Standardized syslog local facility usage in common applications: Best practices for choosing LOCAL[0-7]



Syslog's local facilities (LOCAL0 through LOCAL7) provide flexible logging channels for applications, but many well-known programs have established default usage patterns. Here's a comprehensive breakdown based on real-world deployments:

  • LOCAL0: PostgreSQL's default facility (configured in postgresql.conf)
  • LOCAL2: sudo's traditional facility (set via /etc/sudoers with Defaults syslog=local2)
  • LOCAL4: OpenLDAP's slapd daemon default
  • LOCAL5: Frequently used by network security tools like Snort IDS
  • LOCAL7: Boot messages facility in many Linux distributions

Based on widespread usage patterns, these facilities typically have lower adoption:

  • LOCAL1: Rarely used by major applications
  • LOCAL3: Occasionally used by mail filters (SpamAssassin)
  • LOCAL6: Generally available

To audit current local facility usage on a Linux system:

grep -r "local[0-7]" /etc/{rsyslog,syslog,syslog-ng}*
grep -r "facility.local" /etc/* 2>/dev/null

For a Python application using LOCAL6 (typically available):

import syslog
syslog.openlog(ident='myapp', logoption=syslog.LOG_PID, facility=syslog.LOG_LOCAL6)
syslog.syslog(syslog.LOG_INFO, 'Application started')

Corresponding rsyslog configuration (/etc/rsyslog.d/myapp.conf):

local6.*    /var/log/myapp.log
& stop

Best practices:

  • Document facility assignments in your configuration management system
  • Consider using structured logging (JSON) when available
  • Test facility availability during deployment
  • Monitor for logging conflicts
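
The availability test and conflict check from the list above can be scripted. The following is an added example, not code from the original page: it parses traditional rsyslog selector lines, reports which local facilities are unclaimed, and flags any facility that rules in more than one file route. The sample config text, the file names other than myapp.conf, and the loghost.example target are constructed. RainerScript filters (if ... then) are not parsed.

```python
import re
from collections import defaultdict

# Constructed sample config text; on a real host read /etc/rsyslog.conf and
# /etc/rsyslog.d/*.conf instead.
SAMPLE_CONFIGS = {
    "/etc/rsyslog.conf": (
        "*.info;mail.none;local6.none    /var/log/messages\n"
        "local7.*                        /var/log/boot.log\n"
        "# local1.*  /var/log/old.log\n"
    ),
    "/etc/rsyslog.d/postgresql.conf": "local0.*    /var/log/postgresql.log\n",
    "/etc/rsyslog.d/myapp.conf": "local6.*    /var/log/myapp.log\n& stop\n",
    "/etc/rsyslog.d/vendor.conf": "local0,local6.warning    @loghost.example\n",
}

# One selector: comma-separated facilities, a dot, optional =/! modifiers, a priority.
SELECTOR = re.compile(r"^((?:[\w*]+,)*[\w*]+)\.([=!]*)(\w+|\*)$")

def claimed_facilities(configs):
    """Map 'localN' -> [(path, lineno, action)] for traditional selector lines."""
    claims = defaultdict(list)
    for path, text in configs.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            parts = line.split(None, 1)
            if len(parts) != 2 or line.lstrip().startswith(("#", "&")):
                continue  # blank, comment, or "& stop" continuation
            action = parts[1].strip()
            for sel in parts[0].lower().split(";"):
                m = SELECTOR.match(sel)
                if not m or m.group(3) == "none":  # facility.none excludes, it is not a claim
                    continue
                for fac in m.group(1).split(","):
                    if re.fullmatch(r"local[0-7]", fac):
                        claims[fac].append((path, lineno, action))
    return dict(claims)

def audit(configs):
    """Return (free facilities, facilities claimed in more than one file)."""
    claims = claimed_facilities(configs)
    free = [f"local{n}" for n in range(8) if f"local{n}" not in claims]
    conflicts = sorted(f for f, c in claims.items() if len({p for p, _, _ in c}) > 1)
    return free, conflicts

if __name__ == "__main__":
    free, conflicts = audit(SAMPLE_CONFIGS)
    print("free:", free)
    print("conflicts:", conflicts)
```

A wildcard selector such as `*.info` still receives messages from every local facility. The script deliberately does not count it as a claim, so review the catch-all rules separately.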

In Unix-like systems, syslog provides 8 local facilities (LOCAL0 through LOCAL7) specifically designed for custom application logging. These exist alongside the standard facilities like mail, auth, and daemon.

Through years of convention and package defaults, certain applications have claimed specific local facilities:


# Common application defaults:
# LOCAL0 - PostgreSQL
# LOCAL2 - sudo
# LOCAL3 - SpamAssassin (some versions)
# LOCAL4 - OpenLDAP (slapd)
# LOCAL5 - Snort IDS
# LOCAL7 - Boot messages (Fedora/RHEL)

To check which facilities are already in use on your system:


# Check syslog configuration for local facility usage
grep "local[0-7]" /etc/rsyslog.conf /etc/rsyslog.d/*.conf

Here's how to configure a Python application to use LOCAL6 (typically less used):


import syslog

# Initialize logging to LOCAL6 facility
syslog.openlog(ident='myapp', facility=syslog.LOG_LOCAL6)

# Example log message
syslog.syslog(syslog.LOG_INFO, "Application started successfully")

Add this to /etc/rsyslog.d/30-myapp.conf:


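# Route LOCAL6 messages to a separate file.
# Without a following "& stop" line, these messages also continue to later
# rules (for example a catch-all that writes to the general system log).
local6.*    /var/log/myapp.log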

While local facilities work, consider these alternatives for new projects:

  • Structured logging (JSON format)
  • Direct logging to files with logrotate
  • Systemd journal for services

However, local facilities remain valuable for legacy integration and simple deployments.