facility(kern) not working? Syslog-ng 2.0.7
Hi,

I am using 2.0.7 and it seems that facility(kern) does not match messages from "logger -p kern.info". I am trying to filter kernel messages into a file but nothing goes there. Below are details of the test.

Joe.

[root@node1 ~]# cat /etc/syslog-ng/syslog-ng.conf
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
    stats_freq(2592000);
    mark_freq(0);
};

source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
    # tcp(ip(0.0.0.0) port(514));
};

template t_withsev { template("${DATE} ${HOST} ${PRI} ${PRIORITY} ${MSG}\n"); };

destination d_klog { file("/var/log/klog"); };
destination d_mesg { file("/var/log/messages" template(t_withsev)); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_mlal { usertty("*"); };

filter f_filter1 { facility(kern); };
filter f_filter2 { level(info..emerg) and not facility(mail,authpriv,cron); };
filter f_filter3 { facility(authpriv); };
filter f_filter4 { facility(mail); };
filter f_filter5 { level(emerg); };
filter f_filter6 { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_filter7 { facility(local7); };
filter f_filter8 { facility(cron); };

log { source(s_sys); filter(f_filter1); destination(d_klog); };
log { source(s_sys); filter(f_filter2); destination(d_mesg); };
log { source(s_sys); filter(f_filter3); destination(d_auth); };
log { source(s_sys); filter(f_filter4); destination(d_mail); };
log { source(s_sys); filter(f_filter5); destination(d_mlal); };
log { source(s_sys); filter(f_filter6); destination(d_spol); };
log { source(s_sys); filter(f_filter7); destination(d_boot); };
log { source(s_sys); filter(f_filter8); destination(d_cron); };

[root@node1 ~]# logger -i -p kern.info "hello from kern"
[root@node1 ~]# tail -2 /var/log/messages
Nov 17 12:40:45 dizzyfive1 189 notice syslog-ng: syslog-ng startup succeeded
Nov 17 12:41:40 dizzyfive1 14 info root[19336]: hello from kern
[root@node1 ~]# ls -l /var/log/klog
ls: /var/log/klog: No such file or directory
[root@node1 ~]#
Hi,
I am using 2.0.7 and it seems that facility(kern) does not match messages from "logger -p kern.info". I am trying to filter kernel messages into a file but nothing goes there.
[ cut ]
Nov 17 12:40:45 dizzyfive1 189 notice syslog-ng: syslog-ng startup succeeded
Nov 17 12:41:40 dizzyfive1 14 info root[19336]: hello from kern
$PRI being 14 indicates user.info, not kern.info

Regards,
Sandor

--------------------------------------------------------
NOTICE: If received in error, please destroy and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error.
OK thanks, I see that. 14 = 16 octal = facility 1 (user) severity 6 (info).

So even though I specify kern.info on the command line, the message comes through as user.info

[root@node1 ~]# logger -i -p kern.info "hello world"
[root@node1 ~]# tail -1 /var/log/messages
Nov 17 13:39:17 node1 14 info root[7402]: hello world
[root@node1 ~]#

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Geller, Sandor (IT)
Sent: 17 November 2008 13:02
To: 'Syslog-ng users' and developers' mailing list'
Subject: Re: [syslog-ng] facility(kern) not working? Syslog-ng 2.0.7

Hi,
I am using 2.0.7 and it seems that facility(kern) does not match messages from "logger -p kern.info". I am trying to filter kernel messages into a file but nothing goes there.
[ cut ]
Nov 17 12:40:45 dizzyfive1 189 notice syslog-ng: syslog-ng startup succeeded
Nov 17 12:41:40 dizzyfive1 14 info root[19336]: hello from kern
$PRI being 14 indicates user.info, not kern.info

Regards,
Sandor

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
Just wanted to record the outcome of this for posterity.

You can't use logger to generate messages with a facility of kern (zero) for test purposes. It will accept "kern" as a facility name on its command line but the messages will actually get logged with a facility of "user".

Joe.

-----Original Message-----
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Fegan, Joe
Sent: 17 November 2008 14:01
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] facility(kern) not working? Syslog-ng 2.0.7

OK thanks, I see that. 14 = 16 octal = facility 1 (user) severity 6 (info).

So even though I specify kern.info on the command line, the message comes through as user.info

[root@node1 ~]# logger -i -p kern.info "hello world"
[root@node1 ~]# tail -1 /var/log/messages
Nov 17 13:39:17 node1 14 info root[7402]: hello world
[root@node1 ~]#
Hi,

It's not logger but glibc:

    static int LogFacility = LOG_USER; /* default facility code */
    ...
    /* Set default facility if none specified. */
    if ((pri & LOG_FACMASK) == 0)
        pri |= LogFacility;

As LOG_KERN is 0 the above code sets the facility to LOG_USER.

Regards,
Sandor
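The PRI arithmetic and the facility check discussed in this thread, as an added example that is not part of any poster's message or of glibc itself. The helper names effective_pri and decode_pri are hypothetical; the facility numbering assumed is the one in Linux <syslog.h>.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h> /* LOG_KERN, LOG_USER, LOG_INFO, LOG_FACMASK, LOG_PRIMASK */

static const char *const fac_names[] = {
    "kern", "user", "mail", "daemon", "auth", "syslog",
    "lpr", "news", "uucp", "cron", "authpriv", "ftp"
};
static const char *const sev_names[] = {
    "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"
};

/* Same test as the glibc excerpt quoted in the thread: a facility of 0
 * is read as "none specified" and the default facility is OR-ed in. */
int effective_pri(int pri, int default_facility)
{
    if ((pri & LOG_FACMASK) == 0)
        pri |= default_facility;
    return pri;
}

/* Write "facility.severity" for a numeric PRI (0..191) into out.
 * Returns 0 on success, -1 if pri is outside the valid range. */
int decode_pri(int pri, char *out, size_t outlen)
{
    if (pri < 0 || pri > 191)
        return -1;
    int fac = (pri & LOG_FACMASK) >> 3;
    const char *sev = sev_names[pri & LOG_PRIMASK];
    if (fac < 12)
        snprintf(out, outlen, "%s.%s", fac_names[fac], sev);
    else if (fac < 16)
        snprintf(out, outlen, "reserved%d.%s", fac, sev);
    else
        snprintf(out, outlen, "local%d.%s", fac - 16, sev);
    return 0;
}

int main(void)
{
    /* Constructed inputs: the priority "logger -p kern.info" asks for,
     * and the two PRI values shown in the thread's /var/log/messages. */
    int samples[] = { effective_pri(LOG_KERN | LOG_INFO, LOG_USER), 14, 189 };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        decode_pri(samples[i], buf, sizeof buf);
        printf("%3d -> %s\n", samples[i], buf);
    }
    return 0;
}
```

A filter on facility(kern) only sees PRI values 0 to 7, so a test message that arrives as 14 can never match it.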
Hello,

Have you tried to define your filter as:

    program("kernel")

I am not sure if /proc/kmsg provides a facility code (PRI) with its logs. In your case the program field seems to be set as "kernel":

    file ("/proc/kmsg" log_prefix("kernel: "));

So the above filter (based on the program field) should help...

Hope it helps.

Joël

On Mon, 2008-11-17 at 12:46 +0000, Fegan, Joe wrote:
Hi,
I am using 2.0.7 and it seems that facility(kern) does not match messages from "logger -p kern.info". I am trying to filter kernel messages into a file but nothing goes there. Below are details of the test.
Joe.
participants (3)
- Fegan, Joe
- Geller, Sandor (IT)
- joël Winteregg