Facilities and Severities for Intrusion Syslog Alerts
Managed devices can send intrusion events as syslog alerts using a particular facility and severity, so that the logging host can categorize the alerts. The facility specifies the subsystem that generated the message. These facility and severity values do not appear in the text of the actual syslog messages.
Choose values that make sense for your environment. Local configuration files (such as syslog.conf on UNIX-based logging hosts) may indicate which facilities are saved to which log files.
Syslog Alert Facilities
| Facility | Description |
|---|---|
| AUTH | A message associated with security and authorization. |
| AUTHPRIV | A restricted access message associated with security and authorization. On many systems, these messages are forwarded to a secure file. |
| CONSOLE | An alert message. |
| CRON | A message generated by the clock daemon. |
| DAEMON | A message generated by a system daemon. |
| FTP | A message generated by the FTP daemon. |
| KERN | A message generated by the kernel. On many systems, these messages are printed to the console when they appear. |
| LOCAL0-LOCAL7 | A message generated by an internal process. |
| LPR | A message generated by the printing subsystem. |
| MAIL | A message generated by a mail system. |
| NEWS | A message generated by the network news subsystem. |
| SYSLOG | A message generated by the syslog daemon. |
| USER | A message generated by a user-level process. |
| UUCP | A message generated by the UUCP subsystem. |
Syslog Alert Severities
| Level | Description |
|---|---|
| EMERG | A panic condition broadcast to all users |
| ALERT | A condition that should be corrected immediately |
| CRIT | A critical condition |
| ERR | An error condition |
| WARNING | Warning messages |
| NOTICE | Conditions that are not error conditions, but require attention |
| INFO | Informational messages |
| DEBUG | Messages that contain debug information |