Updated: 2014-05-18
What Are Syslog Facility Codes?
In any networked environment—whether it’s a Cisco firewall, a Linux server, or a Windows host forwarding event data—Syslog is the de facto standard for event logging. Each Syslog message includes two key identifiers: a facility code and a severity level.
While severity tells you how important a message is (e.g., error vs. informational), facility tells you where it came from—the subsystem or process that generated it.
The Role of Facility Codes
Facility codes help network and security monitoring tools (like SolarWinds, Graylog, or Splunk) sort incoming logs into logical categories. This makes filtering, correlation, and alerting far easier.
For example, you can choose to alert only on messages from auth or local4, while ignoring generic daemon chatter. In large environments, this is critical for keeping your event streams organized and meaningful.
Common Syslog Facility Codes
| Facility Code | Name | Typical Use |
|---|---|---|
| 0 | kern | Kernel messages (Linux/Unix) |
| 1 | user | User-level processes |
| 2 | mail | Mail system logs |
| 3 | daemon | Background daemons and services |
| 4 | auth | Security and authorization messages (logins, su, sudo) |
| 5 | syslog | Messages generated internally by the syslog daemon |
| 6 | lpr | Printer subsystem |
| 7 | news | Network news (NNTP) |
| 8 | uucp | Unix-to-Unix copy protocol |
| 9 | cron | Scheduled jobs (cron or at) |
| 10 | authpriv | Private (non-world-readable) authentication logs |
| 11 | ftp | FTP daemon logs |
| 12 | ntp | Network Time Protocol service |
| 13 | security (log audit) | Audit events |
| 14 | console (log alert) | Alerts sent to the system console |
| 15 | solaris-cron (clock daemon) | Second clock-daemon facility, used by Solaris cron |
| 16–23 | local0–local7 | Locally defined or vendor-specific use |
The names for facilities 13–15 vary between implementations; RFC 5424 lists them as log audit, log alert and clock daemon. The names in the Name column are what you type in syslog.conf or rsyslog selectors such as auth.* or local4.warning.
Note: Many network devices (like Cisco ASA or Palo Alto firewalls) use local0–local7 for their syslog output. You can select which facility to use in the device’s logging configuration.
How It Works in Practice
When a Syslog message is sent, the facility and severity are combined into a single priority value (PRI), which appears in angle brackets at the very start of the message:
PRI = (Facility × 8) + Severity
For example, a message from local4 (facility 20) with severity warning (level 4) gets PRI = (20 × 8) + 4 = 164, so the message begins with <164>. A receiver reverses the calculation with integer division: 164 ÷ 8 = 20 (local4) with remainder 4 (warning). That is how Syslog receivers quickly determine both where a message originated and how urgent it is. Bear in mind that the receiver takes the PRI at face value: classic UDP syslog authenticates neither the sender nor the header, so a facility is a routing hint, not proof of origin.
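The encode/decode arithmetic above, plus the header parsing a collector has to do before it can use it, as an added example (this is illustrative code written for this page, not code from any syslog implementation). The facility and severity name lists follow the table above; the fallback to PRI 13 (user.notice) for a missing or out-of-range PRI is the behaviour RFC 3164 prescribes for relays. The sample lines are constructed, not real captures.

```python
import re

# Facility names in numeric order (0-23), matching the table above.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron",
] + [f"local{i}" for i in range(8)]

# Severity names in numeric order (0 = most severe, 7 = least).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 tells relays to stamp PRI 13 (user.notice) on messages whose PRI is
# missing or unparseable; we do the same so nothing is silently dropped.
DEFAULT_PRI = 13

PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """Build PRI = facility * 8 + severity from names or raw numbers."""
    f = FACILITIES.index(facility) if isinstance(facility, str) else facility
    s = SEVERITIES.index(severity) if isinstance(severity, str) else severity
    if not (0 <= f <= 23 and 0 <= s <= 7):
        raise ValueError(f"facility {f} / severity {s} out of range")
    return f * 8 + s


def decode_pri(pri):
    """Split a PRI back into (facility_name, severity_name). Valid range is 0-191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0-191")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_line(line):
    """Return (facility, severity, remainder) for one raw syslog line.

    A line with no leading <PRI>, or with a PRI above 191, is treated as
    user.notice and its text is kept whole, as an RFC 3164 relay would do.
    """
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:
        fac, sev = decode_pri(int(m.group(1)))
        return fac, sev, line[m.end():]
    fac, sev = decode_pri(DEFAULT_PRI)
    return fac, sev, line


# Constructed sample lines for demonstration (not real device output).
SAMPLE_LINES = [
    "<164>Oct 11 22:14:15 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.8/22",
    "<34>Oct 11 22:14:16 host01 su: 'su root' failed for bob on /dev/pts/8",
    "<86>Oct 11 22:14:17 host01 sshd[1234]: Accepted publickey for alice from 10.0.0.9 port 50000",
    "Oct 11 22:14:18 host02 app: message sent without any PRI header",
    "<999>Oct 11 22:14:19 host02 app: PRI out of range",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fac, sev, rest = parse_line(line)
        print(f"{fac}.{sev:<8} {rest[:60]}")
```

Running the block prints each sample as facility.severity followed by the message text; the firewall line decodes to local4.warning, the su failure to auth.crit, the sshd line to authpriv.info, and the last two fall back to user.notice.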
Why It Matters for Monitoring
Facility codes become especially useful when integrating devices into centralized logging or monitoring tools. You can:
- Route specific facilities to different collectors or dashboards.
- Filter alerts (e.g., only show local4 errors).
- Create per-facility retention rules, keeping security logs longer than debug traffic.
- Test and tune alerts in lab environments like EVE-NG before deploying in production.
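Routing, filtering and retention decisions all come down to matching the decoded facility and severity against selectors, so here is an added example that evaluates syslog.conf-style selectors (facility.priority, with "priority" meaning that level or more severe, "=priority" for an exact level, "none" to exclude, and later selectors in a rule overriding earlier ones for the same facility) over constructed log lines. The routing table, destination names and sample lines are hypothetical; this is illustrative code for this page, not the configuration syntax of any particular product.

```python
import re

# Facility and severity names in numeric order, as in the table above.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron",
] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """PRI -> (facility_name, severity_name)."""
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def selector_matches(selector, facility, severity):
    """Evaluate one 'fac[,fac...].prio' selector.

    Returns True/False when the selector covers this facility, or None when it
    does not mention it. 'warning' matches warning or more severe, '=warning'
    matches exactly warning, 'none' excludes the facility, '*' matches all.
    """
    fac_part, _, prio_part = selector.partition(".")
    facs = fac_part.split(",")
    if "*" not in facs and facility not in facs:
        return None
    if prio_part == "none":
        return False
    if prio_part == "*":
        return True
    if prio_part.startswith("="):
        return severity == prio_part[1:]
    return SEVERITIES.index(severity) <= SEVERITIES.index(prio_part)


def rule_matches(rule, facility, severity):
    """Evaluate a ';'-separated rule; later selectors override earlier ones."""
    result = False
    for sel in rule.split(";"):
        verdict = selector_matches(sel.strip(), facility, severity)
        if verdict is not None:
            result = verdict
    return result


# Hypothetical routing table: (selector, destination). Destinations are just labels here.
ROUTES = [
    ("auth,authpriv.*", "auth-archive"),        # every auth message, long retention
    ("local4.warning", "firewall-alerts"),      # firewall on local4, warning or worse
    ("*.info;mail.none;authpriv.none", "general"),
    ("*.=debug", "debug-shortlived"),           # debug only, short retention
]


def route(line, routes=ROUTES):
    """Return the list of destinations a raw syslog line would be sent to."""
    m = re.match(r"^<(\d{1,3})>", line)
    # RFC 3164 fallback for a missing/out-of-range PRI: 13 = user.notice.
    pri = int(m.group(1)) if m and int(m.group(1)) <= 191 else 13
    facility, severity = decode_pri(pri)
    return [dest for sel, dest in routes if rule_matches(sel, facility, severity)]


# Constructed sample lines (not real device output).
SAMPLE_LINES = [
    "<164>Oct 11 22:14:15 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.8/22",
    "<166>Oct 11 22:14:15 fw01 %ASA-6-302013: Built inbound TCP connection",
    "<86>Oct 11 22:14:17 host01 sshd[1234]: Accepted publickey for alice from 10.0.0.9 port 50000",
    "<34>Oct 11 22:14:16 host01 su: 'su root' failed for bob on /dev/pts/8",
    "<15>Oct 11 22:14:18 host02 app: verbose debug trace",
    "<22>Oct 11 22:14:19 mail01 postfix/smtpd[99]: connect from 10.0.0.20",
    "Oct 11 22:14:20 host02 app: no PRI header at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{route(line)!s:<36} {line[:50]}")
```

With this table the local4 warning goes both to the firewall alert queue and to the general store, the local4 info line only to general, the authpriv login only to the long-retention auth archive (the general rule excludes authpriv), the mail line nowhere, and a debug line only to the short-retention bucket. Swapping the first two selectors would not change anything here, but reordering selectors inside one rule would, which is the thing to test in the lab before changing production.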
Summary
Syslog facility codes are simple but powerful—they define the origin of each log message and allow you to maintain clarity in complex environments. Once you understand how they work, you can build smarter filters, reduce noise, and make your monitoring systems far more efficient.
Whether you’re managing a handful of lab routers or a global enterprise network, knowing your facility codes is the first step toward clean, actionable logging.