Score:0

For rsyslog - to what facility do ssh and scp belong?


I am trying to send all the ssh and scp error messages to a pipe, and to configure this in the rsyslog.conf I need to know the facility for these services. Does anybody know this or a resource where there are examples for the list of facilities? In the man pages the descriptions are very short.

Score:0

TLDR: use whatever syslog facility works best for you.

You may want to assign one of the local use [0-7] facilities that isn't used in your environment (yet) to easily identify and isolate your specific messages from all other syslog traffic, or group them in one of the commonly used facilities.


Each message sent to the syslog server commonly has two labels associated with it that make the message easier to handle. The first label describes the function (Facility) of the application that generated it. The second is the Severity. The Facilities and Severities of the messages are numerically coded with decimal values and together they determine the Priority of a syslog message.

In the syslog protocol RFC 5424 their meanings are not rigidly defined:

Facility and Severity values are not normative but often used.  They
are described in the following tables for purely informational
purposes.  Facility values MUST be in the range of 0 to 23 inclusive.

With only 24 available facility numbers in the protocol you select whatever fits your needs "best". The conventional/traditional assignments are:

      Numerical             Facility
         Code

          0             kernel messages
          1             user-level messages
          2             mail system
          3             system daemons
          4             security/authorization messages
          5             messages generated internally by syslogd
          6             line printer subsystem
          7             network news subsystem
          8             UUCP subsystem
          9             clock daemon
         10             security/authorization messages
         11             FTP daemon
         12             NTP subsystem
         13             log audit
         14             log alert
         15             clock daemon (note 2)
         16             local use 0  (local0)
         17             local use 1  (local1)
         18             local use 2  (local2)
         19             local use 3  (local3)
         20             local use 4  (local4)
         21             local use 5  (local5)
         22             local use 6  (local6)
         23             local use 7  (local7)

          Table 1.  Syslog Message Facilities


       Numerical         Severity
         Code

          0       Emergency: system is unusable
          1       Alert: action must be taken immediately
          2       Critical: critical conditions
          3       Error: error conditions
          4       Warning: warning conditions
          5       Notice: normal but significant condition
          6       Informational: informational messages
          7       Debug: debug-level messages

          Table 2. Syslog Message Severities 

The syslog Wikipedia entry also includes the commonly used keywords for each facility and severity as well as some additional descriptions.

For the OpenSSH daemon the SyslogFacility directive allows you to specify the syslog facility that will be used. The default is AUTH, but you can use whatever best fits your needs. The other possible/supported keyword values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
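As an added illustration (not part of the original answer), the Python sketch below decodes the `<PRI>` value of a syslog line into the facility and severity from the tables above, using the RFC 5424 rule PRI = facility * 8 + severity, and evaluates a basic `facility.severity` selector the way a traditional syslog rule does (listed facility, at that severity or more severe). The function names and sample lines are constructed for this example, and the keywords for codes 12-15 are an assumption that varies between systems.

```python
import re

# Keywords in numerical-code order. Codes 0-11 and 16-23 follow Table 1 above;
# the keywords for 12-15 are commonly listed ones and vary between systems.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp security console solaris-cron "
              "local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility, severity) keywords for the leading <PRI> of a line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> header")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    if facility > 23:
        raise ValueError("facility code out of range 0-23")
    return FACILITIES[facility], SEVERITIES[severity]

def selector_matches(selector, line):
    """Evaluate a basic 'fac1,fac2.sev' selector ('*' means any facility)."""
    facs, _, sev = selector.partition(".")
    facility, severity = decode_pri(line)
    wanted = facs.split(",")
    if "*" not in wanted and facility not in wanted:
        return False
    # A lower numerical code is more severe, so 'err' also matches crit/alert/emerg.
    return SEVERITIES.index(severity) <= SEVERITIES.index(sev)

def matching(selector, lines):
    """Return the lines a selector would pick up."""
    return [l for l in lines if selector_matches(selector, l)]

# Constructed sample messages (not real log data).
SAMPLE = [
    "<35>sshd[1201]: error: constructed sample error message",
    "<38>sshd[1201]: constructed sample informational message",
    "<86>sshd[1201]: constructed sample authpriv message",
    "<155>sshd[1201]: error: constructed sample, SyslogFacility LOCAL3",
    "<30>crond[77]: constructed sample daemon message",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(decode_pri(line), line)
    print(matching("auth,authpriv.err", SAMPLE))
    print(matching("local3.err", SAMPLE))
```

With sshd left at its default AUTH facility, only the first sample line satisfies `auth,authpriv.err`; after switching to a dedicated local facility, a selector such as `local3.err` isolates the sshd errors from other authentication traffic.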
