Rsyslog: Filtering, Facilities, Priorities

Please see Learning rsyslog for the introduction and index to this series of blog posts about rsyslog.

The next step in working with rsyslog is understanding "facilities" and "priorities". Happily, these seemed fairly straightforward to me - unlike much of the rest of the rsyslog setup. These concepts predate rsyslog and go back to the early RFCs that defined the syslog standard. "Facilities" may be thought of as the things that generate log messages. They each have numbers, but I find it easier to deal with the names (which both Fedora and Debian prefer in their configs). They are called things like "kern", "mail", "cron", and "authpriv". This isn't a complete list, but you should be getting the idea: the kernel generates logging messages, as do the mail system, cron, and authorization requests. Note that "auth" is a separate facility from "authpriv" - I haven't researched the distinction, but it appears to be between general authorization messages that are relatively safe for world viewing, and requests for privilege escalation that may include secrets and so should be logged either very securely or not at all.

"Priority" is the concept of how important a message is. These scale from most critical down to trivial, with the names "emerg", "alert", "crit", "err", "warn", "notice", "info", and "debug", in that order. I like examples, and found the config file (/etc/rsyslog.conf) pretty readable on the topic:

# Debian and Fedora's configs both include this line:
mail.*                          -/var/log/mail.log
# But Debian's config includes more, later:                       -/var/log/
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

Two big take-aways here: one, you can control what types of messages go where, and two, just because a message is logged in one place doesn't mean it can't also be logged somewhere else. Comments in the Debian config clarify why you might do this: "Logging for the mail system. Split it up so that it is easy to write scripts to parse these files." It's important to understand that a specification like mail.warn means "all messages from facility 'mail' that have a priority of 'warn' or higher." Notice the "or higher" part there. The /var/log/ log is going to be very verbose, and include all the messages that also appear in /var/log/mail.err, but the /var/log/mail.err log will - we hope - be quite small and specific.

The leading dash before filenames seems to mean that rsyslog shouldn't sync after every write to the file ... but that's not its standard behaviour anyway so it appears to be ... meaningless? Perhaps, unless the global directive to always sync is given? Sorry, I'm not clear on this behaviour.

Debian and Fedora both create the /var/log/messages log, but they get there by somewhat different methods:

# Fedora:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# Debian:
    mail,news.none          -/var/log/messages

"*.info" means "informational messages or anything more important, from any facility." "*.=notice" means "all facilities, 'notice' messages only."

The last detail of importance - particularly for my plan to create my own logs - is that rsyslog provides a set of facilities called local0 through local7 which are, reasonably enough, meant for local use. On Fedora, one of these is in use:

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

There are messages in that file, so I'm going to consider "local7" off limits.
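As an added illustration (not part of the original post, and not rsyslog's own code), here is a small Python evaluator for the classic selector syntax discussed above: "facility.priority" meaning that priority or higher, "=" for exactly one priority, "none" to exclude a facility, "*" for any facility or priority, and comma-separated facility lists. It applies selectors left to right the way sysklogd and rsyslog do, so a later "mail.none" removes what an earlier "*.info" added. The config lines it is fed are constructed from the Fedora and Debian snippets quoted above plus one made-up "*.=notice" line; the route() and decode_pri() helpers and the log file names for the made-up line are my own. decode_pri() also shows how the facility numbers mentioned above travel inside a message: the PRI field is facility * 8 + severity (RFC 3164/5424).

```python
import re

# Facility codes as in glibc <syslog.h>; 12-15 are reserved in the standard,
# so they get placeholder names here.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp",
    "reserved12", "reserved13", "reserved14", "reserved15",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
FACILITY_CODE = {name: code for code, name in enumerate(FACILITY_NAMES)}

# Severity codes: 0 is the most urgent. Aliases ("warn", "error", "panic") included.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_CODE = {name: code for code, name in enumerate(SEVERITY_NAMES)}
SEVERITY_CODE.update({"panic": 0, "error": 3, "warn": 4})


def parse_selector_line(line):
    """Turn 'sel;sel;...  <action>' into ({facility_code: set(severity_codes)}, action).
    The action (e.g. '-/var/log/mail.log', leading dash included) is returned verbatim."""
    selectors, action = re.split(r"\s+", line.strip(), maxsplit=1)
    accepted = {code: set() for code in range(len(FACILITY_NAMES))}
    for sel in selectors.split(";"):
        fac_part, prio_part = sel.rsplit(".", 1)
        facilities = (range(len(FACILITY_NAMES)) if fac_part == "*"
                      else [FACILITY_CODE[f] for f in fac_part.split(",")])
        if prio_part == "none":            # drop everything for these facilities
            remove, chosen = True, set(range(8))
        else:
            remove = prio_part.startswith("!")   # '!' negates the selection
            spec = prio_part.lstrip("!")
            if spec == "*":
                chosen = set(range(8))
            elif spec.startswith("="):     # exactly this priority
                chosen = {SEVERITY_CODE[spec[1:]]}
            else:                          # this priority OR HIGHER (numerically lower)
                chosen = set(range(SEVERITY_CODE[spec] + 1))
        for fac in facilities:
            if remove:
                accepted[fac] -= chosen
            else:
                accepted[fac] |= chosen
    return accepted, action


def matches(line, facility, severity):
    """Does one selector line accept a message with the given facility/priority names?"""
    accepted, _ = parse_selector_line(line)
    return SEVERITY_CODE[severity] in accepted[FACILITY_CODE[facility]]


def route(config_lines, facility, severity):
    """Every action (file) a message would be written to, in config order.
    Shows the 'logged in more than one place' behaviour described in the post."""
    fac, sev = FACILITY_CODE[facility], SEVERITY_CODE[severity]
    targets = []
    for line in config_lines:
        accepted, action = parse_selector_line(line)
        if sev in accepted[fac]:
            targets.append(action)
    return targets


def decode_pri(pri):
    """Split a syslog PRI value (the <N> at the start of a message) into names.
    PRI = facility * 8 + severity, so e.g. <38> is auth.info."""
    return FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8]


# Constructed sample config, modelled on the Fedora/Debian lines quoted in the post.
# The '*.=notice' line and its file name are made up for the demonstration.
SAMPLE_CONFIG = [
    "mail.*                          -/var/log/mail.log",
    "mail.warn                       -/var/log/mail.warn",
    "mail.err                        /var/log/mail.err",
    "*.info;mail.none;authpriv.none;cron.none   /var/log/messages",
    "*.=notice                       /var/log/notice-only.log",
    "local7.*                        /var/log/boot.log",
]

if __name__ == "__main__":
    for fac, sev in [("mail", "err"), ("mail", "info"), ("authpriv", "info"),
                     ("kern", "notice"), ("local7", "debug")]:
        print(f"{fac}.{sev:<8} -> {route(SAMPLE_CONFIG, fac, sev)}")
    print("PRI 38 ->", decode_pri(38))
```

Feeding the evaluator a real /etc/rsyslog.conf is a quick way to check that a sensitive facility such as authpriv really is excluded from the world-readable files before trusting the config; the left-to-right rule matters, because "authpriv.none;*.info" and "*.info;authpriv.none" do not mean the same thing.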
