[syslog-ng] facility 10 plus?

Balazs Scheidler bazsi at balabit.hu
Tue Mar 23 10:42:30 CET 2010


On Mon, 2010-03-22 at 23:46 +0200, Alan McKinnon wrote:
> On Monday 22 March 2010 18:55:59 Balazs Scheidler wrote:
> > On Mon, 2010-03-22 at 08:50 -0500, fedora fedora wrote:
> > > Hi, I have some odd devices using syslog facility 24, and there is no
> > > way I can change it!
> > > 
> > > In this case, is it possible to let syslog-ng use facility 24? Right
> > > now it gives me a "24 is not supported" error and quits.
> > 
> > It should be possible to reference facility 24 this way:
> > 
> > filter f_fac24 { facility(24); };
> > 
> > If you specify a facility by number, it is not possible to use a range,
> > but otherwise it should work. Does it for you?
> 
> Bazsi,
> 
> How high can one take these undefined facilities? 
> 
> I've always found it incredibly annoying that the standard facilities are so 
> limited, that apart from local0-7 there's no way to extend them, and that the 
> latest standards didn't define any new ones.

There's no real limit, only the fact that no devices allow you to define
new numbers. I guess the original intention was to allow several
facilities, but no process was defined to do so, and the current set is
quite hardwired in implementations.

syslog-ng does allow you to filter based on up to 13 bits worth of
facility codes (that's about 8192 different codes), but I doubt you can
configure those in your client devices.

Use something else for the same purpose: host name, application name,
structured data, or, better, classify messages using patterndb,
assign a tag and use that for filtering.

-- 
Bazsi
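
Added example (not part of the original post, and not syslog-ng code): a small Python inventory of the facility codes that devices actually send, so non-standard ones such as 24 can be found and given one numeric filter each in the form shown in the thread. It assumes the usual PRI encoding (facility * 8 + severity) and the 13-bit facility limit mentioned above; the function names, facility labels and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Conventional labels for codes 0-23 (illustrative); higher codes have no name.
STANDARD = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
STANDARD += ["local%d" % i for i in range(8)]
MAX_FACILITY = (1 << 13) - 1           # 13 bits of facility, per the post
PRI_RE = re.compile(r"^<(\d{1,5})>")   # up to 5 digits covers 13 + 3 bits

def decode_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if unusable."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    facility, severity = pri >> 3, pri & 7   # PRI = facility * 8 + severity
    return None if facility > MAX_FACILITY else (facility, severity)

def facility_label(facility):
    return STANDARD[facility] if facility < len(STANDARD) else str(facility)

def inventory(lines):
    """Count messages per facility; also count lines with no usable PRI."""
    counts, rejected = Counter(), 0
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            rejected += 1
        else:
            counts[decoded[0]] += 1
    return counts, rejected

def numeric_filters(counts):
    """One filter per non-standard facility: numeric facilities take no range."""
    return ["filter f_fac%d { facility(%d); };" % (f, f)
            for f in sorted(counts) if f >= len(STANDARD)]

SAMPLE = [  # constructed log lines
    "<198>Mar 22 08:50:01 odd-device fw: link up",         # facility 24, sev 6
    "<193>Mar 22 08:50:03 odd-device fw: fan failure",     # facility 24, sev 1
    "<134>Mar 22 08:50:02 router1 sshd: session opened",   # local0, sev 6
    "<207>Mar 22 08:50:04 odd-device2 app: debug",         # facility 25, sev 7
    "<65536>Mar 22 08:50:05 broken: facility beyond 13 bits",
    "Mar 22 08:50:06 nopri: message without a PRI header",
]

if __name__ == "__main__":
    counts, rejected = inventory(SAMPLE)
    for fac, n in sorted(counts.items()):
        print("facility %-6s %d message(s)" % (facility_label(fac), n))
    print("rejected:", rejected)
    print("\n".join(numeric_filters(counts)))
```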



