Technical Documentation

Changing the Alternative Facility Name for Remote Messages

Some facilities assigned to messages logged on the local routing platform have JUNOS-specific names (see Table JUNOS System Logging Facilities in Specifying the Facility and Severity of Messages to Include in the Log. In the recommended configuration, a remote machine designated at the [edit system syslog host hostname] hierarchy level is not a Juniper Networks routing platform, so its syslogd utility cannot interpret the JUNOS-specific names. To enable the standard syslogd utility to handle messages from these facilities, when messages are directed to a remote machine a standard localX facility name is used instead of the JUNOS-specific facility name.

Table 1 lists the default alternative facility name used for each JUNOS-specific facility name. For facilities that are not listed, the default alternative name is the same as the local facility name.

Table 1: Default Facilities for Messages Directed to a Remote Destination

JUNOS-Specific Local FacilityDefault Facility When Directed to Remote Destination













The syslogd utility on a remote machine handles all messages that belong to a facility in the same way, regardless of the source of the message (the Juniper Networks routing platform or the remote machine itself). For example, the following statements in the configuration of the routing platform called local-router direct messages from the authorization facility to the remote machine called

[edit system syslog]
host {
	authorization info;

The default alternative facility for the local authorization facility is also authorization. If the syslogd utility on monitor is configured to write messages belonging to the authorization facility to the file /var/log/auth-attempts, the file contains both the messages generated when users log in to local-router and the messages generated when users log in to monitor. Although the name of the source machine appears in each system log message, the mixing of messages from multiple machines can make it more difficult to analyze the contents of the auth-attempts file.

To make it easier to separate the messages from each source, you can assign an alternative facility to all messages generated on local-router when they are directed to monitor. You can then configure the syslogd utility on monitor to write messages with the alternative facility to a different file from messages generated on monitor itself.

To change the facility used for all messages directed to a remote machine, include the facility-override statement at the [edit system syslog host hostname] hierarchy level:

[edit system syslog host hostname]
facility severity;
facility-override facility;

In general, it makes sense to specify an alternative facility that is not already in use on the remote machine, such as one of the localX facilities. On the remote machine, you must also configure the syslogd utility to handle the messages in the desired manner.

Table 2 lists the facilities that you can specify in the facility-override statement.

Table 2: Facilities for the facility-override Statement



Authentication and authorization attempts


Actions performed or errors encountered by system processes


Actions performed or errors encountered by the FTP process


Actions performed or errors encountered by the JUNOS kernel


Local facility number 0


Local facility number 1


Local facility number 2


Local facility number 3


Local facility number 4


Local facility number 5


Local facility number 6


Local facility number 7


Actions performed or errors encountered by user-space processes

We do not recommend including the facility-override statement at the [edit system syslog host other-routing-engine] hierarchy level. It is not necessary to use alternative facility names when directing messages to the other Routing Engine, because its JUNOS system logging utility can interpret the JUNOS-specific names.

Published: 2010-04-28