[syslog-ng] $facility variable not working in filename - Solaris OS

jrhendri at roadrunner.com
Thu Mar 6 17:59:46 CET 2014


If you look at the filters below, I think they are filtering on facility *number* as seen in the syslog stream.

You may need to test / play with this a bit to get it right, but I think that is the direction I would look.

Jim


---- Feroz Basir <feroz.basir at gmail.com> wrote: 
> Hi,
> 
> Thanks for replying. Yes, you are right, Solaris has no authpriv facility. If I use a filter, it still cannot determine the facility variable since Solaris has no authpriv. Are we saying that the filter will send the log to a known facility available on Solaris?
> 
> 
> 
> Regards,
> Feroz Basir
> 
> > On 6 Mar 2014, at 02:26, <jrhendri at roadrunner.com> wrote:
> > 
> > It's a bit subtle (and I may not have the details exactly correct)
> > 
> > The facility is set by the sending server in the syslog packet, but interpreted on the receiving server according to what is defined in local system headers.
> > 
> > I think what you may be seeing is a remote server setting a value that the Solaris box does not have defined. (possibly authpriv, which is normally 10 or 0x0a -- but that's a total guess :-)
> > 
> > You might need to put in a local filter to get the logs to go to the right place.
> > If I were you I would look for the local system syslog.h (there may be several places) and see what is defined locally.
> > something like
> > find /usr -name \*syslog\*.h -exec grep -il facility {} \;
> > should get you the filename(s)
> > 
> > You may need to implement something like this and uncomment the appropriate line(s)
> > 
> > 
> > ###############################
> > # Facility Filters
> > ################################
> > 
> > #filter f_kern   { facility (0); };
> > #filter f_user   { facility (1); };
> > filter f_mail   { facility (2); };
> > #filter f_daemon { facility (3); };
> > #filter f_auth   { facility (4); };
> > #filter f_syslog { facility (5); };
> > #filter f_lpr    { facility (6); };
> > #filter f_news   { facility (7); };
> > #filter f_uucp   { facility (8); };
> > #filter f_audit  { facility (13); };
> > #filter f_cron   { facility (15); };
> > #filter f_local0 { facility (16); };
> > #filter f_local1 { facility (17); };
> > #filter f_local2 { facility (18); };
> > #filter f_local3 { facility (19); };
> > #filter f_local4 { facility (20); };
> > #filter f_local5 { facility (21); };
> > #filter f_local6 { facility (22); };
> > #filter f_local7 { facility (23); };
> > 
> > 
> > Best,
> > Jim
> > 
> > 
> > 
> > ---- Feroz Basir <feroz.basir at gmail.com> wrote: 
> >> Hi all,
> >> 
> >> Need some help regarding a filename that uses the $facility variable. For some reason the facility variable was set to 'a' in the file name. I don't recall having 'a' as a facility on the remote server. What could be the issue here? This only happens on the Solaris syslog-ng server. Other OSes seem ok. 
> >> 
> >> Config sample:
> >> destination d_remoteall {file ("/syslog/$sourceip@$facility@$r_year:$r_month:$r_day:" create_dirs(yes) perm(0644));};
> >> 
> >> Sample output:
> >> 10.10.10.1@a@2014:03:05.gz
> >> 
> >> I'm running syslog-ng version 3.0.2.
> >> 
> >> Thanks.
> >> 
> >> Regards,
> >> Feroz Basir
> >> ______________________________________________________________________________
> >> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> >> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> > 
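The mechanism Jim describes (facility number chosen by the sender, name looked up in the receiver's own table) can be reproduced offline. The script below is an added example, not code from the thread or from syslog-ng: it decodes the <PRI> field of a few constructed syslog lines, names the facility first against a Solaris-style table (the numbers from Jim's filter list, which has no entry for 10) and then against a Linux-style table that does have authpriv = 10, and expands the destination template from the original post. It assumes that a receiver with no name for a facility number falls back to printing that number as a hex digit, which is what turns facility 10 into the 'a' seen in the file name; the facility tables, the hex-fallback assumption and the sample lines are all constructed for the example.

```python
"""Decode syslog PRI values against two different receiver facility tables.

Added example for the syslog-ng thread above; not syslog-ng source code.
PRI = facility * 8 + severity is fixed by the *sender*; the *receiver* only
has the number and names it from whatever its local syslog.h defines.
"""
import re

# Facility numbers exactly as enumerated in the thread's filter list
# (Solaris-style table; note there is nothing at 9, 10, 11 or 12).
SOLARIS_FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 13: "audit", 15: "cron",
    **{16 + i: "local%d" % i for i in range(8)},
}

# Linux/glibc-style table for comparison (assumed, not from the thread):
# cron is 9, authpriv is 10, ftp is 11, and 13/15 carry no name.
LINUX_FACILITIES = {
    **{k: v for k, v in SOLARIS_FACILITIES.items() if k not in (13, 15)},
    9: "cron", 10: "authpriv", 11: "ftp",
}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI> of a raw syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix in %r" % line[:24])
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return pri >> 3, pri & 7


def facility_name(num, table):
    """Name a facility from the receiver's table.

    Assumption for this example: an unknown number is rendered as a bare
    hex digit, so facility 10 on a table without authpriv becomes 'a'.
    """
    return table.get(num, format(num, "x"))


def destination_path(sourceip, facility, year, month, day, table):
    """Expand the thread's template:
    /syslog/$sourceip@$facility@$r_year:$r_month:$r_day:"""
    return "/syslog/%s@%s@%04d:%02d:%02d:" % (
        sourceip, facility_name(facility, table), year, month, day)


def numeric_filter(facility):
    """syslog-ng filter keyed on the facility *number*, which does not depend
    on the receiving host having a name for it (Jim's suggestion)."""
    return "filter f_fac%d { facility(%d); };" % (facility, facility)


# Constructed sample traffic, not captured data.
SAMPLE_LINES = [
    ("10.10.10.1", "<86>Mar  6 17:59:46 linuxhost sshd[1234]: Accepted publickey for feroz"),
    ("10.10.10.1", "<13>Mar  6 17:59:47 linuxhost logger: hello"),
    ("10.10.10.2", "<150>Mar  6 17:59:48 router01 %SYS-5-CONFIG_I: Configured from console"),
]


def rendered_paths(samples, table, year=2014, month=3, day=5):
    """Map each (sourceip, line) to the file the template would open."""
    out = []
    for ip, line in samples:
        fac, _sev = parse_pri(line)
        out.append(destination_path(ip, fac, year, month, day, table))
    return out


if __name__ == "__main__":
    for label, table in (("Solaris", SOLARIS_FACILITIES), ("Linux", LINUX_FACILITIES)):
        print("--", label, "table --")
        for path in rendered_paths(SAMPLE_LINES, table):
            print(path)
    print(numeric_filter(10))
```

Running it shows the same sshd line landing in `/syslog/10.10.10.1@a@2014:03:05:` with the Solaris-style table and in `/syslog/10.10.10.1@authpriv@2014:03:05:` with the Linux-style one, while the user and local2 lines are named identically on both. The `numeric_filter` output is the kind of number-keyed filter Jim's list uses; routing on `facility(10)` works whether or not the receiving host's headers know the name.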


