[syslog-ng] $facility variable not working in filename - Solaris OS

Jim Hendrick jrhendri at roadrunner.com
Fri Mar 7 01:42:59 CET 2014


I suppose you could force it to write logs that match that facility
filter to a different destination where that destination hard codes
whatever name you want for that facility.

Jim

On 03/06/2014 07:02 PM, Feroz Basir wrote:
> Hi,
>
> I didn't use any custom name. I used the $FACILITY variable in my
> filename. As I stated in my first email, for some reason this variable
> got a value of 'a'. Then Jim suggested that this is because Solaris OS
> doesn't have the authpriv facility defined. He was right about that. Jim
> also suggested that I use a filter to write to the appropriate file. I did
> use a filter to separate my log messages based on facility. So I'm back
> to the original problem where I'm still going to get the $FACILITY variable as 'a'.
>
> As you suggested, I can use a conditional rewrite to rename the
> $FACILITY variable. I think this would work by the look of it. Will
> test it first. Does this setting apply globally, or can it be based on OS
> type, in this case if the messages are coming from Solaris OS?
>
> Thank you.
>
> Regards,
> Feroz Basir
>
> On 7 Mar 2014, at 03:50, Balazs Scheidler <bazsi77 at gmail.com> wrote:
>
>> If I understand you correctly you used a custom name-value pair in
>> the message (called facility in lower case; syslog-ng has a similar
>> macro named FACILITY in upper case).
>>
>> You can initialize this value using $FACILITY and then use a
>> conditional rewrite.
>>
>> set('authpriv' value('facility') condition(facility(10)));
>>
>> You should probably use a less confusing name for this purpose though.
>>
>> On Mar 6, 2014 7:21 PM, "Feroz Basir" <feroz.basir at gmail.com> wrote:
>>
>>     Hi,
>>
>>     Just got me thinking. I did use a filter by facility and inserted the
>>     facility variable in the filename. Due to this, I'm still going to
>>     get 'a' from the facility variable. Why does it use 'a' instead of another
>>     facility? Maybe due to the authpriv facility from the remote server.
>>
>>     How do I change 'a' to a more meaningful name for the facility then?
>>
>>     Regards,
>>     Feroz Basir
>>
>>     > On 7 Mar 2014, at 00:59, <jrhendri at roadrunner.com> wrote:
>>     >
>>     > If you look at the filters below, I think they are filtering on
>>     facility *number* as seen in the syslog stream.
>>     >
>>     > You may need to test / play with this a bit to get it right,
>>     but I think that is the direction I would look.
>>     >
>>     > Jim
>>     >
>>     >
>>     > ---- Feroz Basir <feroz.basir at gmail.com> wrote:
>>     >> Hi,
>>     >>
>>     >> Thanks for replying. Yes, you are right, Solaris has no
>>     authpriv facility. If I use a filter, it still cannot determine the
>>     facility variable since Solaris has no authpriv. Are we saying
>>     that the filter will send the log to a known facility available on
>>     Solaris?
>>     >>
>>     >>
>>     >>
>>     >> Regards,
>>     >> Feroz Basir
>>     >>
>>     >>> On 6 Mar 2014, at 02:26, <jrhendri at roadrunner.com> wrote:
>>     >>>
>>     >>> It's a bit subtle (and I may not have the details exactly
>>     correct)
>>     >>>
>>     >>> The facility is set by the sending server in the syslog
>>     packet, but interpreted on the receiving server according to what
>>     is defined in local system headers.
>>     >>>
>>     >>> I think what you may be seeing is a remote server setting a
>>     value that the Solaris box does not have defined. (possibly
>>     authpriv, which is normally 10 or 0x0a -- but that's a total
>>     guess :-)
>>     >>>
>>     >>> You might need to put in a local filter to get the logs to go
>>     to the right place.
>>     >>> If I were you I would look for the local system syslog.h
>>     (there may be several places) and see what is defined locally.
>>     >>> something like
>>     >>> find /usr -name \*syslog\*.h -exec grep -il facility {} \;
>>     >>> should get you the filename(s)
>>     >>>
>>     >>> You may need to implement something like this and uncomment
>>     the appropriate line(s)
>>     >>>
>>     >>>
>>     >>> ###############################
>>     >>> # Facility Filters
>>     >>> ################################
>>     >>>
>>     >>> #filter f_kern   { facility (0); };
>>     >>> #filter f_user   { facility (1); };
>>     >>> filter f_mail   { facility (2); };
>>     >>> #filter f_daemon { facility (3); };
>>     >>> #filter f_auth   { facility (4); };
>>     >>> #filter f_syslog { facility (5); };
>>     >>> #filter f_lpr    { facility (6); };
>>     >>> #filter f_news   { facility (7); };
>>     >>> #filter f_uucp   { facility (8); };
>>     >>> #filter f_audit  { facility (13); };
>>     >>> #filter f_cron   { facility (15); };
>>     >>> #filter f_local0 { facility (16); };
>>     >>> #filter f_local1 { facility (17); };
>>     >>> #filter f_local2 { facility (18); };
>>     >>> #filter f_local3 { facility (19); };
>>     >>> #filter f_local4 { facility (20); };
>>     >>> #filter f_local5 { facility (21); };
>>     >>> #filter f_local6 { facility (22); };
>>     >>> #filter f_local7 { facility (23); };
>>     >>>
>>     >>>
>>     >>> Best,
>>     >>> Jim
>>     >>>
>>     >>>
>>     >>>
>>     >>> ---- Feroz Basir <feroz.basir at gmail.com> wrote:
>>     >>>> Hi all,
>>     >>>>
>>     >>>> Need some help regarding a filename that uses the $facility
>>     variable. For some reason the facility variable was set to 'a'
>>     during file naming. I don't recall having 'a' as a
>>     facility on the remote server. What could be the issue here? This
>>     only happens on the Solaris syslog-ng server. Other OSes seem ok.
>>     >>>>
>>     >>>> Config sample:
>>     >>>> destination d_remoteall {file
>>     ("/syslog/$sourceip@$facility@$r_year:$r_month:$r_day:"
>>     create_dirs(yes) perm(0644));};
>>     >>>>
>>     >>>> Sample output:
>>     >>>> 10.10.10.1 at a@2014:03:05.gz
>>     >>>>
>>     >>>> I'm running syslog-ng version 3.0.2.
>>     >>>>
>>     >>>> Thanks.
>>     >>>>
>>     >>>> Regards,
>>     >>>> Feroz Basir
>>     >>>>
>>     ______________________________________________________________________________
>>     >>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>     >>>> Documentation:
>>     http://www.balabit.com/support/documentation/?product=syslog-ng
>>     >>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>
>
>
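A worked illustration of the mechanism Jim describes (the facility number travels in the syslog PRI field, and the name is assigned by the receiver's own table), added here as an editor's example and not code from the thread or from syslog-ng. The Solaris table is constructed from the filter list above (audit=13, cron=15, no authpriv) and the filename layout follows the thread's destination template; an unknown facility number gets an unambiguous numeric placeholder instead of a one-character surprise.

```python
import re

# Facility tables as the RECEIVING host defines them. The Solaris table is
# constructed from the filter list in the thread (audit=13, cron=15, no
# authpriv); the standard table follows RFC 3164 and has authpriv at 10.
_LOCAL = {16 + i: "local%d" % i for i in range(8)}
STANDARD_FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    **_LOCAL,
}
SOLARIS_FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 13: "audit", 15: "cron",
    **_LOCAL,
}

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Split the <PRI> prefix of a BSD syslog line into (facility, severity).
    PRI = facility * 8 + severity: only the sender's facility NUMBER is on
    the wire, so the receiver must map it to a name itself."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI %d out of range" % pri)
    return pri >> 3, pri & 7


def facility_name(facility, table):
    """Name a facility the way the receiver would; a number missing from the
    receiver's table gets a numeric placeholder rather than an odd name."""
    return table.get(facility, "facility%d" % facility)


def log_filename(line, table, source_ip, year, month, day):
    """Build the per-facility path from the thread's destination template."""
    facility, _severity = parse_pri(line)
    return "/syslog/%s@%s@%s:%s:%s" % (
        source_ip, facility_name(facility, table), year, month, day)


# Constructed sample: facility 10 (authpriv), severity 6 (info) -> PRI 86.
SAMPLE_LINE = "<86>Mar  5 10:00:00 host1 sshd[1234]: Accepted publickey for ops"
```

Running log_filename over SAMPLE_LINE with the two tables shows the same packet landing in an authpriv file on one receiver and a facility10 file on the Solaris-style one, which is the behaviour the thread is chasing.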
