<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I suppose you could force it to write logs that match that facility
filter to a different destination where that destination hard codes
whatever name you want for that facility.<br>
<br>
Jim<br>
<br>
<div class="moz-cite-prefix">On 03/06/2014 07:02 PM, Feroz Basir
wrote:<br>
</div>
<blockquote
cite="mid:C90C642E-69CA-4BAF-9D36-064FC64D0953@gmail.com"
type="cite">
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
<div>Hi,</div>
<div><br>
</div>
<div>I didn't use any custom name. I used $FACILITY variable in my
filename. As I stated on my first email, for some reason this
variable got a value of 'a'. Then Jim suggested that this is due
to Solaris OS didn't have authpriv facility defined. He was
right about that. Jim also suggested that I use filter to write
to appropriate file. I did use filter to separate my log
messages based on facility. So I'm back to original problem
where I still going to get $FACILITY variable as 'a'.</div>
<div><br>
</div>
<div>As you suggested, I can use conditional rewrite to rename the
$FACILITY variable. I think this would work by the look at it.
Will test it first. Does this setting apply globally or can be
based on OS type, in this case If the messages coming from
Solaris OS?</div>
<div><br>
</div>
<div>Thank you.<br>
<br>
Regards,
<div>Feroz Basir</div>
</div>
<div><br>
On 7 Mar 2014, at 03:50, Balazs Scheidler <<a
moz-do-not-send="true" href="mailto:bazsi77@gmail.com">bazsi77@gmail.com</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<p dir="ltr">If I understand you correctly you used a custom
name-value pair in the message (called facility in lower
case, syslog-ng has a similar macro named FACILITY in upper
case).</p>
<p dir="ltr">You can initialize this value using $FACILITY and
then use a conditional rewrite.</p>
<p dir="ltr">set('authpriv' value('facility')
condition(facility(10)));</p>
<p dir="ltr">You should probably use a less confusing name for
this purpose though.</p>
<div class="gmail_quote">On Mar 6, 2014 7:21 PM, "Feroz Basir"
<<a moz-do-not-send="true"
href="mailto:feroz.basir@gmail.com">feroz.basir@gmail.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
Just got me thinking. I did use filter by facility and
insert facility variable on the filename. Due to this, I
still going to get 'a' from facility variable. Why it uses
'a' instead of other facility? maybe due to authpriv
facility from remote server.<br>
<br>
How do I change 'a' to more meaningful name for facility
then?"<br>
<br>
Regards,<br>
Feroz Basir<br>
<br>
> On 7 Mar 2014, at 00:59, <<a
moz-do-not-send="true"
href="mailto:jrhendri@roadrunner.com">jrhendri@roadrunner.com</a>>
wrote:<br>
><br>
> If you look at the filters below, I think they are
filtering on facility *number* as seen in the syslog
stream.<br>
><br>
> You may need to test / play with this a bit to get it
right, but I think that is the direction I would look.<br>
><br>
> Jim<br>
><br>
><br>
> ---- Feroz Basir <<a moz-do-not-send="true"
href="mailto:feroz.basir@gmail.com">feroz.basir@gmail.com</a>>
wrote:<br>
>> Hi,<br>
>><br>
>> Thanks for replying. Yes, you are right Solaris
has no authpriv facility. If I use filter, it still cannot
determine the facility variable since Solaris has no
authpriv. Are we saying that the filter will send the log
to known facility available on Solaris?<br>
>><br>
>><br>
>><br>
>> Regards,<br>
>> Feroz Basir<br>
>><br>
>>> On 6 Mar 2014, at 02:26, <<a
moz-do-not-send="true"
href="mailto:jrhendri@roadrunner.com">jrhendri@roadrunner.com</a>>
wrote:<br>
>>><br>
>>> It's a bit subtle (and I may not have the
details exactly correct)<br>
>>><br>
>>> The facility is set by the sending server in
the syslog packet, but interpreted on the receiving server
according to what is defined in local system headers.<br>
>>><br>
>>> I think what you may be seeing is a remote
