[syslog-ng] $facility variable not working in filename - Solaris OS

Feroz Basir feroz.basir at gmail.com
Thu Mar 6 19:20:57 CET 2014


Hi,

Just got me thinking. I did use a filter by facility and inserted the facility variable in the filename. Due to this, I'm still going to get 'a' from the facility variable. Why does it use 'a' instead of another facility? Maybe due to the authpriv facility from the remote server.

How do I change 'a' to a more meaningful name for the facility then?

Regards,
Feroz Basir

> On 7 Mar 2014, at 00:59, <jrhendri at roadrunner.com> wrote:
> 
> If you look at the filters below, I think they are filtering on facility *number* as seen in the syslog stream.
> 
> You may need to test / play with this a bit to get it right, but I think that is the direction I would look.
> 
> Jim
> 
> 
> ---- Feroz Basir <feroz.basir at gmail.com> wrote: 
>> Hi,
>> 
>> Thanks for replying. Yes, you are right: Solaris has no authpriv facility. If I use a filter, it still cannot determine the facility variable since Solaris has no authpriv. Are we saying that the filter will send the log to a known facility available on Solaris?
>> 
>> 
>> 
>> Regards,
>> Feroz Basir
>> 
>>> On 6 Mar 2014, at 02:26, <jrhendri at roadrunner.com> wrote:
>>> 
>>> It's a bit subtle (and I may not have the details exactly correct).
>>> 
>>> The facility is set by the sending server in the syslog packet, but interpreted on the receiving server according to what is defined in local system headers.
>>> 
>>> I think what you may be seeing is a remote server setting a value that the Solaris box does not have defined. (possibly authpriv, which is normally 10 or 0x0a -- but that's a total guess :-)
>>> 
>>> You might need to put in a local filter to get the logs to go to the right place.
>>> If I were you I would look for the local system syslog.h (there may be several places) and see what is defined locally.
>>> something like
>>> find /usr -name \*syslog\*.h -exec grep -il facility {} \;
>>> should get you the filename(s)
>>> 
>>> You may need to implement something like this and uncomment the appropriate line(s)
>>> 
>>> 
>>> ###############################
>>> # Facility Filters
>>> ################################
>>> 
>>> #filter f_kern   { facility (0); };
>>> #filter f_user   { facility (1); };
>>> filter f_mail   { facility (2); };
>>> #filter f_daemon { facility (3); };
>>> #filter f_auth   { facility (4); };
>>> #filter f_syslog { facility (5); };
>>> #filter f_lpr    { facility (6); };
>>> #filter f_news   { facility (7); };
>>> #filter f_uucp   { facility (8); };
>>> #filter f_audit  { facility (13); };
>>> #filter f_cron   { facility (15); };
>>> #filter f_local0 { facility (16); };
>>> #filter f_local1 { facility (17); };
>>> #filter f_local2 { facility (18); };
>>> #filter f_local3 { facility (19); };
>>> #filter f_local4 { facility (20); };
>>> #filter f_local5 { facility (21); };
>>> #filter f_local6 { facility (22); };
>>> #filter f_local7 { facility (23); };
>>> 
>>> 
>>> Best,
>>> Jim
>>> 
>>> 
>>> 
>>> ---- Feroz Basir <feroz.basir at gmail.com> wrote: 
>>>> Hi all,
>>>> 
>>>> Need some help regarding a filename that uses the $facility variable. For some reason the facility variable was set to 'a' during file naming. I don't recall having 'a' as a facility on the remote server. What could be the issue here? This only happens on the Solaris syslog-ng server. Other OSes seem ok.
>>>> 
>>>> Config sample:
>>>> destination d_remoteall {file ("/syslog/$sourceip@$facility@$r_year:$r_month:$r_day:" create_dirs(yes) perm(0644));};
>>>> 
>>>> Sample output:
>>>> 10.10.10.1@a@2014:03:05.gz
>>>> 
>>>> I'm running syslog-ng version 3.0.2.
>>>> 
>>>> Thanks.
>>>> 
>>>> Regards,
>>>> Feroz Basir
>>>> ______________________________________________________________________________
>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> 


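The following is an added illustration of the facility arithmetic discussed in this thread; it is not code from any of the participants. It decodes the `<PRI>` prefix of a BSD-style syslog line into facility and severity numbers, then resolves the facility name twice: once against the RFC 3164 table (which has authpriv at 10) and once against the facility numbers from the Solaris filter block Jim posted (which has no entry at 10). The fallback of rendering an unknown facility number as a bare hex string is an assumption about how the `$facility` macro behaves; it is consistent with Jim's "0x0a" guess and with the `a` seen in the filename, but the thread does not confirm it. The sample log lines, the source IP and the date are constructed.

```python
import re

# RFC 3164 facility numbers with the conventional syslog.h names.
RFC3164_FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
    **{16 + i: "local%d" % i for i in range(8)},
}

# Facility numbers taken from the filter block posted in this thread
# (Solaris syslog.h): nothing at 10, audit at 13, cron at 15.
SOLARIS_FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 13: "audit", 15: "cron",
    **{16 + i: "local%d" % i for i in range(8)},
}

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample lines: authpriv.info, auth.info and local4.info.
SAMPLE_LINES = [
    "<86>Mar  5 10:00:00 webhost sshd[4242]: Accepted publickey for ops from 10.10.10.1",
    "<38>Mar  5 10:00:01 webhost login[4300]: ROOT LOGIN ON console",
    "<166>Mar  5 10:00:02 webhost app[4400]: request handled in 12 ms",
]


def parse_pri(line):
    """Return (facility, severity) decoded from the <PRI> prefix.

    PRI = facility * 8 + severity, so facility is PRI >> 3 and
    severity is PRI & 7. Values above 191 are not valid (facility 23 max).
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix on line: %r" % line[:20])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri >> 3, pri & 7


def facility_name(facility, table):
    """Look the facility number up in the receiver's table.

    ASSUMPTION: an unknown number is rendered as an unpadded hex string,
    which is how facility 10 would come out as 'a'.
    """
    return table.get(facility, format(facility, "x"))


def destination_path(source_ip, line, table, day):
    """Rebuild the path that the thread's template would produce.

    Mirrors "/syslog/$sourceip@$facility@$r_year:$r_month:$r_day" with a
    (year, month, day) tuple standing in for the date macros.
    """
    fac, _sev = parse_pri(line)
    year, month, dom = day
    return "/syslog/%s@%s@%04d:%02d:%02d" % (
        source_ip, facility_name(fac, table), year, month, dom)


def explain(line, table):
    """Human-readable facility.severity for one line under a given table."""
    fac, sev = parse_pri(line)
    return "%s.%s (facility %d)" % (facility_name(fac, table), SEVERITIES[sev], fac)


if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print("RFC 3164:", explain(ln, RFC3164_FACILITIES))
        print("Solaris :", explain(ln, SOLARIS_FACILITIES))
        print("path    :", destination_path("10.10.10.1", ln, SOLARIS_FACILITIES, (2014, 3, 5)))
        print()
```

Running it against the Solaris table shows the first sample line landing in `/syslog/10.10.10.1@a@2014:03:05` while the same line resolves to `authpriv` under RFC 3164, which is the symptom the thread describes. For a receiver that lacks the name, a `filter { facility(10); }` keyed on the number, as Jim suggests, still matches those messages, so they can be routed to a destination with an explicit, readable name rather than one built from `$facility`.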