<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Then this needs to go back to whoever
      compiled the release of syslog-ng that you are using.<br>
      Perhaps it was compiled on a different release of Solaris or
      something. Only the group that compiled the release can give you
      more answers.<br>
      <br>
      Evan.<br>
      <br>
      On 07/28/2015 11:08 AM, Justin Kala wrote:<br>
    </div>
    <blockquote
cite="mid:CACLzEe+aTEdyfYWwN4+LeZ-+EvhuAY18wnyc2WRKzFkV5kCftA@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <div dir="ltr">
        <div>I see AUDIT facility defined in /usr/include/sys/syslog.h
          on syslog-ng server side and the sending server as well.</div>
        <div><br>
        </div>
        <div>#define LOG_KERN        (0&lt;&lt;3)  /* kernel messages */<br>
          #define LOG_USER        (1&lt;&lt;3)  /* random user-level
          messages */<br>
          #define LOG_MAIL        (2&lt;&lt;3)  /* mail system */<br>
          #define LOG_DAEMON      (3&lt;&lt;3)  /* system daemons */<br>
          #define LOG_AUTH        (4&lt;&lt;3)  /*
          security/authorization messages */<br>
          #define LOG_SYSLOG      (5&lt;&lt;3)  /* messages generated
          internally by syslogd */<br>
          #define LOG_LPR         (6&lt;&lt;3)  /* line printer
          subsystem */<br>
          #define LOG_NEWS        (7&lt;&lt;3)  /* netnews subsystem */<br>
          #define LOG_UUCP        (8&lt;&lt;3)  /* uucp subsystem */<br>
          <strong>#define LOG_AUDIT       (13&lt;&lt;3) /* audit
            subsystem */</strong><br>
          #define LOG_CRON        (15&lt;&lt;3) /* cron/at subsystem */<br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Tue, Jul 28, 2015 at 12:41 PM, Evan
          Rempel <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <div>Can you look at the syslog facility definitions<br>
                <br>
                /usr/include/sys/syslog.h<br>
                <br>
                or<br>
                <br>
                /usr/include/syslog.h<br>
                <br>
                to see if audit is a defined facility?
                <div>
                  <div class="h5"><br>
                    <br>
                    <br>
                    On 07/28/2015 09:32 AM, Justin Kala wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <p dir="ltr">Hi Evan, thanks for the reply, but both
                      sending and receiving servers are the same OS:
                      Solaris 10.</p>
                    <div class="gmail_quote">On Jul 28, 2015 12:18 PM,
                      "Evan Rempel" &lt;<a moz-do-not-send="true"
                        href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;

                      wrote:<br type="attribution">
                      <blockquote class="gmail_quote" style="margin:0px
                        0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
                        <div text="#000000" bgcolor="#FFFFFF">
                          <div>Well, that is probably because the host
                            where syslog-ng was compiled is a different
                            OS than that where the "audit" facility log
                            line was created.<br>
                            <br>
                            For instance, on a Linux host, the syslog.h
                            file from the system only has these
                            facilities defined.<br>
                            <br>
                            CODE facilitynames[] =<br>
                              {<br>
                                { "auth", LOG_AUTH },<br>
                                { "authpriv", LOG_AUTHPRIV },<br>
                                { "cron", LOG_CRON },<br>
                                { "daemon", LOG_DAEMON },<br>
                                { "ftp", LOG_FTP },<br>
                                { "kern", LOG_KERN },<br>
                                { "lpr", LOG_LPR },<br>
                                { "mail", LOG_MAIL },<br>
                                { "mark", INTERNAL_MARK },          /*
                            INTERNAL */<br>
                                { "news", LOG_NEWS },<br>
                                { "security", LOG_AUTH },           /*
                            DEPRECATED */<br>
                                { "syslog", LOG_SYSLOG },<br>
                                { "user", LOG_USER },<br>
                                { "uucp", LOG_UUCP },<br>
                                { "local0", LOG_LOCAL0 },<br>
                                { "local1", LOG_LOCAL1 },<br>
                                { "local2", LOG_LOCAL2 },<br>
                                { "local3", LOG_LOCAL3 },<br>
                                { "local4", LOG_LOCAL4 },<br>
                                { "local5", LOG_LOCAL5 },<br>
                                { "local6", LOG_LOCAL6 },<br>
                                { "local7", LOG_LOCAL7 },<br>
                            <br>
                            <br>
                            with values of<br>
                            <br>
                            /* facility codes */<br>
                            #define LOG_KERN        (0&lt;&lt;3)  /*
                            kernel messages */<br>
                            #define LOG_USER        (1&lt;&lt;3)  /*
                            random user-level messages */<br>
                            #define LOG_MAIL        (2&lt;&lt;3)  /*
                            mail system */<br>
                            #define LOG_DAEMON      (3&lt;&lt;3)  /*
                            system daemons */<br>
                            #define LOG_AUTH        (4&lt;&lt;3)  /*
                            security/authorization messages */<br>
                            #define LOG_SYSLOG      (5&lt;&lt;3)  /*
                            messages generated internally by syslogd */<br>
                            #define LOG_LPR         (6&lt;&lt;3)  /*
                            line printer subsystem */<br>
                            #define LOG_NEWS        (7&lt;&lt;3)  /*
                            network news subsystem */<br>
                            #define LOG_UUCP        (8&lt;&lt;3)  /*
                            UUCP subsystem */<br>
                            #define LOG_CRON        (9&lt;&lt;3)  /*
                            clock daemon */<br>
                            #define LOG_AUTHPRIV    (10&lt;&lt;3) /*
                            security/authorization messages (private) */<br>
                            #define LOG_FTP         (11&lt;&lt;3) /* ftp
                            daemon */<br>
                            <br>
                                    /* other codes through 15 reserved
                            for system use */<br>
                            #define LOG_LOCAL0      (16&lt;&lt;3) /*
                            reserved for local use */<br>
                            #define LOG_LOCAL1      (17&lt;&lt;3) /*
                            reserved for local use */<br>
                            #define LOG_LOCAL2      (18&lt;&lt;3) /*
                            reserved for local use */<br>
                            #define LOG_LOCAL3      (19&lt;&lt;3) /*
                            reserved for local use */<br>
                            #define LOG_LOCAL4      (20&lt;&lt;3) /*
                            reserved for local use */<br>
                            #define LOG_LOCAL5      (21&lt;&lt;3) /*
                            reserved for local use */<br>
                            #define LOG_LOCAL6      (22&lt;&lt;3) /*
                            reserved for local use */<br>
                            #define LOG_LOCAL7      (23&lt;&lt;3) /*
                            reserved for local use */<br>
                            <br>
                            <br>
                            so there is no audit facility.<br>
                            <br>
                            Hope that explains it.<br>
                            <br>
                            <br>
                            On 07/28/2015 09:08 AM, Justin Kala wrote:<br>
                          </div>
                          <blockquote type="cite">
                            <div dir="ltr">
                              <div><br clear="all">
                                Hi</div>
                              <div><br>
                              </div>
                              <div>Syslog-ng is unable to recognize the
                                facility audit. When I put filter as
                                audit and restart syslog-ng it errors
                                out. When I put the facility code as 13,
                                it does not error on restarting the
                                service but does not capture the syslog
                                message received through this filter
                                code 13 as well.</div>
                              <div><br>
                              </div>
                              <div>Please advise.<br>
                                -- <br>
                              </div>
                              <div>Kaladhar</div>
                            </div>
                            <br>
                            <fieldset></fieldset>
                            <br>
                            <pre>______________________________________________________________________________
Member info: <a moz-do-not-send="true" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a moz-do-not-send="true" href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a moz-do-not-send="true" href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a>

</pre>
                          </blockquote>
                          <br>
                          <br>
                          <pre cols="500">-- 
Evan Rempel                                      <a moz-do-not-send="true" href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>
Senior Systems Administrator                        <a moz-do-not-send="true" href="tel:250.721.7691" target="_blank" value="+12507217691">250.721.7691</a>
Data Centre Services, University Systems, University of Victoria 
</pre>
                        </div>
                        <br>
                      </blockquote>
                    </div>
                    <br>
                  </blockquote>
                  <br>
                  <br>
                  <pre cols="500">-- 
Evan Rempel                                      <a moz-do-not-send="true" href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>
Senior Systems Administrator                        <a moz-do-not-send="true" href="tel:250.721.7691" target="_blank" value="+12507217691">250.721.7691</a>
Data Centre Services, University Systems, University of Victoria 
</pre>
                </div>
              </div>
            </div>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <br>
        -- <br>
        <div class="gmail_signature">Kaladhar</div>
      </div>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="500">-- 
Evan Rempel                                      <a class="moz-txt-link-abbreviated" href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>
Senior Systems Administrator                        250.721.7691
Data Centre Services, University Systems, University of Victoria 
</pre>
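    <p>Added example, not part of the thread and not syslog-ng code: it decodes the PRI header of a syslog line (PRI = facility*8 + severity) and looks the facility number up in the two syslog.h excerpts quoted above, showing that facility 13 has a name only in the Solaris list. The tables hold only the facilities shown in the thread, the sample line is constructed, and <code>parse_pri</code> and <code>fac_name</code> are hypothetical helper names.</p>

```c
#include <stdio.h>
#include <string.h>

struct fac { const char *name; int code; };

/* Only the facilities quoted in the thread's Solaris 10 syslog.h excerpt. */
static const struct fac solaris_tbl[] = {
    {"kern", 0}, {"user", 1}, {"mail", 2}, {"daemon", 3}, {"auth", 4},
    {"syslog", 5}, {"lpr", 6}, {"news", 7}, {"uucp", 8},
    {"audit", 13}, {"cron", 15}, {NULL, -1}
};

/* Facilities from the thread's Linux syslog.h excerpt. */
static const struct fac linux_tbl[] = {
    {"kern", 0}, {"user", 1}, {"mail", 2}, {"daemon", 3}, {"auth", 4},
    {"syslog", 5}, {"lpr", 6}, {"news", 7}, {"uucp", 8}, {"cron", 9},
    {"authpriv", 10}, {"ftp", 11}, {"local0", 16}, {"local1", 17},
    {"local2", 18}, {"local3", 19}, {"local4", 20}, {"local5", 21},
    {"local6", 22}, {"local7", 23}, {NULL, -1}
};

/* Parse the leading "<PRI>" of a syslog line; PRI = facility*8 + severity.
 * Returns 0 on success, -1 if the header is malformed or PRI > 191. */
int parse_pri(const char *msg, int *facility, int *severity)
{
    int pri = 0, digits = 0;
    if (msg == NULL || *msg++ != '<') return -1;
    for (; *msg >= '0' && *msg <= '9' && digits < 3; digits++)
        pri = pri * 10 + (*msg++ - '0');
    if (digits == 0 || *msg != '>' || pri > 191) return -1;
    *facility = pri >> 3;   /* undo the (n<<3) used by the LOG_* macros */
    *severity = pri & 7;
    return 0;
}

/* Name for a numeric facility in one platform's table, or NULL if unnamed. */
const char *fac_name(const struct fac *tbl, int code)
{
    for (; tbl->name != NULL; tbl++)
        if (tbl->code == code) return tbl->name;
    return NULL;
}

int main(void)
{
    int f, s;
    if (parse_pri("<110>host1 audit: constructed sample", &f, &s)) return 1;
    const char *lx = fac_name(linux_tbl, f);
    printf("facility=%d severity=%d solaris=%s linux=%s\n", f, s,
           fac_name(solaris_tbl, f), lx ? lx : "(unnamed)");
    return 0;
}
```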
  </body>
</html>