<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Can you look at the syslog facility
      definitions<br>
      <br>
      /usr/include/sys/syslog.h<br>
      <br>
      or<br>
      <br>
      /usr/include/syslog.h<br>
      <br>
      to see if audit is a defined facility?<br>
      <br>
      <br>
      On 07/28/2015 09:32 AM, Justin Kala wrote:<br>
    </div>
    <blockquote
cite="mid:CACLzEeKySt37-4PQNu-EWUQWFB0paNeJ+b=vt6KsXYxqs7P1wg@mail.gmail.com"
      type="cite">
      <p dir="ltr">Hi Evan, thanks for the reply, but both sending and
        receiving servers are the same OS: Solaris 10.</p>
      <div class="gmail_quote">On Jul 28, 2015 12:18 PM, "Evan Rempel"
        &lt;<a moz-do-not-send="true" href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>&gt;
        wrote:<br type="attribution">
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000">
            <div>Well, that is probably because the host where syslog-ng
              was compiled is a different OS than that where the "audit"
              facility log line was created.<br>
              <br>
              For instance, on a Linux host, the syslog.h file from the
              system only has these facilities defined.<br>
              <br>
              CODE facilitynames[] =<br>
                {<br>
                  { "auth", LOG_AUTH },<br>
                  { "authpriv", LOG_AUTHPRIV },<br>
                  { "cron", LOG_CRON },<br>
                  { "daemon", LOG_DAEMON },<br>
                  { "ftp", LOG_FTP },<br>
                  { "kern", LOG_KERN },<br>
                  { "lpr", LOG_LPR },<br>
                  { "mail", LOG_MAIL },<br>
                  { "mark", INTERNAL_MARK },          /* INTERNAL */<br>
                  { "news", LOG_NEWS },<br>
                  { "security", LOG_AUTH },           /* DEPRECATED */<br>
                  { "syslog", LOG_SYSLOG },<br>
                  { "user", LOG_USER },<br>
                  { "uucp", LOG_UUCP },<br>
                  { "local0", LOG_LOCAL0 },<br>
                  { "local1", LOG_LOCAL1 },<br>
                  { "local2", LOG_LOCAL2 },<br>
                  { "local3", LOG_LOCAL3 },<br>
                  { "local4", LOG_LOCAL4 },<br>
                  { "local5", LOG_LOCAL5 },<br>
                  { "local6", LOG_LOCAL6 },<br>
                  { "local7", LOG_LOCAL7 },<br>
              &nbsp;&nbsp;};<br>
              <br>
              with values of<br>
              <br>
              /* facility codes */<br>
              #define LOG_KERN        (0&lt;&lt;3)  /* kernel messages
              */<br>
              #define LOG_USER        (1&lt;&lt;3)  /* random user-level
              messages */<br>
              #define LOG_MAIL        (2&lt;&lt;3)  /* mail system */<br>
              #define LOG_DAEMON      (3&lt;&lt;3)  /* system daemons */<br>
              #define LOG_AUTH        (4&lt;&lt;3)  /*
              security/authorization messages */<br>
              #define LOG_SYSLOG      (5&lt;&lt;3)  /* messages
              generated internally by syslogd */<br>
              #define LOG_LPR         (6&lt;&lt;3)  /* line printer
              subsystem */<br>
              #define LOG_NEWS        (7&lt;&lt;3)  /* network news
              subsystem */<br>
              #define LOG_UUCP        (8&lt;&lt;3)  /* UUCP subsystem */<br>
              #define LOG_CRON        (9&lt;&lt;3)  /* clock daemon */<br>
              #define LOG_AUTHPRIV    (10&lt;&lt;3) /*
              security/authorization messages (private) */<br>
              #define LOG_FTP         (11&lt;&lt;3) /* ftp daemon */<br>
              <br>
                      /* other codes through 15 reserved for system use
              */<br>
              #define LOG_LOCAL0      (16&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL1      (17&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL2      (18&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL3      (19&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL4      (20&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL5      (21&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL6      (22&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL7      (23&lt;&lt;3) /* reserved for
              local use */<br>
              <br>
              <br>
              so there is no audit facility.<br>
              <br>
              Hope that explains it.<br>
              <br>
              <br>
              On 07/28/2015 09:08 AM, Justin Kala wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">
                <div><br clear="all">
                  Hi</div>
                <div><br>
                </div>
                <div>Syslog-ng is unable to recognize the facility
                  audit. When I put the filter as audit and restart
                  syslog-ng, it errors out. When I put the facility code
                  as 13, it does not error on restarting the service, but
                  it does not capture the syslog message received through
                  this filter code 13 either.</div>
                <div><br>
                </div>
                <div>Please advise.<br>
                  -- <br>
                </div>
                <div>Kaladhar</div>
              </div>
              <br>
              <br>
              <pre>______________________________________________________________________________
Member info: <a moz-do-not-send="true" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a moz-do-not-send="true" href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a moz-do-not-send="true" href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a>

</pre>
            </blockquote>
            <br>
            <br>
            <pre cols="500">-- 
Evan Rempel                                      <a moz-do-not-send="true" href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>
Senior Systems Administrator                        <a moz-do-not-send="true" href="tel:250.721.7691" value="+12507217691" target="_blank">250.721.7691</a>
Data Centre Services, University Systems, University of Victoria 
</pre>
          </div>
          <br>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="500">-- 
Evan Rempel                                      <a class="moz-txt-link-abbreviated" href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>
Senior Systems Administrator                        250.721.7691
Data Centre Services, University Systems, University of Victoria 
</pre>
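    <p>An added example, not part of the original thread or of syslog-ng:
      a small C check that decodes the <code>&lt;PRI&gt;</code> header of a raw
      syslog line and looks the facility number up in the Linux table quoted
      above, showing that facility 13 decodes numerically but has no name
      there. The function names and the sample line are constructed for
      illustration.</p>

```c
#include <stdio.h>
#include <stdlib.h>

/* Facility numbers from the Linux syslog.h table quoted in the thread
   (each LOG_* value there is the number shifted left by 3).
   The "mark" and "security" aliases are left out. */
struct fac { const char *name; int num; };
static const struct fac linux_facilities[] = {
    {"kern", 0}, {"user", 1}, {"mail", 2}, {"daemon", 3}, {"auth", 4},
    {"syslog", 5}, {"lpr", 6}, {"news", 7}, {"uucp", 8}, {"cron", 9},
    {"authpriv", 10}, {"ftp", 11},
    {"local0", 16}, {"local1", 17}, {"local2", 18}, {"local3", 19},
    {"local4", 20}, {"local5", 21}, {"local6", 22}, {"local7", 23},
};

/* Parse the leading "<PRI>" of a raw syslog line.
   Returns 0 and fills facility/severity, or -1 if the header is malformed. */
int parse_pri(const char *line, int *facility, int *severity)
{
    char *end;
    long pri;
    if (line == NULL || line[0] != '<' || line[1] < '0' || line[1] > '9')
        return -1;
    pri = strtol(line + 1, &end, 10);
    if (*end != '>' || end - (line + 1) > 3 || pri > 191)
        return -1;                 /* 191 = facility 23, severity 7 */
    *facility = (int)(pri >> 3);   /* upper bits: facility number */
    *severity = (int)(pri & 7);    /* low three bits: severity */
    return 0;
}

/* Name for a facility number, or NULL if the quoted table has no entry. */
const char *facility_name(int facility)
{
    size_t i;
    for (i = 0; i < sizeof linux_facilities / sizeof linux_facilities[0]; i++)
        if (linux_facilities[i].num == facility)
            return linux_facilities[i].name;
    return NULL;
}

int main(void)
{
    /* Constructed sample line: PRI 110 = facility 13, severity 6. */
    const char *line = "<110>Jul 28 09:00:00 host1 audit: constructed sample";
    int f, s;
    if (parse_pri(line, &f, &s) == 0)
        printf("facility=%d (%s) severity=%d\n", f,
               facility_name(f) ? facility_name(f) : "no name", s);
    return 0;
}
```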
  </body>
</html>