<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    I suppose you could force it to write logs that match that facility
    filter to a different destination where that destination hard codes
    whatever name you want for that facility.<br>
    <br>
    Jim<br>
    <br>
    <div class="moz-cite-prefix">On 03/06/2014 07:02 PM, Feroz Basir
      wrote:<br>
    </div>
    <blockquote
      cite="mid:C90C642E-69CA-4BAF-9D36-064FC64D0953@gmail.com"
      type="cite">
      <meta http-equiv="content-type" content="text/html;
        charset=ISO-8859-1">
      <div>Hi,</div>
      <div><br>
      </div>
      <div>I didn't use any custom name. I used the $FACILITY variable in my
        filename. As I stated in my first email, for some reason this
        variable got a value of 'a'. Then Jim suggested that this is due
        to the Solaris OS not having the authpriv facility defined. He was
        right about that. Jim also suggested that I use a filter to write
        to the appropriate file. I did use a filter to separate my log
        messages based on facility. So I'm back to the original problem,
        where I'm still going to get the $FACILITY variable as 'a'.</div>
      <div><br>
      </div>
      <div>As you suggested, I can use a conditional rewrite to rename the
        $FACILITY variable. I think this would work, by the look of it.
        I will test it first. Does this setting apply globally, or can it be
        based on OS type, in this case if the messages are coming from
        Solaris OS?</div>
      <div><br>
      </div>
      <div>Thank you.<br>
        <br>
        Regards,
        <div>Feroz Basir</div>
      </div>
      <div><br>
        On 7 Mar 2014, at 03:50, Balazs Scheidler &lt;<a
          moz-do-not-send="true" href="mailto:bazsi77@gmail.com">bazsi77@gmail.com</a>&gt;
        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div>
          <p dir="ltr">If I understand you correctly you used a custom
            name-value pair in the message (called facility in lower
            case, syslog-ng has a similar macro named FACILITY in upper
            case).</p>
          <p dir="ltr">You can initialize this value using $FACILITY and
            then use a conditional rewrite.</p>
          <p dir="ltr">set('authpriv' value('facility')
            condition(facility(10)));</p>
          <p dir="ltr">You should probably use a less confusing name for
            this purpose though.</p>
          <div class="gmail_quote">On Mar 6, 2014 7:21 PM, "Feroz Basir"
            &lt;<a moz-do-not-send="true"
              href="mailto:feroz.basir@gmail.com">feroz.basir@gmail.com</a>&gt;
            wrote:<br type="attribution">
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              Hi,<br>
              <br>
              Just got me thinking. I did use a filter by facility and
              insert the facility variable in the filename. Due to this, I'm
              still going to get 'a' from the facility variable. Why does it use
              'a' instead of another facility? Maybe due to the authpriv
              facility from the remote server.<br>
              <br>
              How do I change 'a' to a more meaningful name for the facility
              then?<br>
              <br>
              Regards,<br>
              Feroz Basir<br>
              <br>
              &gt; On 7 Mar 2014, at 00:59, &lt;<a
                moz-do-not-send="true"
                href="mailto:jrhendri@roadrunner.com">jrhendri@roadrunner.com</a>&gt;
              wrote:<br>
              &gt;<br>
              &gt; If you look at the filters below, I think they are
              filtering on facility *number* as seen in the syslog
              stream.<br>
              &gt;<br>
              &gt; You may need to test / play with this a bit to get it
              right, but I think that is the direction I would look.<br>
              &gt;<br>
              &gt; Jim<br>
              &gt;<br>
              &gt;<br>
              &gt; ---- Feroz Basir &lt;<a moz-do-not-send="true"
                href="mailto:feroz.basir@gmail.com">feroz.basir@gmail.com</a>&gt;
              wrote:<br>
              &gt;&gt; Hi,<br>
              &gt;&gt;<br>
              &gt;&gt; Thanks for replying. Yes, you are right, Solaris
              has no authpriv facility. If I use a filter, it still cannot
              determine the facility variable since Solaris has no
              authpriv. Are we saying that the filter will send the log
              to a known facility available on Solaris?<br>
              &gt;&gt;<br>
              &gt;&gt;<br>
              &gt;&gt;<br>
              &gt;&gt; Regards,<br>
              &gt;&gt; Feroz Basir<br>
              &gt;&gt;<br>
              &gt;&gt;&gt; On 6 Mar 2014, at 02:26, &lt;<a
                moz-do-not-send="true"
                href="mailto:jrhendri@roadrunner.com">jrhendri@roadrunner.com</a>&gt;
              wrote:<br>
              &gt;&gt;&gt;<br>
              &gt;&gt;&gt; It's a bit subtle (and I may not have the
              details exactly correct)<br>
              &gt;&gt;&gt;<br>
              &gt;&gt;&gt; The facility is set by the sending server in
              the syslog packet, but interpreted on the receiving server
              according to what is defined in local system headers.<br>
              &gt;&gt;&gt;<br>
              &gt;&gt;&gt; I think what you may be seeing is a remote
              server setting a value that the Solaris box does not have
              defined. (possibly authpriv, which is normally 10 or 0x0a
              -- but that's a total guess :-)<br>
              &gt;&gt;&gt;<br>
              &gt;&gt;&gt; You might need to put in a local filter to
              get the logs to go to the right place.<br>
              &gt;&gt;&gt; If I were you I would look for the local
              system syslog.h (there may be several places) and see what
              is defined locally.<br>
              &gt;&gt;&gt; something like<br>
              &gt;&gt;&gt; find /usr -name \*syslog\*.h -exec grep -il
              facility {} \;<br>
              &gt;&gt;&gt; should get you the filename(s)<br>
              &gt;&gt;&gt;<br>
              &gt;&gt;&gt; You may need to implement something like this
              and uncomment the appropriate line(s)<br>
              &gt;&gt;&gt;<br>
              &gt;&gt;&gt;<br>
              &gt;&gt;&gt; ###############################<br>
              &gt;&gt;&gt; # Facility Filters<br>
              &gt;&gt;&gt; ################################<br>
              &gt;&gt;&gt;<br>
              &gt;&gt;&gt; #filter f_kern &nbsp; { facility (0); };<br>
              &gt;&gt;&gt; #filter f_user &nbsp; { facility (1); };<br>
              &gt;&gt;&gt; filter f_mail &nbsp; { facility (2); };<br>
              &gt;&gt;&gt; #filter f_daemon { facility (3); };<br>
              &gt;&gt;&gt; #filter f_auth &nbsp; { facility (4); };<br>
              &gt;&gt;&gt; #filter f_syslog { facility (5); };<br>
              &gt;&gt;&gt; #filter f_lpr &nbsp; &nbsp;{ facility (6); };<br>
              &gt;&gt;&gt; #filter f_news &nbsp; { facility (7); };<br>
              &gt;&gt;&gt; #filter f_uucp &nbsp; { facility (8); };<br>
              &gt;&gt;&gt; #filter f_audit &nbsp;{ facility (13); };<br>
              &gt;&gt;&gt; #filter f_cron &nbsp; { facility (15); };<br>
              &gt;&gt;&gt; #filter f_local0 { facility (16); };<br>
              &gt;&gt;&gt; #filter f_local1 { facility (17); };<br>
              &gt;&gt;&gt; #filter f_local2 { facility (18); };<br>
              &gt;&gt;&gt; #filter f_local3 { facility (19); };<br>
              &gt;&gt;&gt; #filter f_local4 { facility (20); };<br>
              &gt;&gt;&gt; #filter f_local5 { facility (21); };<br>
              &gt;&gt;&gt; #filter f_local6 { facility (22); };<br>
              &gt;&gt;&gt; #filter f_local7 { facility (23); };<br>
              &gt;&gt;&gt;<br>
              &gt;&gt;&gt;<br>
              &gt;&gt;&gt; Best,<br>
              &gt;&gt;&gt; Jim<br>
              &gt;&gt;&gt;<br>
              &gt;&gt;&gt;<br>
              &gt;&gt;&gt;<br>
              &gt;&gt;&gt; ---- Feroz Basir &lt;<a
                moz-do-not-send="true"
                href="mailto:feroz.basir@gmail.com">feroz.basir@gmail.com</a>&gt;
              wrote:<br>
              &gt;&gt;&gt;&gt; Hi all,<br>
              &gt;&gt;&gt;&gt;<br>
              &gt;&gt;&gt;&gt; Need some help regarding a filename that
              uses the $facility variable. For some reason the facility
              variable was set to 'a' during file naming convention. I
              don't recall having 'a' as a facility on the remote server.
              What could be the issue here? This only happens on the Solaris
              syslog-ng server. Other OSes seem OK.<br>
              &gt;&gt;&gt;&gt;<br>
              &gt;&gt;&gt;&gt; Config sample:<br>
              &gt;&gt;&gt;&gt; destination d_remoteall {file
              ("/syslog/$sourceip@$facility@$r_year:$r_month:$r_day:"
              create_dirs(yes) perm(0644));};<br>
              &gt;&gt;&gt;&gt;<br>
              &gt;&gt;&gt;&gt; Sample output:<br>
              &gt;&gt;&gt;&gt; 10.10.10.1@a@2014:03:05.gz<br>
              &gt;&gt;&gt;&gt;<br>
              &gt;&gt;&gt;&gt; I'm running syslog-ng version 3.0.2.<br>
              &gt;&gt;&gt;&gt;<br>
              &gt;&gt;&gt;&gt; Thanks.<br>
              &gt;&gt;&gt;&gt;<br>
              &gt;&gt;&gt;&gt; Regards,<br>
              &gt;&gt;&gt;&gt; Feroz Basir<br>
              &gt;&gt;&gt;&gt;
______________________________________________________________________________<br>
              &gt;&gt;&gt;&gt; Member info: <a moz-do-not-send="true"
                href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
                target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
              &gt;&gt;&gt;&gt; Documentation: <a moz-do-not-send="true"
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
                target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
              &gt;&gt;&gt;&gt; FAQ: <a moz-do-not-send="true"
                href="http://www.balabit.com/wiki/syslog-ng-faq"
                target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
              &gt;<br>
              <br>
            </blockquote>
          </div>
        </div>
      </blockquote>
    </blockquote>
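    <div>The behaviour discussed in this thread, as an added example that is not part of any message above and is not syslog-ng code: the sender's PRI value carries facility code 10, and a receiver whose name table lacks that code ends up with 'a' in the file name. The hex fallback for unknown codes, the NO_AUTHPRIV table and the function names are assumptions made for illustration; the sample frame is constructed.</div>

```python
import re

# Facility names as a Linux-style syslog.h defines them (code 10 = authpriv).
LINUX_FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                    5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
                    10: "authpriv", 11: "ftp"}
LINUX_FACILITIES.update({16 + n: f"local{n}" for n in range(8)})

# Hypothetical receiver table without code 10, standing in for the Solaris
# headers described in the thread (their real contents are not shown there).
NO_AUTHPRIV = {k: v for k, v in LINUX_FACILITIES.items() if k != 10}

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(frame):
    """Return (facility_code, severity) from the <PRI> prefix of a syslog frame."""
    m = PRI_RE.match(frame)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    return divmod(int(m.group(1)), 8)

def facility_name(code, table, overrides=None):
    """Resolve a facility name. Unknown codes fall back to lowercase hex
    (assumed fallback, matching the 'a' reported for code 10 in the thread)."""
    if overrides and code in overrides:
        return overrides[code]
    return table.get(code, format(code, "x"))

def log_path(source_ip, frame, date, table, overrides=None):
    """Build a per-host, per-facility file name modelled on the thread's sample output."""
    code, _severity = decode_pri(frame)
    year, month, day = date
    name = facility_name(code, table, overrides)
    return f"/syslog/{source_ip}@{name}@{year:04d}:{month:02d}:{day:02d}"

# Constructed sample frame: PRI 86 = facility 10 * 8 + severity 6 (info).
SAMPLE = "<86>Mar  5 12:00:00 host1 sshd[1234]: session opened for user test"

if __name__ == "__main__":
    day = (2014, 3, 5)
    print(log_path("10.10.10.1", SAMPLE, day, LINUX_FACILITIES))
    print(log_path("10.10.10.1", SAMPLE, day, NO_AUTHPRIV))
    # Explicit name for code 10, the same idea as the conditional rewrite above.
    print(log_path("10.10.10.1", SAMPLE, day, NO_AUTHPRIV, {10: "authpriv"}))
```

    <div>Filtering on the numeric code and naming the file explicitly keeps authentication logs in a predictably named file even when the receiver's headers do not define the facility.</div>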
    <br>
  </body>
</html>