[syslog-ng] $facility variable not working in filename - Solaris OS

Balazs Scheidler bazsi77 at gmail.com
Thu Mar 6 20:50:34 CET 2014


If I understand you correctly you used a custom name-value pair in the
message (called facility in lower case, syslog-ng has  a similar macro
named FACILITY in upper case).

You can initialize this value using $FACILITY and then use a conditional
rewrite.

set('authpriv' value('facility') condition(facility(10)));

You should probably use a less confusing name for this purpose though.
On Mar 6, 2014 7:21 PM, "Feroz Basir" <feroz.basir at gmail.com> wrote:

> Hi,
>
> Just got me thinking. I did use filter by facility and insert facility
> variable on the filename. Due to this, I still going to get 'a' from
> facility variable. Why it uses 'a' instead of other facility? maybe due to
> authpriv facility from remote server.
>
> How do I change 'a' to more meaningful name for facility then?"
>
> Regards,
> Feroz Basir
>
> > On 7 Mar 2014, at 00:59, <jrhendri at roadrunner.com> wrote:
> >
> > If you look at the filters below, I think they are filtering on facility
> *number* as seen in the syslog stream.
> >
> > You may need to test / play with this a bit to get it right, but I think
> that is the direction I would look.
> >
> > Jim
> >
> >
> > ---- Feroz Basir <feroz.basir at gmail.com> wrote:
> >> Hi,
> >>
> >> Thanks for replying. Yes, you are right Solaris has no authpriv
> facility. If I use filter, it still cannot determine the facility variable
> since Solaris has no authpriv. Are we saying that the filter will send the
> log to known facility available on Solaris?
> >>
> >>
> >>
> >> Regards,
> >> Feroz Basir
> >>
> >>> On 6 Mar 2014, at 02:26, <jrhendri at roadrunner.com> wrote:
> >>>
> >>> It's a bit subtle (and I may not have the details exactly correct)
> >>>
> >>> The facility is set by the sending server in the syslog packet, but
> interpreted on the receiving server according to what is defined in local
> system headers.
> >>>
> >>> I think what you may be seeing is a remote server setting a value that
> the Solaris box does not have defined. (possibly authpriv, which is
> normally 10 or 0x0a -- but that's a total guess :-)
> >>>
> >>> You might need to put in a local filter to get the logs to go to the
> right place.
> >>> If I were you I would look for the local system syslog.h (there may be
> several places) and see what is defined locally.
> >>> something like
> >>> find /usr -name \*syslog\*.h -exec grep -il facility {} \;
> >>> should get you the filename(s)
> >>>
> >>> You may need to implement something like this and uncommend the
> appropriate line(s)
> >>>
> >>>
> >>> ###############################
> >>> # Facility Filters
> >>> ################################
> >>>
> >>> #filter f_kern   { facility (0); };
> >>> #filter f_user   { facility (1); };
> >>> filter f_mail   { facility (2); };
> >>> #filter f_daemon { facility (3); };
> >>> #filter f_auth   { facility (4); };
> >>> #filter f_syslog { facility (5); };
> >>> #filter f_lpr    { facility (6); };
> >>> #filter f_news   { facility (7); };
> >>> #filter f_uucp   { facility (8); };
> >>> #filter f_audit  { facility (13); };
> >>> #filter f_cron   { facility (15); };
> >>> #filter f_local0 { facility (16); };
> >>> #filter f_local1 { facility (17); };
> >>> #filter f_local2 { facility (18); };
> >>> #filter f_local3 { facility (19); };
> >>> #filter f_local4 { facility (20); };
> >>> #filter f_local5 { facility (21); };
> >>> #filter f_local6 { facility (22); };
> >>> #filter f_local7 { facility (23); };
> >>>
> >>>
> >>> Best,
> >>> Jim
> >>>
> >>>
> >>>
> >>> ---- Feroz Basir <feroz.basir at gmail.com> wrote:
> >>>> Hi all,
> >>>>
> >>>> Need some help regarding filename that use $facility variable. For
> some reason the facility variable was set to 'a' during file naming
> convention. I don't recall to have 'a' as a facility on remote server. What
> could be the issue here? This only happen on Solaris syslog-ng server.
> Others OS seem ok.
> >>>>
> >>>> Config sample:
> >>>> destination d_remoteall {file ("/syslog/$sourceip@$facility@$r_year:$r_month:$r_day:"
> create_dirs(yes) perm(0644));};
> >>>>
> >>>> Sample output:
> >>>> 10.10.10.1 at a@2014:03:05.gz
> >>>>
> >>>> I'm running syslog-ng version 3.0.2.
> >>>>
> >>>> Thanks.
> >>>>
> >>>> Regards,
> >>>> Feroz Basir
> >>>>
> ______________________________________________________________________________
> >>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >>>> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> >>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20140306/8f17a2f1/attachment-0001.htm 


More information about the syslog-ng mailing list