Fwd: [syslog-ng]Logging Remotely from Solaris to Linux

Ron Braley braley@aero.und.edu
Fri, 31 May 2002 11:27:49 -0500 

Bazsi

I've tested every facility and priority, and present the final results
of testing facilities and priorities from the Solaris box to the Linux
log host:

- The only cron facility from the Solaris box recorded at the Linux log
host was cron.emerg.  No other cron priorities would show up  at the log
host, but they did log locally OK.

- Two daemon facility priorities would not get recorded at the loghost
from the Solaris server:  daemon.info and daemon. debug.  All other
daemon priorities worked fine.

All other facilities and priorities worked fine from the Solaris box to
the Linux log host (except kern, which you addressed earlier).

All facility and priorities work fine from the Linux servers to the log
host.

Thoughts?

rb



Ron Braley
Network Team Leader - CCNP
Systems Team Leader - MCSE, CNE
University of North Dakota (Aerospace College)
braley@aero.und.edu
701-777-2964 (work) / 2940 (fax)

>>> bazsi@balabit.hu 05/31/02 02:45AM >>>
On Thu, May 30, 2002 at 09:58:23PM -0500, Ron Braley wrote:
> Hi Bazsi.
> 
> Here's where things are with the syslog-ng and Solaris vs Linux:
> 
> Using facility filters (i.e. f_cron) on the Linux box will result in
> not logging any messages from the Solaris box.  Other Linux boxes
work
> fine with the facility filters, though.

Here's the list of facilities that Solaris uses, and the same on
Linux:

Solaris:
#define LOG_KERN        (0<<3)  /* kernel messages */
#define LOG_USER        (1<<3)  /* random user-level messages */
#define LOG_MAIL        (2<<3)  /* mail system */
#define LOG_DAEMON      (3<<3)  /* system daemons */
#define LOG_AUTH        (4<<3)  /* security/authorization messages */
#define LOG_SYSLOG      (5<<3)  /* messages generated internally by
syslogd */
#define LOG_LPR         (6<<3)  /* line printer subsystem */
#define LOG_NEWS        (7<<3)  /* netnews subsystem */
#define LOG_UUCP        (8<<3)  /* uucp subsystem */
#define LOG_CRON        (15<<3) /* cron/at subsystem */
        /* other codes through 15 reserved for system use */
#define LOG_LOCAL0      (16<<3) /* reserved for local use */
#define LOG_LOCAL1      (17<<3) /* reserved for local use */
#define LOG_LOCAL2      (18<<3) /* reserved for local use */
#define LOG_LOCAL3      (19<<3) /* reserved for local use */
#define LOG_LOCAL4      (20<<3) /* reserved for local use */
#define LOG_LOCAL5      (21<<3) /* reserved for local use */
#define LOG_LOCAL6      (22<<3) /* reserved for local use */
#define LOG_LOCAL7      (23<<3) /* reserved for local use */

Linux:
#define LOG_KERN        (0<<3)  /* kernel messages */
#define LOG_USER        (1<<3)  /* random user-level messages */
#define LOG_MAIL        (2<<3)  /* mail system */
#define LOG_DAEMON      (3<<3)  /* system daemons */
#define LOG_AUTH        (4<<3)  /* security/authorization messages */
#define LOG_SYSLOG      (5<<3)  /* messages generated internally by
syslogd */
#define LOG_LPR         (6<<3)  /* line printer subsystem */
#define LOG_NEWS        (7<<3)  /* network news subsystem */
#define LOG_UUCP        (8<<3)  /* UUCP subsystem */
#define LOG_CRON        (9<<3)  /* clock daemon */
#define LOG_AUTHPRIV    (10<<3) /* security/authorization messages
(private) */
#define LOG_FTP         (11<<3) /* ftp daemon */

        /* other codes through 15 reserved for system use */
#define LOG_LOCAL0      (16<<3) /* reserved for local use */
#define LOG_LOCAL1      (17<<3) /* reserved for local use */
#define LOG_LOCAL2      (18<<3) /* reserved for local use */
#define LOG_LOCAL3      (19<<3) /* reserved for local use */
#define LOG_LOCAL4      (20<<3) /* reserved for local use */
#define LOG_LOCAL5      (21<<3) /* reserved for local use */
#define LOG_LOCAL6      (22<<3) /* reserved for local use */
#define LOG_LOCAL7      (23<<3) /* reserved for local use */

You can define facilities by their number, so if you want to select
CRON
messages from a Solaris box, you can use the filter:

filter f_cron { facility(15); };

> On a non-Solaris related issue, if I try to test the kern facility
by
> doing a command like "logger -p kern.crit TEST" nothing happens
locally
> or on the loghost.  Is there a reason why that should act
differently
> than other facilities?

kernel messages are read from a special file (/proc/kmsg on linux), I
suppose logger refuses to send a message with facility=kern from
userspace.
Try using truss on logger to see whether logger sends the message at
all.

(it does work on Linux however as strace shows)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C
8EB1

_______________________________________________
syslog-ng maillist  -  syslog-ng@lists.balabit.hu 
https://lists.balabit.hu/mailman/listinfo/syslog-ng