<div dir="ltr">Also, the current operating system is Solaris 11 SPARC 64-bit.</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 22, 2016 at 11:46 AM, Justin Kala <span dir="ltr"><<a href="mailto:justinkala@gmail.com" target="_blank">justinkala@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Somehow facility 13 is unable to accept Audit Logs.</div><div>syslog-names.c does have the audit facility.</div><div>Please let me know what else can be done.</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 29, 2015 at 5:14 PM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><p dir="ltr">It doesn't matter, the on-wire format is the same. Syslog-ng on the server prints the facility in debug mode.</p><div><div>
<div class="gmail_quote">On Jul 29, 2015 9:07 PM, "Justin Kala" <<a href="mailto:justinkala@gmail.com" target="_blank">justinkala@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><div dir="ltr"><div>Bazsi</div><div> </div><div>We do not have syslog-ng agents on the sending server side. Using the capabilities of syslog.conf only, where I put the line "audit.notice @Syslog-NG-server".</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 29, 2015 at 4:25 AM, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"><p dir="ltr">Syslog-ng does have a private facility registry to make the codes more portable across OS-es. It is in syslog-names.c in the lib/ directory. Can you check if audit is listed there?</p>
<p dir="ltr">If it's not, feel free to submit a patch to add that.</p>
<p dir="ltr">Also, on a related note, if syslog-ng doesn't match by facility code, please confirm that the message was indeed submitted with the facility code you are expecting. You can do that by looking at raw syslog traffic (using a sniffer or merely looking at syslog-ng debug output). There you will see a number in brackets as the first thing in a message.</p>
<p dir="ltr">E.g. </p>
<p dir="ltr"><55>date host msg</p>
<p dir="ltr">There, 55 equals 8 times the facility plus the severity level; in this example 6*8+7, i.e. facility 6, severity 7.<br>
Hope this helps.<br>
Bazsi</p><div><div>
<div class="gmail_quote">On Jul 28, 2015 8:36 PM, "Evan Rempel" <<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div text="#000000" bgcolor="#FFFFFF">
<div>Then this needs to go back to whoever
compiled the release of syslog-ng that you are using.<br>
Perhaps it was compiled on a different release of Solaris or
something. Only the group that compiled the release can give you
more answers.<br>
<br>
Evan.<br>
<br>
On 07/28/2015 11:08 AM, Justin Kala wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>I see AUDIT facility defined in /usr/include/sys/syslog.h
on syslog-ng server side and the sending server as well.</div>
<div><br>
</div>
<div>#define LOG_KERN (0<<3) /* kernel messages */<br>
#define LOG_USER (1<<3) /* random user-level
messages */<br>
#define LOG_MAIL (2<<3) /* mail system */<br>
#define LOG_DAEMON (3<<3) /* system daemons */<br>
#define LOG_AUTH (4<<3) /*
security/authorization messages */<br>
#define LOG_SYSLOG (5<<3) /* messages generated
internally by syslogd */<br>
#define LOG_LPR (6<<3) /* line printer
subsystem */<br>
#define LOG_NEWS (7<<3) /* netnews subsystem */<br>
#define LOG_UUCP (8<<3) /* uucp subsystem */<br>
<strong>#define LOG_AUDIT (13<<3) /* audit
subsystem */</strong><br>
#define LOG_CRON (15<<3) /* cron/at subsystem */<br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Jul 28, 2015 at 12:41 PM, Evan
Rempel <span dir="ltr"><<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div text="#000000" bgcolor="#FFFFFF">
<div>Can you look at the syslog facility definitions<br>
<br>
/usr/include/sys/syslog.h<br>
<br>
or<br>
<br>
/usr/include/syslog.h<br>
<br>
to see if audit is a defined facility?
<div>
<div><br>
<br>
<br>
On 07/28/2015 09:32 AM, Justin Kala wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<p dir="ltr">Hi Evan, thanks for the reply, but both
sending and receiving servers are the same OS:
Solaris 10</p>
<div class="gmail_quote">On Jul 28, 2015 12:18 PM,
"Evan Rempel" <<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
<div text="#000000" bgcolor="#FFFFFF">
<div>Well, that is probably because the host
where syslog-ng was compiled is a different
OS than that where the "audit" facility log
line was created.<br>
<br>
For instance, on a Linux host, the syslog.h
file from the system only has these
facilities defined.<br>
<br>
CODE facilitynames[] =<br>
{<br>
{ "auth", LOG_AUTH },<br>
{ "authpriv", LOG_AUTHPRIV },<br>
{ "cron", LOG_CRON },<br>
{ "daemon", LOG_DAEMON },<br>
{ "ftp", LOG_FTP },<br>
{ "kern", LOG_KERN },<br>
{ "lpr", LOG_LPR },<br>
{ "mail", LOG_MAIL },<br>
{ "mark", INTERNAL_MARK }, /*
INTERNAL */<br>
{ "news", LOG_NEWS },<br>
{ "security", LOG_AUTH }, /*
DEPRECATED */<br>
{ "syslog", LOG_SYSLOG },<br>
{ "user", LOG_USER },<br>
{ "uucp", LOG_UUCP },<br>
{ "local0", LOG_LOCAL0 },<br>
{ "local1", LOG_LOCAL1 },<br>
{ "local2", LOG_LOCAL2 },<br>
{ "local3", LOG_LOCAL3 },<br>
{ "local4", LOG_LOCAL4 },<br>
{ "local5", LOG_LOCAL5 },<br>
{ "local6", LOG_LOCAL6 },<br>
{ "local7", LOG_LOCAL7 },<br>
<br>
<br>
with values of<br>
<br>
/* facility codes */<br>
#define LOG_KERN (0<<3) /*
kernel messages */<br>
#define LOG_USER (1<<3) /*
random user-level messages */<br>
#define LOG_MAIL (2<<3) /*
mail system */<br>
#define LOG_DAEMON (3<<3) /*
system daemons */<br>
#define LOG_AUTH (4<<3) /*
security/authorization messages */<br>
#define LOG_SYSLOG (5<<3) /*
messages generated internally by syslogd */<br>
#define LOG_LPR (6<<3) /*
line printer subsystem */<br>
#define LOG_NEWS (7<<3) /*
network news subsystem */<br>
#define LOG_UUCP (8<<3) /*
UUCP subsystem */<br>
#define LOG_CRON (9<<3) /*
clock daemon */<br>
#define LOG_AUTHPRIV (10<<3) /*
security/authorization messages (private) */<br>
#define LOG_FTP (11<<3) /* ftp
daemon */<br>
<br>
/* other codes through 15 reserved
for system use */<br>
#define LOG_LOCAL0 (16<<3) /*
reserved for local use */<br>
#define LOG_LOCAL1 (17<<3) /*
reserved for local use */<br>
#define LOG_LOCAL2 (18<<3) /*
reserved for local use */<br>
#define LOG_LOCAL3 (19<<3) /*
reserved for local use */<br>
#define LOG_LOCAL4 (20<<3) /*
reserved for local use */<br>
#define LOG_LOCAL5 (21<<3) /*
reserved for local use */<br>
#define LOG_LOCAL6 (22<<3) /*
reserved for local use */<br>
#define LOG_LOCAL7 (23<<3) /*
reserved for local use */<br>
<br>
<br>
so there is no audit facility.<br>
<br>
Hope that explains it.<br>
<br>
<br>
On 07/28/2015 09:08 AM, Justin Kala wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div><br clear="all">
Hi</div>
<div><br>
</div>
<div>Syslog-ng is unable to recognize the
facility audit. When I put the filter as
audit and restart syslog-ng, it errors
out. When I put the facility code as 13,
it does not error on restarting the
service, but it does not capture the syslog
message received through this filter
code 13 either.</div>
<div><br>
</div>
<div>Please advise.<br>
-- <br>
</div>
<div>Kaladhar</div>
</div>
<br>
<fieldset></fieldset>
<br>
<pre>______________________________________________________________________________
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a>
</pre>
</blockquote>
<br>
<br>
<pre cols="500">--
Evan Rempel <a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>
Senior Systems Administrator <a href="tel:250.721.7691" target="_blank" value="+12507217691">250.721.7691</a>
Data Centre Services, University Systems, University of Victoria
</pre>
</div>
<br>
<br>
<br>
</blockquote>
</div>
<br>
</blockquote>
<br>
<br>
</div>
</div>
</div>
<br>
<br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<div>Kaladhar</div>
</div>
<br>
</blockquote>
<br>
<br>
</div>
<br>
<br></blockquote></div>
</div></div>
<br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div>Kaladhar</div>
</div>
<br>
<br></blockquote></div>
</div></div>
<br>
<br></blockquote></div><br><br clear="all"><br>-- <br><div>Kaladhar</div>
</div>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">Kaladhar</div>
</div>
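<p>Added example (not code from the thread or from syslog-ng): a small Python decoder for the PRI arithmetic Bazsi describes above, checked against the Linux and Solaris facility lists as quoted in the thread, so the same wire value can be named per OS. The sample lines and host names are constructed.</p>

```python
"""Decode the <PRI> prefix of a raw syslog line: PRI = facility*8 + severity,
so <55> is facility 6, severity 7, as explained in the thread above."""
import re

# Facility tables as quoted in the thread. Solaris sys/syslog.h has LOG_AUDIT
# at 13 and LOG_CRON at 15; the Linux syslog.h list has cron at 9 and keeps
# 12-15 reserved, so code 13 has no name there. local0-7 (16-23) are the
# standard local-use facilities on both.
_LOCAL = {16 + i: "local%d" % i for i in range(8)}
LINUX_FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                    5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
                    10: "authpriv", 11: "ftp", **_LOCAL}
SOLARIS_FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                      5: "syslog", 6: "lpr", 7: "news", 8: "uucp",
                      13: "audit", 15: "cron", **_LOCAL}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """The number a sender puts in brackets for a facility/severity pair."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility or severity out of range")
    return facility * 8 + severity


def decode_pri(raw):
    """Return (facility, severity) from a raw '<PRI>...' message.
    Raises ValueError if the prefix is missing or above 191 (23*8+7)."""
    m = _PRI_RE.match(raw)
    if not m:
        raise ValueError("no <PRI> prefix on message")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    return divmod(pri, 8)  # (pri // 8, pri % 8)


def describe(raw, facilities):
    """Name facility.severity of a raw message against one OS table, flagging
    codes that OS does not define (the thread's facility 13 case)."""
    fac, sev = decode_pri(raw)
    name = facilities.get(fac, "facility %d (not defined on this OS)" % fac)
    return "%s.%s" % (name, SEVERITIES[sev])


# Constructed samples, not captured traffic: Bazsi's <55> example and the
# line a Solaris syslogd sends for the "audit.notice @server" rule (13*8+5).
SAMPLES = ["<55>Jul 29 11:02:03 host msg",
           "<109>Jul 29 11:02:04 solhost audit message"]
```

Running `describe` on the second sample with each table shows why a filter on facility 13 is meaningful on the Solaris side while the Linux header has no name for it.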