[syslog-ng] Reg; Syslog-ng does not recognize the audit facility

Justin Kala justinkala at gmail.com
Tue Jul 28 20:08:24 CEST 2015


I see the AUDIT facility defined in /usr/include/sys/syslog.h on the syslog-ng
server side and on the sending server as well.

#define LOG_KERN        (0<<3)  /* kernel messages */
#define LOG_USER        (1<<3)  /* random user-level messages */
#define LOG_MAIL        (2<<3)  /* mail system */
#define LOG_DAEMON      (3<<3)  /* system daemons */
#define LOG_AUTH        (4<<3)  /* security/authorization messages */
#define LOG_SYSLOG      (5<<3)  /* messages generated internally by syslogd */
#define LOG_LPR         (6<<3)  /* line printer subsystem */
#define LOG_NEWS        (7<<3)  /* netnews subsystem */
#define LOG_UUCP        (8<<3)  /* uucp subsystem */
#define LOG_AUDIT       (13<<3) /* audit subsystem */
#define LOG_CRON        (15<<3) /* cron/at subsystem */

On Tue, Jul 28, 2015 at 12:41 PM, Evan Rempel <erempel at uvic.ca> wrote:

>  Can you look at the syslog facility definitions
>
> /usr/include/sys/syslog.h
>
> or
>
> /usr/include/syslog.h
>
> to see if audit is a defined facility?
>
>
>
> On 07/28/2015 09:32 AM, Justin Kala wrote:
>
> Hi Evan, thanks for the reply, but both sending and receiving servers are
> the same OS: Solaris 10.
> On Jul 28, 2015 12:18 PM, "Evan Rempel" <erempel at uvic.ca> wrote:
>
>>  Well, that is probably because the host where syslog-ng was compiled is
>> a different OS than that where the "audit" facility log line was created.
>>
>> For instance, on a Linux host, the syslog.h file from the system only has
>> these facilities defined.
>>
>> CODE facilitynames[] =
>>   {
>>     { "auth", LOG_AUTH },
>>     { "authpriv", LOG_AUTHPRIV },
>>     { "cron", LOG_CRON },
>>     { "daemon", LOG_DAEMON },
>>     { "ftp", LOG_FTP },
>>     { "kern", LOG_KERN },
>>     { "lpr", LOG_LPR },
>>     { "mail", LOG_MAIL },
>>     { "mark", INTERNAL_MARK },          /* INTERNAL */
>>     { "news", LOG_NEWS },
>>     { "security", LOG_AUTH },           /* DEPRECATED */
>>     { "syslog", LOG_SYSLOG },
>>     { "user", LOG_USER },
>>     { "uucp", LOG_UUCP },
>>     { "local0", LOG_LOCAL0 },
>>     { "local1", LOG_LOCAL1 },
>>     { "local2", LOG_LOCAL2 },
>>     { "local3", LOG_LOCAL3 },
>>     { "local4", LOG_LOCAL4 },
>>     { "local5", LOG_LOCAL5 },
>>     { "local6", LOG_LOCAL6 },
>>     { "local7", LOG_LOCAL7 },
>>     { NULL, -1 }
>>   };
>>
>>
>> with values of
>>
>> /* facility codes */
>> #define LOG_KERN        (0<<3)  /* kernel messages */
>> #define LOG_USER        (1<<3)  /* random user-level messages */
>> #define LOG_MAIL        (2<<3)  /* mail system */
>> #define LOG_DAEMON      (3<<3)  /* system daemons */
>> #define LOG_AUTH        (4<<3)  /* security/authorization messages */
>> #define LOG_SYSLOG      (5<<3)  /* messages generated internally by syslogd */
>> #define LOG_LPR         (6<<3)  /* line printer subsystem */
>> #define LOG_NEWS        (7<<3)  /* network news subsystem */
>> #define LOG_UUCP        (8<<3)  /* UUCP subsystem */
>> #define LOG_CRON        (9<<3)  /* clock daemon */
>> #define LOG_AUTHPRIV    (10<<3) /* security/authorization messages (private) */
>> #define LOG_FTP         (11<<3) /* ftp daemon */
>>
>>         /* other codes through 15 reserved for system use */
>> #define LOG_LOCAL0      (16<<3) /* reserved for local use */
>> #define LOG_LOCAL1      (17<<3) /* reserved for local use */
>> #define LOG_LOCAL2      (18<<3) /* reserved for local use */
>> #define LOG_LOCAL3      (19<<3) /* reserved for local use */
>> #define LOG_LOCAL4      (20<<3) /* reserved for local use */
>> #define LOG_LOCAL5      (21<<3) /* reserved for local use */
>> #define LOG_LOCAL6      (22<<3) /* reserved for local use */
>> #define LOG_LOCAL7      (23<<3) /* reserved for local use */
>>
>>
>> so there is no audit facility.
>>
>> Hope that explains it.
>>
>>
>> On 07/28/2015 09:08 AM, Justin Kala wrote:
>>
>>
>> Hi
>>
>>  Syslog-ng is unable to recognize the facility audit. When I put the filter
>> as audit and restart syslog-ng, it errors out. When I put the facility code
>> as 13, it does not error on restarting the service, but it does not capture
>> the syslog messages received through this filter code 13 either.
>>
>>  Please advise.
>> --
>>  Kaladhar
>>
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
>>
>> --
>> Evan Rempel                                      erempel at uvic.ca
>> Senior Systems Administrator                        250.721.7691
>> Data Centre Services, University Systems, University of Victoria
>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
>
>
>
>


-- 
Kaladhar
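To make the facility arithmetic behind the two syslog.h excerpts concrete, here is an added example (not code from the thread, from Solaris or from syslog-ng) that decodes the <PRI> of BSD-syslog lines against both facility tables. The tables are transcribed from the excerpts quoted in this thread, with the Solaris one deliberately limited to the entries Justin's excerpt shows; the sample lines are constructed, not captured traffic. It shows the three points a practitioner would want to check: a facility() filter is keyed on the facility number (PRI >> 3), so "13" must mean facility 13, i.e. PRI 104..111, and not PRI 13 (which is user.notice); facility 13 has no name in the Linux table, so a receiver whose table came from a Linux syslog.h cannot call it "audit"; and the two headers disagree on cron (15 on Solaris, 9 on Linux), so a numeric filter written on one platform can silently select a different facility on the other.

```python
import re

# Added example, not from the thread.  Facility tables are transcribed from the
# two syslog.h excerpts quoted above (facility number = LOG_xxx >> 3).  The
# Solaris table is limited to the lines shown in Justin's excerpt; entries it
# does not show are deliberately left out rather than guessed.
LINUX_FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SOLARIS_FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 13: "audit", 15: "cron",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def split_pri(pri):
    """PRI = facility * 8 + severity (RFC 3164): return (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside 0..191")
    return pri >> 3, pri & 7


def pri_range(facility):
    """All PRI values a given facility number can produce (severity 0..7)."""
    return facility << 3, (facility << 3) | 7


def decode(line, table):
    """Decode one BSD-syslog line against a facility table.

    Returns (facility_number, facility_name, severity_name); facility_name is
    None when the table has no entry for that number, which is the situation
    for facility 13 on a host whose syslog.h lacks LOG_AUDIT.
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix")
    fac, sev = split_pri(int(m.group(1)))
    return fac, table.get(fac), SEVERITIES[sev]


def facility_filter(lines, wanted):
    """Keep lines whose facility number (not their PRI) is in `wanted`."""
    keep = []
    for line in lines:
        fac, _ = split_pri(int(_PRI_RE.match(line).group(1)))
        if fac in wanted:
            keep.append(line)
    return keep


# Constructed sample traffic (not real captures) from a Solaris 10 sender.
SAMPLE_LINES = [
    "<110>Jul 28 12:00:00 sol10 auditd[1234]: login - ok; user admin",     # 13*8+6: audit.info
    "<38>Jul 28 12:00:01 sol10 sshd[2345]: Accepted publickey for admin",   # 4*8+6:  auth.info
    "<125>Jul 28 12:00:02 sol10 cron[3456]: (root) CMD (/usr/sbin/logadm)",  # 15*8+5: cron.notice on Solaris
]


def main():
    for line in SAMPLE_LINES:
        fac, sol_name, sev = decode(line, SOLARIS_FACILITIES)
        lin_name = LINUX_FACILITIES.get(fac)
        print(f"fac={fac:2d} sev={sev:8s} solaris={sol_name!s:8s} linux={lin_name!s:8s} {line[:40]}")
    lo, hi = pri_range(13)
    print(f"facility 13 covers PRI {lo}..{hi}; PRI 13 itself decodes to",
          decode("<13>x", LINUX_FACILITIES)[1:])
    print("numeric facility filter {13} keeps:", facility_filter(SAMPLE_LINES, {13}))


if __name__ == "__main__":
    main()
```

Running it prints, per sample line, the name each table assigns to the facility. The corresponding check on a real deployment is to look at the <PRI> values actually arriving from the Solaris sender (a packet capture on the receiver is enough) and confirm they fall inside pri_range(13) before blaming the filter.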