<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Can you look at the syslog facility
definitions<br>
<br>
/usr/include/sys/syslog.h<br>
<br>
or<br>
<br>
/usr/include/syslog.h<br>
<br>
to see if audit is a defined facility?<br>
<br>
<br>
On 07/28/2015 09:32 AM, Justin Kala wrote:<br>
</div>
<blockquote
cite="mid:CACLzEeKySt37-4PQNu-EWUQWFB0paNeJ+b=vt6KsXYxqs7P1wg@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<p dir="ltr">Hi Evan..thanks for the reply but both sending and
receiving servers are same OS.. Solaris 10</p>
<div class="gmail_quote">On Jul 28, 2015 12:18 PM, "Evan Rempel"
<<a moz-do-not-send="true" href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Well, that is probably because the host where syslog-ng
was compiled is a different OS than that where the "audit"
facility log line was created.<br>
<br>
For instance, on a Linux host, the syslog.h file from the
system only has these facilities defined.<br>
<br>
CODE facilitynames[] =<br>
{<br>
{ "auth", LOG_AUTH },<br>
{ "authpriv", LOG_AUTHPRIV },<br>
{ "cron", LOG_CRON },<br>
{ "daemon", LOG_DAEMON },<br>
{ "ftp", LOG_FTP },<br>
{ "kern", LOG_KERN },<br>
{ "lpr", LOG_LPR },<br>
{ "mail", LOG_MAIL },<br>
{ "mark", INTERNAL_MARK }, /* INTERNAL */<br>
{ "news", LOG_NEWS },<br>
{ "security", LOG_AUTH }, /* DEPRECATED */<br>
{ "syslog", LOG_SYSLOG },<br>
{ "user", LOG_USER },<br>
{ "uucp", LOG_UUCP },<br>
{ "local0", LOG_LOCAL0 },<br>
{ "local1", LOG_LOCAL1 },<br>
{ "local2", LOG_LOCAL2 },<br>
{ "local3", LOG_LOCAL3 },<br>
{ "local4", LOG_LOCAL4 },<br>
{ "local5", LOG_LOCAL5 },<br>
{ "local6", LOG_LOCAL6 },<br>
{ "local7", LOG_LOCAL7 },<br>
<br>
<br>
with values of<br>
<br>
/* facility codes */<br>
#define LOG_KERN (0<<3) /* kernel messages
*/<br>
#define LOG_USER (1<<3) /* random user-level
messages */<br>
#define LOG_MAIL (2<<3) /* mail system */<br>
#define LOG_DAEMON (3<<3) /* system daemons */<br>
#define LOG_AUTH (4<<3) /*
security/authorization messages */<br>
#define LOG_SYSLOG (5<<3) /* messages
generated internally by syslogd */<br>
#define LOG_LPR (6<<3) /* line printer
subsystem */<br>
#define LOG_NEWS (7<<3) /* network news
subsystem */<br>
#define LOG_UUCP (8<<3) /* UUCP subsystem */<br>
#define LOG_CRON (9<<3) /* clock daemon */<br>
#define LOG_AUTHPRIV (10<<3) /*
security/authorization messages (private) */<br>
#define LOG_FTP (11<<3) /* ftp daemon */<br>
<br>
/* other codes through 15 reserved for system use
*/<br>
#define LOG_LOCAL0 (16<<3) /* reserved for
local use */<br>
#define LOG_LOCAL1 (17<<3) /* reserved for
local use */<br>
#define LOG_LOCAL2 (18<<3) /* reserved for
local use */<br>
#define LOG_LOCAL3 (19<<3) /* reserved for
local use */<br>
#define LOG_LOCAL4 (20<<3) /* reserved for
local use */<br>
#define LOG_LOCAL5 (21<<3) /* reserved for
local use */<br>
#define LOG_LOCAL6 (22<<3) /* reserved for
local use */<br>
#define LOG_LOCAL7 (23<<3) /* reserved for
local use */<br>
<br>
<br>
so there is no audit facility.<br>
<br>
Hope that explains it.<br>
<br>
<br>
On 07/28/2015 09:08 AM, Justin Kala wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div><br clear="all">
Hi</div>
<div><br>
</div>
<div>Syslog-ng is unable to recognize the facility
audit. When I put filter as audit and restart
syslog-ng it errors out. When I put the facility code
as 13 ,it does not error on restarting the service but
does not capture the syslog message received through
this filter code 13 as well.</div>
<div><br>
</div>
<div>Please advise.<br>
-- <br>
</div>
<div>Kaladhar</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>______________________________________________________________________________
Member info: <a moz-do-not-send="true" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a moz-do-not-send="true" href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a moz-do-not-send="true" href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
<br>
<br>
<pre cols="500">--
Evan Rempel <a moz-do-not-send="true" href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>
Senior Systems Administrator <a moz-do-not-send="true" href="tel:250.721.7691" value="+12507217691" target="_blank">250.721.7691</a>
Data Centre Services, University Systems, University of Victoria
</pre>
</div>
<br>
______________________________________________________________________________<br>
Member info: <a moz-do-not-send="true"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a moz-do-not-send="true"
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a moz-do-not-send="true"
href="http://www.balabit.com/wiki/syslog-ng-faq"
rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br>
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="500">--
Evan Rempel <a class="moz-txt-link-abbreviated" href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>
Senior Systems Administrator 250.721.7691
Data Centre Services, University Systems, University of Victoria
</pre>
</body>
</html>