Which program defaults use syslog local[0-7] facilities?

The LOCALn facilities are available for any local use and can vary pretty widely from site to site.

I guarantee every one of the 8 available are used by something, so if you want to avoid conflicts my best advice is to log all 7 to separate logs and pick the one that nothing else seems to be using.

Some you missed (program defaults - may be changed locally so double-check):

  • LOCAL0 is used by postgresql (if configured to log to syslog)
  • LOCAL2 is used by sudo (if configured to log to syslog)
  • LOCAL3 is used by some versions of SpamAssassin
    • This is often changed by the local admin to log to mail instead
  • LOCAL5 is sometimes used by the Snort IDS
    • I don't know if this is a default or just coincidence, but I've seen it on several Snort installations

There is no standard for the LOCAL0-LOCAL7 Syslog facilities. By design, you cannot count on whether they'll be used by anything. Particular distros or organizations might have their own conventions, but that's up to distro or organization policy, not any broader standard.

As an alternative, have you considered using Syslog "tags"? Tags are free-form strings that are prepended to log messages to identify specific applications or log channels. By default, the tag is usually formed from the process name and ID (e.g., 'httpd[2839]') that generated the log data. The 'logger' command-line utility and most Syslog APIs support specifying whatever tags you want to use for your applications.

For instance, I personally like using 'http-access' for my Apache web server access logs, which I send to Syslog by piping Apache's log output to the command "logger -p local7.info -t 'http-access'".
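Added example, not part of either answer above: a small audit script that decodes the PRI field of raw RFC 3164 syslog frames (PRI = facility × 8 + severity, facility codes 16 to 23 being local0 to local7) and reports which tags are writing to each LOCALn facility. It assumes the lines still carry the `<PRI>` prefix (as received on the wire or written with a template that keeps it); the sample lines and host names are constructed.

```python
import re

# RFC 3164 framing: "<PRI>timestamp host tag[pid]: message", PRI = facility*8 + severity
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
LOCAL0 = 16  # facility codes 16..23 are local0..local7

def parse(line):
    """Return (facility_code, severity, tag), or None if the line is not RFC 3164 shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23*8 + 7 is the highest valid PRI
        return None
    return pri >> 3, pri & 7, m.group("tag")

def local_usage(lines):
    """Map each of local0..local7 to the set of tags seen logging to it."""
    usage = {f"local{n}": set() for n in range(8)}
    for line in lines:
        parsed = parse(line)
        if parsed and LOCAL0 <= parsed[0] <= 23:
            usage[f"local{parsed[0] - LOCAL0}"].add(parsed[2])
    return usage

def unused_locals(lines):
    """LOCALn facilities that no parsed line used."""
    return sorted(name for name, tags in local_usage(lines).items() if not tags)

# Constructed sample frames (not captured from a real host)
SAMPLE = [
    "<134>Oct 11 22:14:15 db1 postgres[4121]: LOG:  checkpoint complete",      # local0.info
    "<149>Oct 11 22:14:16 web1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",     # local2.notice
    "<190>Oct 11 22:14:17 web1 http-access: 203.0.113.7 GET /index.html 200",  # local7.info
    "<190>Oct 11 22:14:18 web1 cron-report[88]: nightly job finished",         # local7.info
    "<38>Oct 11 22:14:19 web1 sshd[901]: Accepted publickey for alice",        # auth.info
    "<999>garbage line",                                                       # rejected
]

if __name__ == "__main__":
    for fac, tags in local_usage(SAMPLE).items():
        print(f"{fac}: {sorted(tags) or '-'}")
    print("unused:", unused_locals(SAMPLE))
```

In the sample, two unrelated tags share local7, which is the collision the first answer warns about and the case where filtering on the tag rather than the facility keeps the streams apart.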