<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Well, that is probably because the host
where syslog-ng was compiled is a different OS than that where the
"audit" facility log line was created.<br>
<br>
For instance, on a Linux host, the syslog.h file from the system
only has these facilities defined.<br>
<br>
CODE facilitynames[] =<br>
{<br>
{ "auth", LOG_AUTH },<br>
{ "authpriv", LOG_AUTHPRIV },<br>
{ "cron", LOG_CRON },<br>
{ "daemon", LOG_DAEMON },<br>
{ "ftp", LOG_FTP },<br>
{ "kern", LOG_KERN },<br>
{ "lpr", LOG_LPR },<br>
{ "mail", LOG_MAIL },<br>
{ "mark", INTERNAL_MARK }, /* INTERNAL */<br>
{ "news", LOG_NEWS },<br>
{ "security", LOG_AUTH }, /* DEPRECATED */<br>
{ "syslog", LOG_SYSLOG },<br>
{ "user", LOG_USER },<br>
{ "uucp", LOG_UUCP },<br>
{ "local0", LOG_LOCAL0 },<br>
{ "local1", LOG_LOCAL1 },<br>
{ "local2", LOG_LOCAL2 },<br>
{ "local3", LOG_LOCAL3 },<br>
{ "local4", LOG_LOCAL4 },<br>
{ "local5", LOG_LOCAL5 },<br>
{ "local6", LOG_LOCAL6 },<br>
{ "local7", LOG_LOCAL7 },<br>
<br>
<br>
with values of<br>
<br>
/* facility codes */<br>
#define LOG_KERN (0<<3) /* kernel messages */<br>
#define LOG_USER (1<<3) /* random user-level
messages */<br>
#define LOG_MAIL (2<<3) /* mail system */<br>
#define LOG_DAEMON (3<<3) /* system daemons */<br>
#define LOG_AUTH (4<<3) /* security/authorization
messages */<br>
#define LOG_SYSLOG (5<<3) /* messages generated
internally by syslogd */<br>
#define LOG_LPR (6<<3) /* line printer subsystem */<br>
#define LOG_NEWS (7<<3) /* network news subsystem */<br>
#define LOG_UUCP (8<<3) /* UUCP subsystem */<br>
#define LOG_CRON (9<<3) /* clock daemon */<br>
#define LOG_AUTHPRIV (10<<3) /* security/authorization
messages (private) */<br>
#define LOG_FTP (11<<3) /* ftp daemon */<br>
<br>
/* other codes through 15 reserved for system use */<br>
#define LOG_LOCAL0 (16<<3) /* reserved for local use */<br>
#define LOG_LOCAL1 (17<<3) /* reserved for local use */<br>
#define LOG_LOCAL2 (18<<3) /* reserved for local use */<br>
#define LOG_LOCAL3 (19<<3) /* reserved for local use */<br>
#define LOG_LOCAL4 (20<<3) /* reserved for local use */<br>
#define LOG_LOCAL5 (21<<3) /* reserved for local use */<br>
#define LOG_LOCAL6 (22<<3) /* reserved for local use */<br>
#define LOG_LOCAL7 (23<<3) /* reserved for local use */<br>
<br>
<br>
so there is no audit facility.<br>
<br>
Hope that explains it.<br>
<br>
<br>
On 07/28/2015 09:08 AM, Justin Kala wrote:<br>
</div>
<blockquote
cite="mid:CACLzEe+C26yTHHSiDjPQUK-O5yGXOeRa9Sdv65v2seocyDneLQ@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div dir="ltr">
<div><br clear="all">
Hi</div>
<div><br>
</div>
<div>Syslog-ng is unable to recognize the facility audit. When I
put filter as audit and restart syslog-ng it errors out. When
I put the facility code as 13 ,it does not error on restarting
the service but does not capture the syslog message received
through this filter code 13 as well.</div>
<div><br>
</div>
<div>Please advise.<br>
-- <br>
</div>
<div class="gmail_signature">Kaladhar</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="500">--
Evan Rempel <a class="moz-txt-link-abbreviated" href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>
Senior Systems Administrator 250.721.7691
Data Centre Services, University Systems, University of Victoria
</pre>
</body>
</html>