[syslog-ng] $facility variable not working in filename - Solaris OS

Jim Hendrick jrhendri at roadrunner.com
Fri Mar 7 14:03:25 CET 2014


One other thing - the FACILITY variable can only get the name from two
places - the OS (which you already know doesn't have the text string
defined) or a redefinition by syslog-ng (as Balazs suggested).

That explains why you do not see the text you would on another OS.

Where the "a" comes from I am not certain (I am not familiar with the
syslog-ng source code myself), but I suspect it is simply whatever
gets parsed out of the packet.

You could examine the packets with tcpdump or Wireshark and see what
exactly is coming across in what position, then try to figure out how
that is mapped in the source code for syslog-ng.

It might be something as simple as decimal 10 being 0x0a, but that is a
completely wild guess on my part :-) since it doesn't map to ASCII "a"...

Jim


On 03/06/2014 07:02 PM, Feroz Basir wrote:
> Hi,
>
> I didn't use any custom name. I used the $FACILITY variable in my
> filename. As I stated in my first email, for some reason this variable
> got a value of 'a'. Then Jim suggested that this is due to Solaris OS
> not having the authpriv facility defined. He was right about that. Jim
> also suggested that I use a filter to write to the appropriate file. I did
> use a filter to separate my log messages based on facility. So I'm back
> to the original problem where I am still going to get the $FACILITY variable as 'a'.
>
> As you suggested, I can use a conditional rewrite to rename the
> $FACILITY variable. I think this would work by the look of it. Will
> test it first. Does this setting apply globally, or can it be based on OS
> type, in this case if the messages are coming from Solaris OS?
>
> Thank you.
>
> Regards,
> Feroz Basir
>
> On 7 Mar 2014, at 03:50, Balazs Scheidler <bazsi77 at gmail.com
> <mailto:bazsi77 at gmail.com>> wrote:
>
>> If I understand you correctly you used a custom name-value pair in
>> the message (called facility in lower case; syslog-ng has a similar
>> macro named FACILITY in upper case).
>>
>> You can initialize this value using $FACILITY and then use a
>> conditional rewrite.
>>
>> set('authpriv' value('facility') condition(facility(10)));
>>
>> You should probably use a less confusing name for this purpose though.
>>
>> On Mar 6, 2014 7:21 PM, "Feroz Basir" <feroz.basir at gmail.com
>> <mailto:feroz.basir at gmail.com>> wrote:
>>
>>     Hi,
>>
>>     Just got me thinking. I did use a filter by facility and inserted the
>>     facility variable in the filename. Due to this, I am still going to
>>     get 'a' from the facility variable. Why does it use 'a' instead of another
>>     facility? Maybe due to the authpriv facility from the remote server.
>>
>>     How do I change 'a' to a more meaningful name for the facility then?
>>
>>     Regards,
>>     Feroz Basir
>>
>>     > On 7 Mar 2014, at 00:59, <jrhendri at roadrunner.com
>>     <mailto:jrhendri at roadrunner.com>> wrote:
>>     >
>>     > If you look at the filters below, I think they are filtering on
>>     facility *number* as seen in the syslog stream.
>>     >
>>     > You may need to test / play with this a bit to get it right,
>>     but I think that is the direction I would look.
>>     >
>>     > Jim
>>     >
>>     >
>>     > ---- Feroz Basir <feroz.basir at gmail.com
>>     <mailto:feroz.basir at gmail.com>> wrote:
>>     >> Hi,
>>     >>
>>     >> Thanks for replying. Yes, you are right, Solaris has no
>>     authpriv facility. If I use a filter, it still cannot determine the
>>     facility variable since Solaris has no authpriv. Are we saying
>>     that the filter will send the log to a known facility available on
>>     Solaris?
>>     >>
>>     >>
>>     >>
>>     >> Regards,
>>     >> Feroz Basir
>>     >>
>>     >>> On 6 Mar 2014, at 02:26, <jrhendri at roadrunner.com
>>     <mailto:jrhendri at roadrunner.com>> wrote:
>>     >>>
>>     >>> It's a bit subtle (and I may not have the details exactly
>>     correct)
>>     >>>
>>     >>> The facility is set by the sending server in the syslog
>>     packet, but interpreted on the receiving server according to what
>>     is defined in local system headers.
>>     >>>
>>     >>> I think what you may be seeing is a remote server setting a
>>     value that the Solaris box does not have defined. (possibly
>>     authpriv, which is normally 10 or 0x0a -- but that's a total
>>     guess :-)
>>     >>>
>>     >>> You might need to put in a local filter to get the logs to go
>>     to the right place.
>>     >>> If I were you I would look for the local system syslog.h
>>     (there may be several places) and see what is defined locally.
>>     >>> something like
>>     >>> find /usr -name \*syslog\*.h -exec grep -il facility {} \;
>>     >>> should get you the filename(s)
>>     >>>
>>     >>> You may need to implement something like this and uncomment
>>     the appropriate line(s)
>>     >>>
>>     >>>
>>     >>> ###############################
>>     >>> # Facility Filters
>>     >>> ################################
>>     >>>
>>     >>> #filter f_kern   { facility (0); };
>>     >>> #filter f_user   { facility (1); };
>>     >>> filter f_mail   { facility (2); };
>>     >>> #filter f_daemon { facility (3); };
>>     >>> #filter f_auth   { facility (4); };
>>     >>> #filter f_syslog { facility (5); };
>>     >>> #filter f_lpr    { facility (6); };
>>     >>> #filter f_news   { facility (7); };
>>     >>> #filter f_uucp   { facility (8); };
>>     >>> #filter f_audit  { facility (13); };
>>     >>> #filter f_cron   { facility (15); };
>>     >>> #filter f_local0 { facility (16); };
>>     >>> #filter f_local1 { facility (17); };
>>     >>> #filter f_local2 { facility (18); };
>>     >>> #filter f_local3 { facility (19); };
>>     >>> #filter f_local4 { facility (20); };
>>     >>> #filter f_local5 { facility (21); };
>>     >>> #filter f_local6 { facility (22); };
>>     >>> #filter f_local7 { facility (23); };
>>     >>>
>>     >>>
>>     >>> Best,
>>     >>> Jim
>>     >>>
>>     >>>
>>     >>>
>>     >>> ---- Feroz Basir <feroz.basir at gmail.com
>>     <mailto:feroz.basir at gmail.com>> wrote:
>>     >>>> Hi all,
>>     >>>>
>>     >>>> Need some help regarding a filename that uses the $facility
>>     variable. For some reason the facility variable was set to 'a'
>>     in the file naming convention. I don't recall having 'a' as a
>>     facility on the remote server. What could be the issue here? This
>>     only happens on the Solaris syslog-ng server. Other OSes seem ok.
>>     >>>>
>>     >>>> Config sample:
>>     >>>> destination d_remoteall { file("/syslog/$sourceip@$facility@$r_year:$r_month:$r_day:" create_dirs(yes) perm(0644)); };
>>     >>>>
>>     >>>> Sample output:
>>     >>>> 10.10.10.1@a@2014:03:05.gz
>>     >>>>
>>     >>>> I'm running syslog-ng version 3.0.2.
>>     >>>>
>>     >>>> Thanks.
>>     >>>>
>>     >>>> Regards,
>>     >>>> Feroz Basir
>>     >>>>
>>     >>>> ______________________________________________________________________________
>>     >>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>     >>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>     >>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>     >
>>
>>
>
>
>

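Putting the thread's pieces together (Jim's point that the facility name is resolved from the receiving OS's headers, and Balazs's conditional rewrite), here is a complete receiver-side configuration for the Solaris syslog-ng server. This is an added example, not configuration from any of the posts above. The source definition, the name-value pair name facname and the log path are my assumptions; the comments about how $FACILITY falls back to a hex number reflect my reading of syslog-ng's macro expansion code, so verify them against your own 3.0.2 build before relying on them.

```conf
@version: 3.0

# Network source for the remote hosts (addresses and ports are assumptions).
source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

# Build our own facility name instead of relying on $FACILITY in the filename.
# $FACILITY is looked up in a table that syslog-ng builds from the local
# <syslog.h> at compile time. Solaris does not define LOG_AUTHPRIV (10) or
# LOG_FTP (11), so those entries are missing, and when the lookup fails the
# macro prints the facility number in hexadecimal: 10 -> "a", 11 -> "b".
# The rewrite below copies $FACILITY for every message, then patches the two
# gaps. The numeric form facility(10) is required here: facility(authpriv)
# is likely to be rejected at parse time on a host whose headers lack the name.
rewrite r_facname {
    set("$FACILITY" value("facname"));
    set("authpriv"  value("facname") condition(facility(10)));
    set("ftp"       value("facname") condition(facility(11)));
};

# Same layout as the original destination, using ${facname} in place of
# $facility. Braces make the macro boundaries explicit next to the '@' signs.
destination d_remoteall {
    file("/syslog/${SOURCEIP}@${facname}@${R_YEAR}:${R_MONTH}:${R_DAY}"
         create_dirs(yes) perm(0644));
};

# The rewrite must run before the destination so ${facname} is set when the
# filename template is expanded.
log {
    source(s_net);
    rewrite(r_facname);
    destination(d_remoteall);
};
```

The rewrite is keyed on the facility number alone, so it needs no per-sender or per-OS condition: the lookup that produces 'a' happens on the receiving Solaris host, whatever operating system sent the message. If you do want to restrict it, condition() accepts an ordinary filter expression, for example condition(facility(10) and netmask("10.10.10.0/24")). The pair is deliberately not called facility, following Balazs's advice, so nobody later confuses it with the built-in $FACILITY macro.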