<div dir="ltr"><div>I see the AUDIT facility defined in /usr/include/sys/syslog.h on the syslog-ng server side and on the sending server as well.</div><div><br></div><div>#define LOG_KERN        (0&lt;&lt;3)  /* kernel messages */<br>#define LOG_USER        (1&lt;&lt;3)  /* random user-level messages */<br>#define LOG_MAIL        (2&lt;&lt;3)  /* mail system */<br>#define LOG_DAEMON      (3&lt;&lt;3)  /* system daemons */<br>#define LOG_AUTH        (4&lt;&lt;3)  /* security/authorization messages */<br>#define LOG_SYSLOG      (5&lt;&lt;3)  /* messages generated internally by syslogd */<br>#define LOG_LPR         (6&lt;&lt;3)  /* line printer subsystem */<br>#define LOG_NEWS        (7&lt;&lt;3)  /* netnews subsystem */<br>#define LOG_UUCP        (8&lt;&lt;3)  /* uucp subsystem */<br><strong>#define LOG_AUDIT       (13&lt;&lt;3) /* audit subsystem */</strong><br>#define LOG_CRON        (15&lt;&lt;3) /* cron/at subsystem */<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 28, 2015 at 12:41 PM, Evan Rempel <span dir="ltr">&lt;<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <div>Can you look at the syslog facility
      definitions<br>
      <br>
      /usr/include/sys/syslog.h<br>
      <br>
      or<br>
      <br>
      /usr/include/syslog.h<br>
      <br>
      to see if audit is a defined facility?<div><div class="h5"><br>
      <br>
      <br>
      On 07/28/2015 09:32 AM, Justin Kala wrote:<br>
    </div></div></div><div><div class="h5">
    <blockquote type="cite">
      
      <p dir="ltr">Hi Evan, thanks for the reply, but both the sending and
        receiving servers are the same OS: Solaris 10.</p>
      <div class="gmail_quote">On Jul 28, 2015 12:18 PM, &quot;Evan Rempel&quot;
        &lt;<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;
        wrote:<br type="attribution">
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
          <div text="#000000" bgcolor="#FFFFFF">
            <div>Well, that is probably because the host where syslog-ng
              was compiled is a different OS than that where the &quot;audit&quot;
              facility log line was created.<br>
              <br>
              For instance, on a Linux host, the syslog.h file from the
              system only has these facilities defined.<br>
              <br>
              CODE facilitynames[] =<br>
                {<br>
                  { &quot;auth&quot;, LOG_AUTH },<br>
                  { &quot;authpriv&quot;, LOG_AUTHPRIV },<br>
                  { &quot;cron&quot;, LOG_CRON },<br>
                  { &quot;daemon&quot;, LOG_DAEMON },<br>
                  { &quot;ftp&quot;, LOG_FTP },<br>
                  { &quot;kern&quot;, LOG_KERN },<br>
                  { &quot;lpr&quot;, LOG_LPR },<br>
                  { &quot;mail&quot;, LOG_MAIL },<br>
                  { &quot;mark&quot;, INTERNAL_MARK },          /* INTERNAL */<br>
                  { &quot;news&quot;, LOG_NEWS },<br>
                  { &quot;security&quot;, LOG_AUTH },           /* DEPRECATED */<br>
                  { &quot;syslog&quot;, LOG_SYSLOG },<br>
                  { &quot;user&quot;, LOG_USER },<br>
                  { &quot;uucp&quot;, LOG_UUCP },<br>
                  { &quot;local0&quot;, LOG_LOCAL0 },<br>
                  { &quot;local1&quot;, LOG_LOCAL1 },<br>
                  { &quot;local2&quot;, LOG_LOCAL2 },<br>
                  { &quot;local3&quot;, LOG_LOCAL3 },<br>
                  { &quot;local4&quot;, LOG_LOCAL4 },<br>
                  { &quot;local5&quot;, LOG_LOCAL5 },<br>
                  { &quot;local6&quot;, LOG_LOCAL6 },<br>
                  { &quot;local7&quot;, LOG_LOCAL7 },<br>
              <br>
              <br>
              with values of<br>
              <br>
              /* facility codes */<br>
              #define LOG_KERN        (0&lt;&lt;3)  /* kernel messages
              */<br>
              #define LOG_USER        (1&lt;&lt;3)  /* random user-level
              messages */<br>
              #define LOG_MAIL        (2&lt;&lt;3)  /* mail system */<br>
              #define LOG_DAEMON      (3&lt;&lt;3)  /* system daemons */<br>
              #define LOG_AUTH        (4&lt;&lt;3)  /*
              security/authorization messages */<br>
              #define LOG_SYSLOG      (5&lt;&lt;3)  /* messages
              generated internally by syslogd */<br>
              #define LOG_LPR         (6&lt;&lt;3)  /* line printer
              subsystem */<br>
              #define LOG_NEWS        (7&lt;&lt;3)  /* network news
              subsystem */<br>
              #define LOG_UUCP        (8&lt;&lt;3)  /* UUCP subsystem */<br>
              #define LOG_CRON        (9&lt;&lt;3)  /* clock daemon */<br>
              #define LOG_AUTHPRIV    (10&lt;&lt;3) /*
              security/authorization messages (private) */<br>
              #define LOG_FTP         (11&lt;&lt;3) /* ftp daemon */<br>
              <br>
                      /* other codes through 15 reserved for system use
              */<br>
              #define LOG_LOCAL0      (16&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL1      (17&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL2      (18&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL3      (19&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL4      (20&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL5      (21&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL6      (22&lt;&lt;3) /* reserved for
              local use */<br>
              #define LOG_LOCAL7      (23&lt;&lt;3) /* reserved for
              local use */<br>
              <br>
              <br>
              so there is no audit facility.<br>
              <br>
              Hope that explains it.<br>
              <br>
              <br>
              On 07/28/2015 09:08 AM, Justin Kala wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">
                <div><br clear="all">
                  Hi</div>
                <div><br>
                </div>
                <div>Syslog-ng is unable to recognize the facility
                  audit. When I put the filter as audit and restart
                  syslog-ng, it errors out. When I put the facility code
                  as 13, it does not error on restarting the service, but
                  it does not capture the syslog message received through
                  this filter code 13 either.</div>
                <div><br>
                </div>
                <div>Please advise.<br>
                  -- <br>
                </div>
                <div>Kaladhar</div>
              </div>
              <br>
              <br>
              <pre>______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a>

</pre>
            </blockquote>
            <br>
            <br>
            <pre cols="500">-- 
Evan Rempel                                      <a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>
Senior Systems Administrator                        <a href="tel:250.721.7691" target="_blank" value="+12507217691">250.721.7691</a>
Data Centre Services, University Systems, University of Victoria 
</pre>
          </div>
          <br>
        </blockquote>
      </div>
    </blockquote>
    <br>
    <br>
    <pre cols="500">-- 
Evan Rempel                                      <a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>
Senior Systems Administrator                        <a href="tel:250.721.7691" target="_blank" value="+12507217691">250.721.7691</a>
Data Centre Services, University Systems, University of Victoria 
</pre>
  </div></div></div>

<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">Kaladhar</div>
</div>
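<div>The facility-number mismatch discussed in this thread, as an added example (not code from the thread or from syslog-ng): a small C decoder that splits a syslog &lt;PRI&gt; value into facility and severity and looks the facility number up in the two header excerpts quoted above. The names parse_pri, fac_name, solaris_tbl and linux_tbl and the sample frames are constructed for illustration.</div>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Facility number -> name, transcribed from the two header excerpts quoted
 * in this thread (the N in "N<<3"). Table and function names are made up. */
struct fac { int num; const char *name; };
static const struct fac solaris_tbl[] = {      /* Solaris 10 excerpt */
    {0,"kern"}, {1,"user"}, {2,"mail"}, {3,"daemon"}, {4,"auth"},
    {5,"syslog"}, {6,"lpr"}, {7,"news"}, {8,"uucp"}, {13,"audit"},
    {15,"cron"}, {-1,NULL} };
static const struct fac linux_tbl[] = {        /* Linux excerpt */
    {0,"kern"}, {1,"user"}, {2,"mail"}, {3,"daemon"}, {4,"auth"},
    {5,"syslog"}, {6,"lpr"}, {7,"news"}, {8,"uucp"}, {9,"cron"},
    {10,"authpriv"}, {11,"ftp"}, {16,"local0"}, {17,"local1"},
    {18,"local2"}, {19,"local3"}, {20,"local4"}, {21,"local5"},
    {22,"local6"}, {23,"local7"}, {-1,NULL} };

/* Split the leading "<PRI>" of a syslog frame into facility and severity.
 * Returns 0 on success, -1 if the header is missing or out of range. */
int parse_pri(const char *msg, int *facility, int *severity)
{
    char *end;
    long pri;
    if (msg[0] != '<' || msg[1] < '0' || msg[1] > '9') return -1;
    pri = strtol(msg + 1, &end, 10);
    if (*end != '>' || end - (msg + 1) > 3 || pri > 191) return -1;
    *facility = (int)(pri >> 3);   /* upper bits: facility number */
    *severity = (int)(pri & 7);    /* low three bits: severity */
    return 0;
}

/* Name for a facility number in the given table, or NULL if unnamed. */
const char *fac_name(const struct fac *tbl, int num)
{
    for (; tbl->name != NULL; tbl++)
        if (tbl->num == num) return tbl->name;
    return NULL;
}

int main(void)
{
    /* Constructed sample frames carrying facility 13, 15 and 9. */
    const char *samples[] = { "<109>a: sample", "<126>b: sample", "<78>c: sample" };
    for (int i = 0; i < 3; i++) {
        int f, s;
        if (parse_pri(samples[i], &f, &s) != 0) continue;
        const char *a = fac_name(solaris_tbl, f), *b = fac_name(linux_tbl, f);
        printf("fac %2d sev %d solaris=%s linux=%s\n", f, s, a ? a : "-", b ? b : "-");
    }
    return 0;
}
```

<div>Facility 13 resolves to "audit" only in the Solaris table, and "cron" sits at 15 there but at 9 in the Linux excerpt, so a receiver that matches by name needs the sender's numbering.</div>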