server setting a value that the Solaris box does not have
defined. (possibly authpriv, which is normally 10 or 0x0a
-- but that's a total guess :-)<br>
>>><br>
>>> You might need to put in a local filter to
get the logs to go to the right place.<br>
>>> If I were you I would look for the local
system syslog.h (there may be several places) and see what
is defined locally.<br>
>>> something like<br>
>>> find /usr -name \*syslog\*.h -exec grep -il
facility {} \;<br>
>>> should get you the filename(s)<br>
>>><br>
>>> You may need to implement something like this
and uncommend the appropriate line(s)<br>
>>><br>
>>><br>
>>> ###############################<br>
>>> # Facility Filters<br>
>>> ################################<br>
>>><br>
>>> #filter f_kern { facility (0); };<br>
>>> #filter f_user { facility (1); };<br>
>>> filter f_mail { facility (2); };<br>
>>> #filter f_daemon { facility (3); };<br>
>>> #filter f_auth { facility (4); };<br>
>>> #filter f_syslog { facility (5); };<br>
>>> #filter f_lpr { facility (6); };<br>
>>> #filter f_news { facility (7); };<br>
>>> #filter f_uucp { facility (8); };<br>
>>> #filter f_audit { facility (13); };<br>
>>> #filter f_cron { facility (15); };<br>
>>> #filter f_local0 { facility (16); };<br>
>>> #filter f_local1 { facility (17); };<br>
>>> #filter f_local2 { facility (18); };<br>
>>> #filter f_local3 { facility (19); };<br>
>>> #filter f_local4 { facility (20); };<br>
>>> #filter f_local5 { facility (21); };<br>
>>> #filter f_local6 { facility (22); };<br>
>>> #filter f_local7 { facility (23); };<br>
>>><br>
>>><br>
>>> Best,<br>
>>> Jim<br>
>>><br>
>>><br>
>>><br>
>>> ---- Feroz Basir <<a
moz-do-not-send="true"
href="mailto:feroz.basir@gmail.com">feroz.basir@gmail.com</a>>
wrote:<br>
>>>> Hi all,<br>
>>>><br>
>>>> Need some help regarding filename that
use $facility variable. For some reason the facility
variable was set to 'a' during file naming convention. I
don't recall to have 'a' as a facility on remote server.
What could be the issue here? This only happen on Solaris
syslog-ng server. Others OS seem ok.<br>
>>>><br>
>>>> Config sample:<br>
>>>> destination d_remoteall {file
("/syslog/$sourceip@$facility@$r_year:$r_month:$r_day:"
create_dirs(yes) perm(0644));};<br>
>>>><br>
>>>> Sample output:<br>
>>>> <a class="moz-txt-link-abbreviated" href="mailto:10.10.10.1@a@2014:03:05.gz">10.10.10.1@a@2014:03:05.gz</a><br>
>>>><br>
>>>> I'm running syslog-ng version 3.0.2.<br>
>>>><br>
>>>> Thanks.<br>
>>>><br>
>>>> Regards,<br>
>>>> Feroz Basir<br>
>>>>
______________________________________________________________________________<br>
>>>> Member info: <a moz-do-not-send="true"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
>>>> Documentation: <a moz-do-not-send="true"
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
>>>> FAQ: <a moz-do-not-send="true"
href="http://www.balabit.com/wiki/syslog-ng-faq"
target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
______________________________________________________________________________<br>
Member info: <a moz-do-not-send="true"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a moz-do-not-send="true"
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a moz-do-not-send="true"
href="http://www.balabit.com/wiki/syslog-ng-faq"
target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div><span>______________________________________________________________________________</span><br>
<span>Member info: <a moz-do-not-send="true"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a></span><br>
<span>Documentation: <a moz-do-not-send="true"
href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a></span><br>
<span>FAQ: <a moz-do-not-send="true"
href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a></span><br>
<span></span><br>
</div>
</blockquote>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
<br>
</body>
</html>