This option allows us to split the network feed by the ‘selector’ field of the syslogd daemon.

Select the ‘Log File Splitting’ value of ‘Facility’ to filter on the part of the system that generated the message, enabling you to split by one of the following keywords:

Keyword options:

  auth        mail
  authpriv    mark
  cron        news
  daemon      syslog
  kern        user
  lpr         uucp
  local0 through to local7
All of these keywords (with the exception of mark) correspond to the similarly named “LOG_” values passed to the openlog() and syslog() routines.

For more information on the subject of syslog.conf, please refer to the following reference:

Log Receiver requirement: to receive events over UDP:514 from various devices on the network and split them by ‘Facility’.

Using the Log Receiver dashboard, we have created:

  • a Rule called Syslog Server
  • a Source called syslog_UDP
  • a Destination called syslog_UDP_dest
  • a Destination Filename called syslog_UDP.log

We have enabled the ‘Facility’ option from the Log File Splitting selector to create separate sub-directories containing events from the different syslog daemon facility values (Note: these are case sensitive).

If the syslog message does not fall into another facility value, it will default to the ‘user’ facility. Otherwise, authentication events will find themselves in the ‘auth’ directory, kernel events in the ‘kern’ directory, and so on. Example directories below:
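As an added illustration (not taken from the Log Receiver documentation or product code), the following Python script parses the PRI header of raw syslog datagrams, maps the facility code to the keyword names listed above, and applies the default-to-‘user’ rule to work out which sub-directory each event would land in. The facility numbering follows RFC 3164; the sample messages are constructed and the function names are assumptions of this example, not the product's own.

```python
import re
from collections import defaultdict
# RFC 3164 facility codes mapped to the syslog.conf keywords listed above.
# Codes 11-15 (ftp, ntp, audit, alert, clock) have no keyword there and fall
# back to 'user' below; 'mark' has no LOG_ facility value, so it is absent too.
FACILITY_KEYWORDS = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv",
}
FACILITY_KEYWORDS.update({16 + i: f"local{i}" for i in range(8)})
DEFAULT_FACILITY = "user"

# PRI is '<' + decimal 0..191 + '>' at the very start of the datagram.
_PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri(message):
    """(facility_code, severity) from the PRI header, or None if absent/invalid."""
    m = _PRI_RE.match(message)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))          # PRI = facility * 8 + severity
    return pri // 8, pri % 8

def facility_directory(message):
    """Sub-directory the event is split into: keyword if known, else 'user'."""
    parsed = parse_pri(message)
    if parsed is None:
        return DEFAULT_FACILITY
    return FACILITY_KEYWORDS.get(parsed[0], DEFAULT_FACILITY)

def split_by_facility(messages):
    """Group raw messages by the directory they would be written to."""
    buckets = defaultdict(list)
    for msg in messages:
        buckets[facility_directory(msg)].append(msg)
    return dict(buckets)

# Constructed sample datagrams, not captured from a real network.
SAMPLE_MESSAGES = [
    "<38>Jan 10 12:00:01 host1 sshd[2010]: Accepted publickey for ops",   # auth
    "<0>Jan 10 12:00:02 host1 kernel: oom-killer invoked",                # kern
    "<86>Jan 10 12:00:03 host1 sudo: ops : TTY=pts/0 ; COMMAND=/bin/ls",  # authpriv
    "<94>Jan 10 12:00:04 host1 ftpd[44]: session opened",                 # ftp -> user
    "Jan 10 12:00:05 host2 app: line arrived with no PRI header",         # no PRI -> user
    "<134>Jan 10 12:00:06 host3 myapp: local0 informational event",       # local0
]

if __name__ == "__main__":
    for directory, events in sorted(split_by_facility(SAMPLE_MESSAGES).items()):
        print(f"{directory}/ ({len(events)} event(s))")
```

Running it prints one line per sub-directory that would be created for the sample batch, which is a quick way to check that a device's facility settings will land its events where you expect before pointing it at UDP:514.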