The spade Module Preprocessors

Output Modules 141

Facility names that can be used with this module are:

• LOG_AUTH
• LOG_AUTHPRIV
• LOG_DAEMON
• LOG_LOCAL0
• LOG_LOCAL1
• LOG_LOCAL2
• LOG_LOCAL3
• LOG_LOCAL4
• LOG_LOCAL5
• LOG_LOCAL6
• LOG_LOCAL7
• LOG_USER

Priorities that are available with this module are:

• LOG_EMERG
• LOG_ALERT
• LOG_CRIT
• LOG_ERR
• LOG_WARNING
• LOG_NOTICE
• LOG_INFO
• LOG_DEBUG

Note that LOG_EMERG is the highest priority and LOG_DEBUG is the lowest priority.

Options that you can use with this module are:

• LOG_CONS
• LOG_NDELAY
• LOG_PERROR
• LOG_PID

Note that you have to configure the Syslog daemon on your host to properly utilize this module. On Linux systems, read the manual pages for sysklogd for a detailed discussion of how to configure and use the daemon.

142 Chapter 4 • Plugins, Preprocessors and Output Modules

The configuration is done through the use of the /etc/syslog.conf file on UNIX systems. A typical syslog.conf file on a RedHat Linux 7.3 system follows. As you can see from this file, a log file is defined for each type of facility. Most of the messages go into the /var/log/messages file.

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    kern.*                                                  /dev/console

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;news.none;authpriv.none;cron.none      /var/log/messages

    # The authpriv file has restricted access.
    authpriv.*                                              /var/log/secure

    # Log all the mail messages in one place.
    mail.*                                                  /var/log/maillog

    # Log cron stuff
    cron.*                                                  /var/log/cron

    # Everybody gets emergency messages
    *.emerg                                                 *

    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                                          /var/log/spooler

    # Save boot messages also to boot.log
    local7.*                                                /var/log/boot.log

    # INN
    news.=crit                                              /var/log/news/news.crit
    news.=err                                               /var/log/news/news.err
    news.notice                                             /var/log/news/news.notice

If you want to send different types of alerts using different facilities or priorities, you can define your own actions using the ruletype keyword as mentioned earlier.
After defining these rule types, you can use them in your rules as actions. As you will remember from previous discussions, the first word in each rule is the action part.
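Because the facility and priority you give alert_syslog decide which syslog.conf selector lines catch the alert, it is worth checking the routing before relying on a log file. The following is an added example, not code from the book or from Snort: it models sysklogd's selector semantics (later clauses override earlier ones, `=` means exactly that priority, `none` drops a facility) over a constructed, shortened copy of the RedHat file above, and reports where an alert with a given facility/priority pair would land.

```python
# Added example (not the book's code): models sysklogd selector routing.
PRIORITIES = ["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
              "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"]
# syslog.conf spells priorities without LOG_ and in lower case
PRI_LEVEL = {p[4:].lower(): i for i, p in enumerate(PRIORITIES)}
# Constructed sample: selectors from the RedHat 7.3 file above, shortened.
SAMPLE_CONF = """\
*.info;mail.none;news.none;authpriv.none;cron.none  /var/log/messages
authpriv.*                                          /var/log/secure
*.emerg                                             *
uucp,news.crit                                      /var/log/spooler
local7.*                                            /var/log/boot.log
news.=crit                                          /var/log/news/news.crit
"""

def parse_conf(text):
    """Return (selector, action) pairs, skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector, action = line.split(None, 1)
            rules.append((selector, action.strip()))
    return rules

def selector_matches(selector, facility, level):
    """Evaluate one selector such as '*.info;authpriv.none'. Clauses apply
    left to right, so 'authpriv.none' carves authpriv out of '*.info'."""
    matched = False
    for clause in selector.split(";"):
        facs, pri = clause.rsplit(".", 1)
        facs = facs.split(",")
        if "*" not in facs and facility not in facs:
            continue
        if pri == "none":
            matched = False
        elif pri == "*":
            matched = True
        elif pri.startswith("="):          # exactly this priority
            matched = level == PRI_LEVEL[pri[1:]]
        else:                              # this priority or more severe
            matched = level <= PRI_LEVEL[pri]
    return matched

def destinations(conf_text, snort_facility, snort_priority):
    """Actions receiving an alert sent with the given alert_syslog
    facility and priority, both spelled as in snort.conf."""
    facility = snort_facility[4:].lower()       # LOG_LOCAL7 -> local7
    level = PRIORITIES.index(snort_priority)
    return [action for sel, action in parse_conf(conf_text)
            if selector_matches(sel, facility, level)]
```

With this file, an alert sent as LOG_AUTHPRIV ends up only in /var/log/secure, while LOG_LOCAL7 lands in both /var/log/messages and /var/log/boot.log.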