[syslog-ng] $facility variable not working in filename - Solaris OS

Feroz Basir feroz.basir at gmail.com
Thu Mar 6 16:07:33 CET 2014


Hi,

Thanks for replying. Yes, you are right, Solaris has no authpriv facility. If I use a filter, it still cannot determine the facility variable since Solaris has no authpriv. Are we saying that the filter will send the log to a known facility available on Solaris?



Regards,
Feroz Basir

> On 6 Mar 2014, at 02:26, <jrhendri at roadrunner.com> wrote:
> 
> It's a bit subtle (and I may not have the details exactly correct)
> 
> The facility is set by the sending server in the syslog packet, but interpreted on the receiving server according to what is defined in local system headers.
> 
> I think what you may be seeing is a remote server setting a value that the Solaris box does not have defined. (possibly authpriv, which is normally 10 or 0x0a -- but that's a total guess :-)
> 
> You might need to put in a local filter to get the logs to go to the right place.
> If I were you I would look for the local system syslog.h (there may be several places) and see what is defined locally.
> something like
> find /usr -name \*syslog\*.h -exec grep -il facility {} \;
> should get you the filename(s)
> 
> You may need to implement something like this and uncomment the appropriate line(s)
> 
> 
> ###############################
> # Facility Filters
> ################################
> 
> #filter f_kern   { facility (0); };
> #filter f_user   { facility (1); };
> filter f_mail   { facility (2); };
> #filter f_daemon { facility (3); };
> #filter f_auth   { facility (4); };
> #filter f_syslog { facility (5); };
> #filter f_lpr    { facility (6); };
> #filter f_news   { facility (7); };
> #filter f_uucp   { facility (8); };
> #filter f_audit  { facility (13); };
> #filter f_cron   { facility (15); };
> #filter f_local0 { facility (16); };
> #filter f_local1 { facility (17); };
> #filter f_local2 { facility (18); };
> #filter f_local3 { facility (19); };
> #filter f_local4 { facility (20); };
> #filter f_local5 { facility (21); };
> #filter f_local6 { facility (22); };
> #filter f_local7 { facility (23); };
> 
> 
> Best,
> Jim
> 
> 
> 
> ---- Feroz Basir <feroz.basir at gmail.com> wrote: 
>> Hi all,
>> 
>> I need some help regarding a filename that uses the $facility variable. For some reason the facility variable was set to 'a' during file naming. I don't recall having 'a' as a facility on the remote server. What could be the issue here? This only happens on the Solaris syslog-ng server. Other OSes seem OK.
>> 
>> Config sample:
>> destination d_remoteall {file ("/syslog/$sourceip@$facility@$r_year:$r_month:$r_day:" create_dirs(yes) perm(0644));};
>> 
>> Sample output:
>> 10.10.10.1@a@2014:03:05.gz
>> 
>> I'm running syslog-ng version 3.0.2.
>> 
>> Thanks.
>> 
>> Regards,
>> Feroz Basir
> 
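
Added example (not part of the original thread and not syslog-ng's own code): it decodes the <PRI> value the sender puts in each syslog packet and shows how facility 10 ends up as 'a' in the file name when the receiver has no name for it, then lists the codes that need a numeric filter. The name table, the sample lines, the function names and the lowercase-hex fallback are assumptions chosen to match the output reported above.

```python
import re

# Facility names known to the receiving host. Constructed table modelling a
# system with no name for code 10 (authpriv), as the thread reports for
# Solaris; the codes follow the filter list quoted in the thread.
LOCAL_FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 13: "audit", 15: "cron",
    **{16 + i: f"local{i}" for i in range(8)},
}

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample packets: <86> = 10*8+6 (authpriv.info), <22> = 2*8+6 (mail.info)
SAMPLE_LINES = [
    "<86>Mar  5 10:00:00 hostA sshd[123]: session opened for user example",
    "<22>Mar  5 10:00:01 hostA sendmail[456]: constructed sample message",
]

def split_pri(line):
    """Return (facility, severity) from the <PRI> prefix set by the sender."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23*8+7 is the highest PRI a standard sender can emit
        raise ValueError("PRI out of range")
    return pri >> 3, pri & 7

def facility_label(code, names=LOCAL_FACILITIES):
    # Assumption: a code with no local name is rendered as lowercase hex,
    # which is what would turn facility 10 into 'a'.
    return names.get(code, format(code, "x"))

def file_name(source_ip, line, date):
    """Mirror the $sourceip@$facility@<date> part of the destination template."""
    facility, _ = split_pri(line)
    return f"{source_ip}@{facility_label(facility)}@{date}"

def unnamed_facilities(lines, names=LOCAL_FACILITIES):
    """Facility codes seen in the input that need a numeric facility() filter."""
    return sorted({split_pri(l)[0] for l in lines} - set(names))

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(file_name("10.10.10.1", line, "2014:03:05"))
    print("codes without a local name:", unnamed_facilities(SAMPLE_LINES))
```

Each code reported by unnamed_facilities() can be given its own numeric filter in the style of the list above, for example facility (10), and routed to a destination with a fixed name instead of $facility.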

