value: 134 (local0.info)
- Multiple values: 134,135,136 (local0's info and debug, local1's emerg)
- All values: Leave empty.
Special Values
- Empty value: Equivalent to entering all facility values (collects all messages)
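The following Python sketch is an added example, not Logpresso Sonar's code: it models the list semantics described above (comma-separated PRI values, empty meaning all values) and shows which messages a given list would keep or drop. The function names and sample messages are constructed for illustration, and matching on the leading `<PRI>` header of each message is an assumption about how such a list is applied.

```python
import re

# Names taken from the facility and severity tables on this page.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "clock", "authpriv", "ftp", "ntp", "audit", "alert",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "error", "warn", "notice", "info", "debug"]
PRI_HEADER = re.compile(r"^<(\d{1,3})>")  # leading "<PRI>" of a syslog message

def decode_pri(pri):
    """Split a PRI value into (facility, severity) names; reject out-of-range."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} is outside 0..191")
    facility, severity = divmod(pri, 8)  # inverse of PRI = Facility * 8 + Severity
    return FACILITIES[facility], SEVERITIES[severity]

def parse_facility_list(text):
    """Parse a comma-separated PRI list; an empty string means all 192 values."""
    if not text.strip():
        return set(range(192))
    allowed = set()
    for item in text.split(","):
        pri = int(item.strip())  # ValueError on a non-numeric or empty entry
        decode_pri(pri)          # ValueError on an out-of-range entry
        allowed.add(pri)
    return allowed

def filter_messages(lines, facility_list):
    """Return (kept, dropped); kept entries are ((facility, severity), line)."""
    allowed = parse_facility_list(facility_list)
    kept, dropped = [], []
    for line in lines:
        m = PRI_HEADER.match(line)
        if m and int(m.group(1)) in allowed:
            kept.append((decode_pri(int(m.group(1))), line))
        else:  # no header, PRI above 191, or PRI not in the list
            dropped.append(line)
    return kept, dropped

# Constructed sample messages (not real logs).
SAMPLE = [
    "<134>Oct 11 22:14:15 fw01 app: session opened",
    "<135>Oct 11 22:14:16 fw01 app: debug trace",
    "<86>Oct 11 22:14:17 host1 sshd[411]: Accepted publickey for alice",
    "<999>Oct 11 22:14:18 host1 bogus: out-of-range PRI",
    "no PRI header at all",
]

if __name__ == "__main__":
    kept, dropped = filter_messages(SAMPLE, "134,135,136")
    print(len(kept), "kept,", len(dropped), "dropped")
```

With the list `134,135,136`, the constructed authpriv.info (PRI 86) sshd line is dropped, which is the kind of gap to check for before narrowing the list on a collector that should receive authentication events.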