You should run one instance of syslogd per z/OS® image under a user ID with the SYSMULTI security label. The AF_UNIX socket (default name /dev/log) created by syslogd must have a security label of SYSMULTI, so that applications running under various security labels can log to it.
Syslogd routes application log messages according to filters configured in /etc/syslog.conf. Log messages from applications running under different security labels can be mixed into an output log file by a filter rule. Each output log file created by syslogd should be configured in a directory with a SYSHIGH security label.