• Status: Solved

syslogd error, unknown facility name

I am trying to get my cisco pix firewall to write its logs to my linux rhes machine.  Of the 7 syslog facility options, I tried LOCAL0(16), LOCAL7(23) and LOCAL4(20).  I enabled trap logging at both informational and debugging levels.  On "show logging" I can see that messages are being logged (313684 and counting), but I don't know where these messages are going.
My latest pix config file shows:
logging on
logging timestamp
logging trap debugging
logging device-id hostname
logging host inside

When I select a facility other than LOCAL4(20), the config file also shows
logging facility 16 (or 23)
but this line does not appear in the config file if LOCAL4(20) is selected.  It may not appear due to some system default, more on this below.

My syslogd.conf file had only these lines:
Title = "Syslogd"
LogFile = messages
*OnlyService = syslogd

So I added:
local4.debug    /var/log/messages
that's the latest - I also tried
local0.info, local7.debug, and with a destination of /var/log/cisco/route,  a path/file I had created with 644 permissions.
I was careful to use no spaces, only tabs in this line of the syslogd.conf file, and restarted syslogd each time, looking for errors.
/var/log/messages shows no errors, but syslogd -d shows this error:
cfline(LOCAL(4)20.*               /var/log/cisco)/var/log/cisco)
symbolic name: * ==> 255
symbolic name: LOCAL(4)20Called logerr, msg: unknown facility name "LOCAL(4)20"
logmsg: syslog.err<43>, flags 4, from alice, msg syslogd: unknown facility name "LOCAL(4)20"

The same error shows up regardless of what's in my syslogd.conf file and regardless of the facility selected on the pix! I have tried to sync changes to the syslogd file with changes to the pix as follows:
change syslogd
reboot syslogd
change pix
apply changes to pix, check running config and/or reboot

Pls explain these errors and how to fix them, thanks


1 Solution
1. take a backup of /etc/syslog.conf

2. Add the following to /etc/syslog.conf and remove other newly configured options

*.*     /var/log/test.log

3. add -r to SYSLOGD_OPTIONS in file /etc/sysconfig/syslog


4. restart syslogd

5. check /var/log/test.log for logs from pix

Your latest pix syslog config does not include which logging facility you are using. You must also use "logging facility localX"
to complete the config. Then on the syslog server you must make additions to the syslogd.conf file for that logging facility.
"localX.*"  will allow you to log any messages for that facility.  You then must stop and restart syslogd ( kill -HUP <process id, syslogd>)

klukac (Author) commented:
Thank you joju!  At some point I had made an error in /etc/syslog.conf and then forgot to check there, thinking the conf file was at
My log file for the pix now shows something (that syslogd was restarted) but I would like to see the rest of the files, so I'm ready for the next step here, thanks.
klukac (Author) commented:
harbor, I changed the syslogd.conf file from local0.debug to local0.* and made sure the cisco reflects the same facility selection - which does show up in the config file.  It wasn't doing that consistently earlier, possibly due to errors which are now fixed.  

However there's no change to the cisco logfile on my linux host, just another entry for a syslogd restart.  syslogd -d shows no errors, but "show logging" continues to track an increasing number of messages, and I don't know where they're going.  Unfortunately, the pix device manager is not very helpful, it times out when I try to view some of the logging options, so I'll have to stick to the text of the config file for logging entries, which are:
logging on
logging timestamp
logging trap debugging
logging facility 16              #this corresponds to local0
logging device-id hostname
logging host inside alice        #alice is my linux hostname

Hope you have added -r to SYSLOGD_OPTIONS in file /etc/sysconfig/syslog


Note: -r option is for allowing remote logging in syslog server.

Also try giving syslog-server's IP address in pix rather than host name.

klukac (Author) commented:
yep, I did add the -r option to SYSLOGD_OPTIONS
the pix shows the ip address or the host name, it's just a matter of whether you send the "no names" option to view the config file, which maps hostnames to ip addresses
the pix is directly connected to the linux host, not just via ethernet, but also through a serial connection which is my backup for pix configuration.  Of course, to activate that connection I have to launch minicom, which isn't running, so I don't think that this would interfere with syslog output.  

klukac (Author) commented:
I rebooted my linux host, and the problem is fixed :)
now I'll proceed to limit the output to that file, or it'll get enormous before long
Question has a verified solution.
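
An added example, not part of the original thread: a small Python check for the two things the thread kept tripping over, namely whether a syslog.conf selector uses a facility name syslogd recognises, and which localN name corresponds to the number in the PIX "logging facility N" line. The function names (check_conf, pix_facility_name, decode_pri) are made up for this sketch, and the name tables are the common subset of syslogd names, not the full list.

```python
# Common syslog facility and priority names with their numeric codes.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FAC_BY_CODE = {v: k for k, v in FACILITIES.items()}
PRI_BY_CODE = {v: k for k, v in PRIORITIES.items()}

def pix_facility_name(code):
    """Map the number in PIX 'logging facility N' (16..23) to local0..local7."""
    if not 16 <= code <= 23:
        raise ValueError(f"PIX facility must be 16..23, got {code}")
    return FAC_BY_CODE[code]

def decode_pri(pri):
    """Split a <PRI> value into names: PRI = facility * 8 + priority."""
    return f"{FAC_BY_CODE[pri >> 3]}.{PRI_BY_CODE[pri & 7]}"

def check_conf(text):
    """Return (line_no, problem) for each rule with an unrecognised selector."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) < 2:
            problems.append((no, "no action field after selector"))
            continue
        for sel in fields[0].split(";"):
            facs, dot, prio = sel.partition(".")
            prio = prio.lstrip("=!").lower()
            if not dot or (prio not in PRIORITIES and prio not in ("*", "none")):
                problems.append((no, f'unknown priority name "{prio}"'))
            for fac in facs.split(","):
                if fac != "*" and fac.lower() not in FACILITIES:
                    problems.append((no, f'unknown facility name "{fac}"'))
    return problems

# Constructed sample: the selector from the syslogd -d error in the question,
# followed by a rule that matches PIX "logging facility 20".
SAMPLE = "LOCAL(4)20.*\t/var/log/cisco\nlocal4.*\t/var/log/cisco\n"

if __name__ == "__main__":
    for no, problem in check_conf(SAMPLE):
        print(f"line {no}: {problem}")
    print(pix_facility_name(16), decode_pri(43))
```

Run against the real /etc/syslog.conf, it points at the line syslogd is complaining about; decode_pri(43) also shows why the error in the question was itself logged as syslog.err<43>.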
