<div dir="ltr"><div>I see AUDIT facility defined in /usr/include/sys/syslog.h on syslog-ng server side and the sending server as well.</div><div><br></div><div>#define LOG_KERN (0<<3) /* kernel messages */<br>#define LOG_USER (1<<3) /* random user-level messages */<br>#define LOG_MAIL (2<<3) /* mail system */<br>#define LOG_DAEMON (3<<3) /* system daemons */<br>#define LOG_AUTH (4<<3) /* security/authorization messages */<br>#define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */<br>#define LOG_LPR (6<<3) /* line printer subsystem */<br>#define LOG_NEWS (7<<3) /* netnews subsystem */<br>#define LOG_UUCP (8<<3) /* uucp subsystem */<br><strong>#define LOG_AUDIT (13<<3) /* audit subsystem */</strong><br>#define LOG_CRON (15<<3) /* cron/at subsystem */<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 28, 2015 at 12:41 PM, Evan Rempel <span dir="ltr"><<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Can you look at the syslog facility
definitions<br>
<br>
/usr/include/sys/syslog.h<br>
<br>
or<br>
<br>
/usr/include/syslog.h<br>
<br>
to see if audit is a defined facility?<div><div class="h5"><br>
<br>
<br>
On 07/28/2015 09:32 AM, Justin Kala wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<p dir="ltr">Hi Evan..thanks for the reply but both sending and
receiving servers are same OS.. Solaris 10</p>
<div class="gmail_quote">On Jul 28, 2015 12:18 PM, "Evan Rempel"
<<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div text="#000000" bgcolor="#FFFFFF">
<div>Well, that is probably because the host where syslog-ng
was compiled is a different OS than that where the "audit"
facility log line was created.<br>
<br>
For instance, on a Linux host, the syslog.h file from the
system only has these facilities defined.<br>
<br>
CODE facilitynames[] =<br>
{<br>
{ "auth", LOG_AUTH },<br>
{ "authpriv", LOG_AUTHPRIV },<br>
{ "cron", LOG_CRON },<br>
{ "daemon", LOG_DAEMON },<br>
{ "ftp", LOG_FTP },<br>
{ "kern", LOG_KERN },<br>
{ "lpr", LOG_LPR },<br>
{ "mail", LOG_MAIL },<br>
{ "mark", INTERNAL_MARK }, /* INTERNAL */<br>
{ "news", LOG_NEWS },<br>
{ "security", LOG_AUTH }, /* DEPRECATED */<br>
{ "syslog", LOG_SYSLOG },<br>
{ "user", LOG_USER },<br>
{ "uucp", LOG_UUCP },<br>
{ "local0", LOG_LOCAL0 },<br>
{ "local1", LOG_LOCAL1 },<br>
{ "local2", LOG_LOCAL2 },<br>
{ "local3", LOG_LOCAL3 },<br>
{ "local4", LOG_LOCAL4 },<br>
{ "local5", LOG_LOCAL5 },<br>
{ "local6", LOG_LOCAL6 },<br>
{ "local7", LOG_LOCAL7 },<br>
<br>
<br>
with values of<br>
<br>
/* facility codes */<br>
#define LOG_KERN (0<<3) /* kernel messages
*/<br>
#define LOG_USER (1<<3) /* random user-level
messages */<br>
#define LOG_MAIL (2<<3) /* mail system */<br>
#define LOG_DAEMON (3<<3) /* system daemons */<br>
#define LOG_AUTH (4<<3) /*
security/authorization messages */<br>
#define LOG_SYSLOG (5<<3) /* messages
generated internally by syslogd */<br>
#define LOG_LPR (6<<3) /* line printer
subsystem */<br>
#define LOG_NEWS (7<<3) /* network news
subsystem */<br>
#define LOG_UUCP (8<<3) /* UUCP subsystem */<br>
#define LOG_CRON (9<<3) /* clock daemon */<br>
#define LOG_AUTHPRIV (10<<3) /*
security/authorization messages (private) */<br>
#define LOG_FTP (11<<3) /* ftp daemon */<br>
<br>
/* other codes through 15 reserved for system use
*/<br>
#define LOG_LOCAL0 (16<<3) /* reserved for
local use */<br>
#define LOG_LOCAL1 (17<<3) /* reserved for
local use */<br>
#define LOG_LOCAL2 (18<<3) /* reserved for
local use */<br>
#define LOG_LOCAL3 (19<<3) /* reserved for
local use */<br>
#define LOG_LOCAL4 (20<<3) /* reserved for
local use */<br>
#define LOG_LOCAL5 (21<<3) /* reserved for
local use */<br>
#define LOG_LOCAL6 (22<<3) /* reserved for
local use */<br>
#define LOG_LOCAL7 (23<<3) /* reserved for
local use */<br>
<br>
<br>
so there is no audit facility.<br>
<br>
Hope that explains it.<br>
<br>
<br>
On 07/28/2015 09:08 AM, Justin Kala wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div><br clear="all">
Hi</div>
<div><br>
</div>
<div>Syslog-ng is unable to recognize the facility
audit. When I put filter as audit and restart
syslog-ng it errors out. When I put the facility code
as 13 ,it does not error on restarting the service but
does not capture the syslog message received through
this filter code 13 as well.</div>
<div><br>
</div>
<div>Please advise.<br>
-- <br>
</div>
<div>Kaladhar</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
<br>
<br>
<pre cols="500">--
Evan Rempel <a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>
Senior Systems Administrator <a href="tel:250.721.7691" target="_blank" value="+12507217691">250.721.7691</a>
Data Centre Services, University Systems, University of Victoria
</pre>
</div>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank" rel="noreferrer">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank" rel="noreferrer">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank" rel="noreferrer">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br>
</blockquote>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
<br>
<br>
<pre cols="500">--
Evan Rempel <a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>
Senior Systems Administrator <a href="tel:250.721.7691" target="_blank" value="+12507217691">250.721.7691</a>
Data Centre Services, University Systems, University of Victoria
</pre>
</div></div></div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank" rel="noreferrer">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank" rel="noreferrer">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank" rel="noreferrer">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">Kaladhar</div>
</div>