<p dir="ltr">If I understand you correctly, you used a custom name-value pair in the message (called facility in lower case; syslog-ng has a similar macro named FACILITY in upper case).</p>
<p dir="ltr">You can initialize this value using $FACILITY and then use a conditional rewrite.</p>
<p dir="ltr">set('authpriv' value('facility') condition(facility(10)));</p>
<p dir="ltr">You should probably use a less confusing name for this purpose though.</p>
<div class="gmail_quote">On Mar 6, 2014 7:21 PM, "Feroz Basir" <<a href="mailto:feroz.basir@gmail.com">feroz.basir@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
Just got me thinking. I did use filter by facility and inserted the facility variable into the filename. Due to this, I am still going to get 'a' from the facility variable. Why does it use 'a' instead of another facility? Maybe due to the authpriv facility from the remote server.<br>
<br>
How do I change 'a' to a more meaningful name for the facility then?<br>
<br>
Regards,<br>
Feroz Basir<br>
<br>
> On 7 Mar 2014, at 00:59, <<a href="mailto:jrhendri@roadrunner.com">jrhendri@roadrunner.com</a>> wrote:<br>
><br>
> If you look at the filters below, I think they are filtering on facility *number* as seen in the syslog stream.<br>
><br>
> You may need to test / play with this a bit to get it right, but I think that is the direction I would look.<br>
><br>
> Jim<br>
><br>
><br>
> ---- Feroz Basir <<a href="mailto:feroz.basir@gmail.com">feroz.basir@gmail.com</a>> wrote:<br>
>> Hi,<br>
>><br>
>> Thanks for replying. Yes, you are right, Solaris has no authpriv facility. If I use a filter, it still cannot determine the facility variable since Solaris has no authpriv. Are we saying that the filter will send the log to a known facility available on Solaris?<br>
>><br>
>><br>
>><br>
>> Regards,<br>
>> Feroz Basir<br>
>><br>
>>> On 6 Mar 2014, at 02:26, <<a href="mailto:jrhendri@roadrunner.com">jrhendri@roadrunner.com</a>> wrote:<br>
>>><br>
>>> It's a bit subtle (and I may not have the details exactly correct).<br>
>>><br>
>>> The facility is set by the sending server in the syslog packet, but interpreted on the receiving server according to what is defined in local system headers.<br>
>>><br>
>>> I think what you may be seeing is a remote server setting a value that the Solaris box does not have defined. (possibly authpriv, which is normally 10 or 0x0a -- but that's a total guess :-)<br>
>>><br>
>>> You might need to put in a local filter to get the logs to go to the right place.<br>
>>> If I were you I would look for the local system syslog.h (there may be several places) and see what is defined locally.<br>
>>> something like<br>
>>> find /usr -name \*syslog\*.h -exec grep -il facility {} \;<br>
>>> should get you the filename(s)<br>
>>><br>
>>> You may need to implement something like this and uncomment the appropriate line(s)<br>
>>><br>
>>><br>
>>> ###############################<br>
>>> # Facility Filters<br>
>>> ################################<br>
>>><br>
>>> #filter f_kern { facility (0); };<br>
>>> #filter f_user { facility (1); };<br>
>>> filter f_mail { facility (2); };<br>
>>> #filter f_daemon { facility (3); };<br>
>>> #filter f_auth { facility (4); };<br>
>>> #filter f_syslog { facility (5); };<br>
>>> #filter f_lpr { facility (6); };<br>
>>> #filter f_news { facility (7); };<br>
>>> #filter f_uucp { facility (8); };<br>
>>> #filter f_audit { facility (13); };<br>
>>> #filter f_cron { facility (15); };<br>
>>> #filter f_local0 { facility (16); };<br>
>>> #filter f_local1 { facility (17); };<br>
>>> #filter f_local2 { facility (18); };<br>
>>> #filter f_local3 { facility (19); };<br>
>>> #filter f_local4 { facility (20); };<br>
>>> #filter f_local5 { facility (21); };<br>
>>> #filter f_local6 { facility (22); };<br>
>>> #filter f_local7 { facility (23); };<br>
>>><br>
>>><br>
>>> Best,<br>
>>> Jim<br>
>>><br>
>>><br>
>>><br>
>>> ---- Feroz Basir <<a href="mailto:feroz.basir@gmail.com">feroz.basir@gmail.com</a>> wrote:<br>
>>>> Hi all,<br>
>>>><br>
>>>> Need some help regarding a filename that uses the $facility variable. For some reason the facility variable was set to 'a' in the file naming convention. I don't recall having 'a' as a facility on the remote server. What could be the issue here? This only happens on the Solaris syslog-ng server. Other OSes seem ok.<br>
>>>><br>
>>>> Config sample:<br>
>>>> destination d_remoteall {file ("/syslog/$sourceip@$facility@$r_year:$r_month:$r_day:" create_dirs(yes) perm(0644));};<br>
>>>><br>
>>>> Sample output:<br>
>>>> 10.10.10.1@a@2014:03:05.gz<br>
>>>><br>
>>>> I'm running syslog-ng version 3.0.2.<br>
>>>><br>
>>>> Thanks.<br>
>>>><br>
>>>> Regards,<br>
>>>> Feroz Basir<br>
>>>> ______________________________________________________________________________<br>
>>>> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
>>>> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
>>>> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
<br>
</blockquote></div>
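<p dir="ltr">Added example, not from any message in this thread: a small Python model of what the thread describes. It decodes the PRI field of a syslog line into facility and severity, looks the facility number up in the table Jim's filter list gives for Solaris (no authpriv), and builds the file name from Feroz's destination template, with and without the conditional rewrite from the reply. The hex fallback for an unknown facility number (10 = 0x0a giving 'a') is an assumption that reproduces the observed output, not something taken from syslog-ng's source; the sample log line is constructed.</p>

```python
# Added example, not from the thread: decode a syslog PRI field and reproduce
# the 'a' that the Solaris receiver wrote into the file name for facility 10.
import re

# Facility numbers exactly as Jim's filter list enumerates them for Solaris.
# authpriv (10) is absent, modelling a host whose syslog.h does not define it.
SOLARIS_FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 13: "audit", 15: "cron",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
_PRI_RE = re.compile(r"^<(\d{1,3})>")

def split_pri(line):
    """Return (facility_number, severity) from the <PRI> prefix of a line.
    PRI = facility * 8 + severity, so <86> is facility 10, severity 6."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> field")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    return pri >> 3, pri & 7

def facility_name(num, table=SOLARIS_FACILITIES):
    """Name for a facility number on the receiving host.  Unknown numbers fall
    back to bare hex digits: an assumption modelling the thread's observation
    that 10 (0x0a) came out as 'a' on Solaris."""
    return table.get(num, format(num, "x"))

def rewrite_facility(num, name):
    """The conditional rewrite from the reply: facility 10 -> 'authpriv'."""
    return "authpriv" if num == 10 else name

def destination_path(line, sourceip, year, month, day, fix=True):
    """File name from the thread's template
    /syslog/$sourceip@$facility@$r_year:$r_month:$r_day (trailing ':' dropped),
    with or without the facility rewrite applied first."""
    fac_num, _severity = split_pri(line)
    name = facility_name(fac_num)
    if fix:
        name = rewrite_facility(fac_num, name)
    return "/syslog/%s@%s@%s:%s:%s" % (sourceip, name, year, month, day)

# Constructed sample line: <86> is authpriv.info as sent by a remote host.
SAMPLE = "<86>Mar  5 10:00:00 rhost sshd[123]: Accepted publickey for alice"
```

<p dir="ltr">Running <code>destination_path(SAMPLE, "10.10.10.1", "2014", "03", "05", fix=False)</code> yields the <code>@a@</code> name from the original report, and the default <code>fix=True</code> yields <code>@authpriv@</code>.</p>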