[syslog-ng] Reg; Syslog-ng does not recognize the audit facility
Evan Rempel
erempel at uvic.ca
Tue Jul 28 20:36:34 CEST 2015
Then this needs to go back to whoever compiled the release of syslog-ng that you are using.
Perhaps it was compiled on a different release of Solaris or something. Only the group that compiled the release can give you more answers.
Evan.
On 07/28/2015 11:08 AM, Justin Kala wrote:
> I see AUDIT facility defined in /usr/include/sys/syslog.h on syslog-ng server side and the sending server as well.
>
> #define LOG_KERN (0<<3) /* kernel messages */
> #define LOG_USER (1<<3) /* random user-level messages */
> #define LOG_MAIL (2<<3) /* mail system */
> #define LOG_DAEMON (3<<3) /* system daemons */
> #define LOG_AUTH (4<<3) /* security/authorization messages */
> #define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
> #define LOG_LPR (6<<3) /* line printer subsystem */
> #define LOG_NEWS (7<<3) /* netnews subsystem */
> #define LOG_UUCP (8<<3) /* uucp subsystem */
> #define LOG_AUDIT (13<<3) /* audit subsystem */
> #define LOG_CRON (15<<3) /* cron/at subsystem */
>
> On Tue, Jul 28, 2015 at 12:41 PM, Evan Rempel <erempel at uvic.ca> wrote:
>
> Can you look at the syslog facility definitions
>
> /usr/include/sys/syslog.h
>
> or
>
> /usr/include/syslog.h
>
> to see if audit is a defined facility?
>
>
>
> On 07/28/2015 09:32 AM, Justin Kala wrote:
>>
>> Hi Evan, thanks for the reply, but both the sending and receiving servers are the same OS: Solaris 10.
>>
>> On Jul 28, 2015 12:18 PM, "Evan Rempel" <erempel at uvic.ca> wrote:
>>
>> Well, that is probably because the host where syslog-ng was compiled is a different OS than the one where the "audit" facility log line was created.
>>
>> For instance, on a Linux host, the syslog.h file from the system only has these facilities defined.
>>
>> CODE facilitynames[] =
>> {
>> { "auth", LOG_AUTH },
>> { "authpriv", LOG_AUTHPRIV },
>> { "cron", LOG_CRON },
>> { "daemon", LOG_DAEMON },
>> { "ftp", LOG_FTP },
>> { "kern", LOG_KERN },
>> { "lpr", LOG_LPR },
>> { "mail", LOG_MAIL },
>> { "mark", INTERNAL_MARK }, /* INTERNAL */
>> { "news", LOG_NEWS },
>> { "security", LOG_AUTH }, /* DEPRECATED */
>> { "syslog", LOG_SYSLOG },
>> { "user", LOG_USER },
>> { "uucp", LOG_UUCP },
>> { "local0", LOG_LOCAL0 },
>> { "local1", LOG_LOCAL1 },
>> { "local2", LOG_LOCAL2 },
>> { "local3", LOG_LOCAL3 },
>> { "local4", LOG_LOCAL4 },
>> { "local5", LOG_LOCAL5 },
>> { "local6", LOG_LOCAL6 },
>> { "local7", LOG_LOCAL7 },
>> { NULL, -1 }
>> };
>>
>> with values of
>>
>> /* facility codes */
>> #define LOG_KERN (0<<3) /* kernel messages */
>> #define LOG_USER (1<<3) /* random user-level messages */
>> #define LOG_MAIL (2<<3) /* mail system */
>> #define LOG_DAEMON (3<<3) /* system daemons */
>> #define LOG_AUTH (4<<3) /* security/authorization messages */
>> #define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
>> #define LOG_LPR (6<<3) /* line printer subsystem */
>> #define LOG_NEWS (7<<3) /* network news subsystem */
>> #define LOG_UUCP (8<<3) /* UUCP subsystem */
>> #define LOG_CRON (9<<3) /* clock daemon */
>> #define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
>> #define LOG_FTP (11<<3) /* ftp daemon */
>>
>> /* other codes through 15 reserved for system use */
>> #define LOG_LOCAL0 (16<<3) /* reserved for local use */
>> #define LOG_LOCAL1 (17<<3) /* reserved for local use */
>> #define LOG_LOCAL2 (18<<3) /* reserved for local use */
>> #define LOG_LOCAL3 (19<<3) /* reserved for local use */
>> #define LOG_LOCAL4 (20<<3) /* reserved for local use */
>> #define LOG_LOCAL5 (21<<3) /* reserved for local use */
>> #define LOG_LOCAL6 (22<<3) /* reserved for local use */
>> #define LOG_LOCAL7 (23<<3) /* reserved for local use */
>>
>>
>> so there is no audit facility.
>>
>> Hope that explains it.
>>
>>
>> On 07/28/2015 09:08 AM, Justin Kala wrote:
>>>
>>> Hi
>>>
>>> Syslog-ng is unable to recognize the facility audit. When I put the filter as audit and restart syslog-ng, it errors out. When I put the facility code as 13, it does not error on restarting the service, but it does not capture the syslog messages received through this filter code 13 either.
>>>
>>> Please advise.
>>> --
>>> Kaladhar
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>
>>
>> --
>> Evan Rempel erempel at uvic.ca
>> Senior Systems Administrator 250.721.7691
>> Data Centre Services, University Systems, University of Victoria
>>
>>
>
>
>
>
>
--
Evan Rempel erempel at uvic.ca
Senior Systems Administrator 250.721.7691
Data Centre Services, University Systems, University of Victoria
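The facility encoding that this thread turns on, as an added example in C (not code from the thread, from the system headers, or from syslog-ng). It splits the `<PRI>` of a received line into facility and severity using the same `n<<3` arithmetic as the `LOG_*` macros, then resolves the facility number against two name tables: one built from the Linux syslog.h excerpt quoted above (no entry for 13) and one from the Solaris 10 excerpt (`audit` at 13, `cron` at 15). The sample log lines and hostnames are constructed, and the `local0`..`local7` entries in the Solaris table are an assumption since the quoted excerpt stops at `LOG_CRON`. A collector built against the first table has no name to give facility 13 and no number to give the name `audit`, which is the mismatch Evan describes.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread or from syslog-ng.
   A facility name table has the same shape as glibc's facilitynames[]
   quoted in the thread: name -> facility number, NULL-terminated. */
struct facname {
    const char *name;
    int code;
};

/* Facility numbers as given in the Linux syslog.h excerpt in the thread
   (LOG_xxx (n<<3) with the shift removed). There is no entry for 13. */
static const struct facname linux_facilities[] = {
    {"kern", 0},    {"user", 1},    {"mail", 2},      {"daemon", 3},
    {"auth", 4},    {"syslog", 5},  {"lpr", 6},       {"news", 7},
    {"uucp", 8},    {"cron", 9},    {"authpriv", 10}, {"ftp", 11},
    {"local0", 16}, {"local1", 17}, {"local2", 18},   {"local3", 19},
    {"local4", 20}, {"local5", 21}, {"local6", 22},   {"local7", 23},
    {NULL, -1}
};

/* Facility numbers from the Solaris 10 /usr/include/sys/syslog.h excerpt
   in the thread: "audit" is 13 and cron is 15. The local0-local7 entries
   are an assumption; the quoted excerpt stops at LOG_CRON. */
static const struct facname solaris_facilities[] = {
    {"kern", 0},    {"user", 1},    {"mail", 2},    {"daemon", 3},
    {"auth", 4},    {"syslog", 5},  {"lpr", 6},     {"news", 7},
    {"uucp", 8},    {"audit", 13},  {"cron", 15},
    {"local0", 16}, {"local1", 17}, {"local2", 18}, {"local3", 19},
    {"local4", 20}, {"local5", 21}, {"local6", 22}, {"local7", 23},
    {NULL, -1}
};

/* Split the leading <PRI> of a syslog line into facility and severity.
   PRI = facility * 8 + severity, which is exactly the (n<<3) encoding of
   the LOG_* macros. Returns 1 on success, 0 if the line has no valid PRI. */
int parse_pri(const char *line, int *facility, int *severity)
{
    if (line == NULL || line[0] != '<')
        return 0;
    const char *p = line + 1;
    int value = 0, digits = 0;
    while (*p >= '0' && *p <= '9' && digits < 3) {
        value = value * 10 + (*p - '0');
        p++;
        digits++;
    }
    /* 191 = (23<<3) | 7 is the largest PRI the facility tables can express */
    if (digits == 0 || *p != '>' || value > 191)
        return 0;
    *facility = value >> 3;
    *severity = value & 7;
    return 1;
}

/* Name for a facility number, or NULL if the table has no such entry.
   This is the lookup a collector does when it labels an incoming message. */
const char *facility_name(const struct facname *table, int code)
{
    for (; table->name != NULL; table++)
        if (table->code == code)
            return table->name;
    return NULL;
}

/* Number for a facility name, or -1 if unknown. A configuration filter
   such as facility(audit) needs this lookup to succeed when the config
   is parsed. */
int facility_code(const struct facname *table, const char *name)
{
    for (; table->name != NULL; table++)
        if (strcmp(table->name, name) == 0)
            return table->code;
    return -1;
}

int main(void)
{
    /* Constructed sample lines: 109 = 13*8 + 5 (audit.notice on Solaris),
       38 = 4*8 + 6 (auth.info). Hostnames and message text are made up. */
    const char *lines[] = {
        "<109>Jul 28 09:08:01 solhost audit: example audit record",
        "<38>Jul 28 09:08:02 lxhost sshd[1234]: Accepted publickey for user",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int fac, sev;
        if (!parse_pri(lines[i], &fac, &sev)) {
            printf("no PRI: %s\n", lines[i]);
            continue;
        }
        const char *lx = facility_name(linux_facilities, fac);
        const char *sol = facility_name(solaris_facilities, fac);
        printf("facility %2d severity %d  linux=%-8s solaris=%s\n",
               fac, sev, lx ? lx : "(none)", sol ? sol : "(none)");
    }
    printf("facility(audit): linux table -> %d, solaris table -> %d\n",
           facility_code(linux_facilities, "audit"),
           facility_code(solaris_facilities, "audit"));
    return 0;
}
```

Running it shows the first line decoding to facility 13 / severity 5, named `audit` only by the Solaris table, and `facility_code(..., "audit")` returning -1 against the Linux table. When a collector reports an unknown facility name, comparing the facility table it was built with against the sender's syslog.h, as done in this thread, is the quickest way to confirm whether the disagreement is in the configuration or in the build.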