How do I know which Event log facility to choose when setting up a syslog server?
[Quick answer is in paragraph three (3) below.]
On the AMP Setup > General page, in the External Logging section, you can specify a syslog server. Once set up, everything written to the AMP Event Log and audit logs will be sent to the specified syslog server. (You can find the AMP Event Log at System > Event Log in the AMP web UI, and at /var/log/amp_events from the AMP command line. The audit logs can be found on a device's Monitor page.)
In case your syslog server is receiving messages from multiple sources, messages coming from AirWave are "tagged" with a facility identifier. You specify an identifier for Event messages and for Audit messages in the External Logging section mentioned above. By default both identifiers are set to local1.
Typically facility identifiers local0 - local7 are available to the admin to use as "custom" identifiers (see exception below for local5 and FTP). Messages "tagged" with these identifiers can be sorted by the syslog server into separate log files. You set this up on the syslog server in the /etc/syslog.conf file.
For further information on facility identifiers and priorities, please refer to the syslog man page. For information on further customizing syslog messages, please refer to the man page for the logger command (man logger).
Please note that on some systems ftpd defaults to using the local5 facility identifier. One way to see which identifiers are being used by which program is to restart the syslogd process with the -v option. A two-digit (hex) number identifies each source.