Hello,
It appears that syslog-ng does not correctly identify the 'security' facility:
$ logger -p security.info oink
yields:
Aug 25 10:46:43 <d.info> syslog1 oink
Note the false facility "d".
In src/syslog-names.c, the mapping for 'security' is done thusly:
{"security", LOG_AUTH}, /* DEPRECATED */
FreeBSD, however, appears to still use LOG_SECURITY, which leads to syslog-ng falsely categorizing the incoming messages. I'd be able to deal with this if it actually did fall back to LOG_AUTH, but for some reason it shows up as facility "d" (which seems like a string comparison gone awry).
-Jan
Hi,
It does work for me in 3.1. What version do you run, what is your destination template? Do you use any rewrite in your config?
Marton
On Tue, 2009-08-25 at 13:53 -0400, Jan Schaumann wrote:
Hello,
It appears that syslog-ng does not correctly identify the 'security' facility:
$ logger -p security.info oink
yields:
Aug 25 10:46:43 <d.info> syslog1 oink
Note the false facility "d".
In src/syslog-names.c, the mapping for 'security' is done thusly:
{"security", LOG_AUTH}, /* DEPRECATED */
FreeBSD, however, appears to still use LOG_SECURITY, which leads to syslog-ng falsely categorizing the incoming messages. I'd be able to deal with this if it actually did fall back to LOG_AUTH, but for some reason it shows up as facility "d" (which seems like a string comparison gone awry).
-Jan
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
-- Key fingerprint = F78C 25CA 5F88 6FAF EA21 779D 3279 9F9E 1155 670D
"ILLES, Marton" <illes.marton@balabit.hu> wrote:
It does work for me in 3.1. What version do you run, what is your destination template? Do you use any rewrite in your config?
I run syslog-ng 3.0.2 -- I didn't know there was a 3.1, and I can't seem to find it on the website, either...
The destination template is:
template("${DATE} <${FACILITY}.${PRIORITY}> ${HOST} ${MSG}\n");
I'm not rewriting anything.
-Jan
Jan Schaumann <jschauma@netmeister.org> wrote:
It appears that syslog-ng does not correctly identify the 'security' facility:
$ logger -p security.info oink
yields:
Aug 25 10:46:43 <d.info> syslog1 oink
Note the false facility "d".
In src/syslog-names.c, the mapping for 'security' is done thusly:
{"security", LOG_AUTH}, /* DEPRECATED */
FreeBSD, however, appears to still use LOG_SECURITY, which leads to syslog-ng falsely categorizing the incoming messages. I'd be able to deal with this if it actually did fall back to LOG_AUTH, but for some reason it shows up as facility "d" (which seems like a string comparison gone awry).
As a temporary workaround until this is either fixed or the cause of the problem is shown to be in my configuration or something :-), I'm using the following patch:
--- src/syslog-names.c.orig Tue Aug 25 14:52:31 2009 +++ src/syslog-names.c Tue Aug 25 14:54:41 2009 @@ -45,6 +45,9 @@ #ifdef LOG_AUTHPRIV {"authpriv", LOG_AUTHPRIV}, #endif +#ifdef LOG_CONSOLE + {"console", LOG_CONSOLE}, +#endif #ifdef LOG_CRON {"cron", LOG_CRON}, #endif @@ -56,7 +59,14 @@ {"lpr", LOG_LPR}, {"mail", LOG_MAIL}, {"news", LOG_NEWS}, +#ifdef LOG_NTP + {"ntp", LOG_NTP}, +#endif +#ifdef LOG_SECURITY + {"security", LOG_SECURITY}, +#else {"security", LOG_AUTH}, /* DEPRECATED */ +#endif {"syslog", LOG_SYSLOG}, {"user", LOG_USER}, {"uucp", LOG_UUCP},
I don't know if you guys want to consider using this, too, to allow FreeBSD users to continue to use the facilities they are used to. If you do, I can open a bug for this.
-Jan
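Review bot: in the first hunk (@@ -45,6 +45,9 @@) the new "console" entry sits behind `#ifdef LOG_CONSOLE`, so whether the name is known depends on the <syslog.h> of the host the binary was built on, not on what senders emit. A build on a system that lacks LOG_CONSOLE still has no name for that facility when a message carrying it arrives. Consider defining the numeric code in src/syslog-names.c itself so the entry is always compiled in.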
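Review bot: in the second hunk (@@ -56,7 +59,14 @@) the `#ifdef LOG_SECURITY` / `#else` pair makes the name "security" resolve to a different facility code depending on the build platform, so a configuration that refers to the facility by name selects different messages on different builds. The `/* DEPRECATED */` comment now sits only on the `#else` branch and no longer says which mapping is the preferred one; please add a comment stating what "security" maps to in each case, or make the mapping unconditional. The "ntp" entry added behind `#ifdef LOG_NTP` has the same build-host dependency.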
Hi,
This makes sense, thus I've committed the following patch to the syslog-ng 3.1 branch (which had no releases so far). It should be applicable to 3.0 as well, but I don't intend to backport it.
commit 8a02601f81791a519de568f900276ceedd3ca6c9
Author: Balazs Scheidler <bazsi@balabit.hu>
Date: Fri Sep 4 09:55:18 2009 +0200
[syslog-names] decouple the facility/severity codes known by syslog-ng from the system defined codes
Until now syslog-ng depended on the values defined in <syslog.h> to implement the severity/facility name lookups. Since BSD uses a couple of new facility codes which are not defined on other systems, this patch removes this dependency and hard-codes the values defined by RFC3164, the Linux syslog.h header and the BSD syslog.h header.
This makes syslog-ng know about "ntp", "security" and "console" facilities. Even on non-BSD systems.
On Tue, 2009-08-25 at 15:23 -0400, Jan Schaumann wrote:
Jan Schaumann <jschauma@netmeister.org> wrote:
It appears that syslog-ng does not correctly identify the 'security' facility:
$ logger -p security.info oink
yields:
Aug 25 10:46:43 <d.info> syslog1 oink
Note the false facility "d".
In src/syslog-names.c, the mapping for 'security' is done thusly:
{"security", LOG_AUTH}, /* DEPRECATED */
FreeBSD, however, appears to still use LOG_SECURITY, which leads to syslog-ng falsely categorizing the incoming messages. I'd be able to deal with this if it actually did fall back to LOG_AUTH, but for some reason it shows up as facility "d" (which seems like a string comparison gone awry).
As a temporary workaround until this is either fixed or the cause of the problem is shown to be in my configuration or something :-), I'm using the following patch:
--- src/syslog-names.c.orig Tue Aug 25 14:52:31 2009 +++ src/syslog-names.c Tue Aug 25 14:54:41 2009 @@ -45,6 +45,9 @@ #ifdef LOG_AUTHPRIV {"authpriv", LOG_AUTHPRIV}, #endif +#ifdef LOG_CONSOLE + {"console", LOG_CONSOLE}, +#endif #ifdef LOG_CRON {"cron", LOG_CRON}, #endif @@ -56,7 +59,14 @@ {"lpr", LOG_LPR}, {"mail", LOG_MAIL}, {"news", LOG_NEWS}, +#ifdef LOG_NTP + {"ntp", LOG_NTP}, +#endif +#ifdef LOG_SECURITY + {"security", LOG_SECURITY}, +#else {"security", LOG_AUTH}, /* DEPRECATED */ +#endif {"syslog", LOG_SYSLOG}, {"user", LOG_USER}, {"uucp", LOG_UUCP},
I don't know if you guys want to consider using this, too, to allow FreeBSD users to continue to use the facilities they are used to. If you do, I can open a bug for this.
-Jan
-- Bazsi
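The lookup that the commit message describes, as an added example (not syslog-ng's code): a facility table with the codes hard-coded, applied to a constructed line with PRI 110, which is facility 13 (LOG_SECURITY in FreeBSD's <syslog.h>) and severity info. The struct, the function names and the hex fallback for unnamed codes are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Facility codes hard-coded instead of taken from the build host's <syslog.h>.
 * bsd = 1 marks the FreeBSD codes 12-14 discussed in the thread. */
struct fac { const char *name; int code; int bsd; };
static const struct fac facilities[] = {
    {"kern", 0, 0}, {"user", 1, 0}, {"mail", 2, 0}, {"daemon", 3, 0},
    {"auth", 4, 0}, {"syslog", 5, 0}, {"lpr", 6, 0}, {"news", 7, 0},
    {"uucp", 8, 0}, {"cron", 9, 0}, {"authpriv", 10, 0}, {"ftp", 11, 0},
    {"ntp", 12, 1}, {"security", 13, 1}, {"console", 14, 1},
    {"local0", 16, 0}, {"local1", 17, 0}, {"local2", 18, 0}, {"local3", 19, 0},
    {"local4", 20, 0}, {"local5", 21, 0}, {"local6", 22, 0}, {"local7", 23, 0},
};
static const char *severities[] = {"emerg", "alert", "crit", "err",
                                   "warning", "notice", "info", "debug"};

/* Parse the leading "<PRI>"; returns 0..191, or -1 if malformed. */
int parse_pri(const char *msg)
{
    int pri = 0, digits = 0;
    if (*msg++ != '<') return -1;
    for (; *msg >= '0' && *msg <= '9' && digits < 3; digits++)
        pri = pri * 10 + (*msg++ - '0');
    return (digits == 0 || *msg != '>' || pri > 191) ? -1 : pri;
}

/* Write "facility.severity" into out. use_bsd = 0 models a table without
 * codes 12-14. Unnamed codes are written in hex: an assumed fallback,
 * chosen because 13 in hex matches the "d" in the report. */
int format_tag(const char *msg, int use_bsd, char *out, size_t len)
{
    int pri = parse_pri(msg);
    if (pri < 0) return -1;
    const char *sev = severities[pri & 7];
    for (size_t i = 0; i < sizeof facilities / sizeof facilities[0]; i++)
        if (facilities[i].code == (pri >> 3) && (use_bsd || !facilities[i].bsd))
            return snprintf(out, len, "%s.%s", facilities[i].name, sev) < 0 ? -1 : 0;
    return snprintf(out, len, "%x.%s", (unsigned)(pri >> 3), sev) < 0 ? -1 : 0;
}

int main(void)
{
    const char *line = "<110>Aug 25 10:46:43 syslog1 oink"; /* constructed sample */
    char tag[32];
    if (format_tag(line, 0, tag, sizeof tag) == 0) printf("old: <%s>\n", tag);
    if (format_tag(line, 1, tag, sizeof tag) == 0) printf("new: <%s>\n", tag);
    return 0;
}
```

Because the table is compiled in unconditionally, a collector built on a host without the BSD definitions names the facility the same way as one built on FreeBSD.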
Participants (3): Balazs Scheidler; ILLES, Marton; Jan Schaumann