[syslog-ng] Reg; Syslog-ng does not recognize the audit facility

Scheidler, Balázs balazs.scheidler at balabit.com
Wed Jul 29 10:25:16 CEST 2015


Syslog-ng does have a private facility registry to make the codes more
portable across OS-es.  It is in syslog-names.c in the lib/ directory. Can
you check if audit is listed there?

If it's not, feel free to submit a patch to add that.

Also, on a related note, if syslog-ng doesn't match by facility code, pls
confirm that the message was indeed submitted with the facility code you
are expecting. You can do that by looking at raw syslog traffic (using a
sniffer or merely looking at syslog-ng debug output). There you will see a
number in brackets as the first thing in a message.

E.g.

<55>date host msg

There 55 equals 8 times the facility plus the severity level, in this
example 6*8+7, e.g. facility 6, severity 7.
Hope this helps.
Bazsi
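An added decoder for the check Bazsi describes (example code written for this page, not syslog-ng's own): it pulls the PRI out of a captured line, splits it into facility and severity, and tallies which facilities a capture actually carries, so you can confirm the sender really emits facility 13 before touching the filter. The facility table is assumed from the syslog.h excerpts quoted in the thread, and the sample lines are constructed.

```python
import re

# Facility numbers taken from the syslog.h excerpts quoted in this thread.
# 13 is the Solaris LOG_AUDIT value; it is absent from the Linux table, so a
# build that only knows the Linux names will not resolve it (assumption).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    13: "audit",  # Solaris-specific
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is one to three digits in angle brackets at the very start of the line.
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (pri, facility_code, facility_name, severity_name) for a raw
    syslog line, or None if it carries no valid PRI.  PRI = facility*8 + severity."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the largest legal value
        return None
    facility, severity = divmod(pri, 8)
    name = FACILITIES.get(facility, "unknown(%d)" % facility)
    return (pri, facility, name, SEVERITIES[severity])


def facilities_seen(lines):
    """Count facility codes across captured lines; malformed lines are tallied
    under 'invalid' rather than silently dropped."""
    counts = {}
    for line in lines:
        decoded = decode_pri(line)
        key = "invalid" if decoded is None else decoded[1]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample capture (not real traffic): the <55> example from the
# reply, an audit-facility line (13*8+7 = 111), a daemon line, and a bad one.
SAMPLE = [
    "<55>Jul 28 11:08:00 host lpd[123]: test message",
    "<111>Jul 28 11:08:01 host audit[456]: login succeeded",
    "<30>Jul 28 11:08:02 host sshd[789]: session opened",
    "Jul 28 11:08:03 host app: no PRI at all",
]
```

Feed it the lines from a sniffer capture or from syslog-ng's debug output; a capture with no entry for code 13 means the filter is not the problem.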
On Jul 28, 2015 8:36 PM, "Evan Rempel" <erempel at uvic.ca> wrote:

> Then this needs to go back to whoever compiled the release of syslog-ng
> that you are using.
> Perhaps it was compiled on a different release of Solaris or something.
> Only the group that compiled the release can give you more answers.
>
> Evan.
>
> On 07/28/2015 11:08 AM, Justin Kala wrote:
>
> I see the AUDIT facility defined in /usr/include/sys/syslog.h on the syslog-ng
> server side and on the sending server as well.
>
> #define LOG_KERN        (0<<3)  /* kernel messages */
> #define LOG_USER        (1<<3)  /* random user-level messages */
> #define LOG_MAIL        (2<<3)  /* mail system */
> #define LOG_DAEMON      (3<<3)  /* system daemons */
> #define LOG_AUTH        (4<<3)  /* security/authorization messages */
> #define LOG_SYSLOG      (5<<3)  /* messages generated internally by syslogd */
> #define LOG_LPR         (6<<3)  /* line printer subsystem */
> #define LOG_NEWS        (7<<3)  /* netnews subsystem */
> #define LOG_UUCP        (8<<3)  /* uucp subsystem */
> #define LOG_AUDIT       (13<<3) /* audit subsystem */
> #define LOG_CRON        (15<<3) /* cron/at subsystem */
>
> On Tue, Jul 28, 2015 at 12:41 PM, Evan Rempel <erempel at uvic.ca> wrote:
>
>> Can you look at the syslog facility definitions
>>
>> /usr/include/sys/syslog.h
>>
>> or
>>
>> /usr/include/syslog.h
>>
>> to see if audit is a defined facility?
>>
>>
>>
>> On 07/28/2015 09:32 AM, Justin Kala wrote:
>>
>> Hi Evan, thanks for the reply, but both sending and receiving servers are
>> the same OS: Solaris 10.
>> On Jul 28, 2015 12:18 PM, "Evan Rempel" <erempel at uvic.ca> wrote:
>>
>>> Well, that is probably because the host where syslog-ng was compiled
>>> is a different OS than that where the "audit" facility log line was created.
>>>
>>> For instance, on a Linux host, the syslog.h file from the system only
>>> has these facilities defined.
>>>
>>> CODE facilitynames[] =
>>>   {
>>>     { "auth", LOG_AUTH },
>>>     { "authpriv", LOG_AUTHPRIV },
>>>     { "cron", LOG_CRON },
>>>     { "daemon", LOG_DAEMON },
>>>     { "ftp", LOG_FTP },
>>>     { "kern", LOG_KERN },
>>>     { "lpr", LOG_LPR },
>>>     { "mail", LOG_MAIL },
>>>     { "mark", INTERNAL_MARK },          /* INTERNAL */
>>>     { "news", LOG_NEWS },
>>>     { "security", LOG_AUTH },           /* DEPRECATED */
>>>     { "syslog", LOG_SYSLOG },
>>>     { "user", LOG_USER },
>>>     { "uucp", LOG_UUCP },
>>>     { "local0", LOG_LOCAL0 },
>>>     { "local1", LOG_LOCAL1 },
>>>     { "local2", LOG_LOCAL2 },
>>>     { "local3", LOG_LOCAL3 },
>>>     { "local4", LOG_LOCAL4 },
>>>     { "local5", LOG_LOCAL5 },
>>>     { "local6", LOG_LOCAL6 },
>>>     { "local7", LOG_LOCAL7 },
>>>
>>>
>>> with values of
>>>
>>> /* facility codes */
>>> #define LOG_KERN        (0<<3)  /* kernel messages */
>>> #define LOG_USER        (1<<3)  /* random user-level messages */
>>> #define LOG_MAIL        (2<<3)  /* mail system */
>>> #define LOG_DAEMON      (3<<3)  /* system daemons */
>>> #define LOG_AUTH        (4<<3)  /* security/authorization messages */
>>> #define LOG_SYSLOG      (5<<3)  /* messages generated internally by syslogd */
>>> #define LOG_LPR         (6<<3)  /* line printer subsystem */
>>> #define LOG_NEWS        (7<<3)  /* network news subsystem */
>>> #define LOG_UUCP        (8<<3)  /* UUCP subsystem */
>>> #define LOG_CRON        (9<<3)  /* clock daemon */
>>> #define LOG_AUTHPRIV    (10<<3) /* security/authorization messages (private) */
>>> #define LOG_FTP         (11<<3) /* ftp daemon */
>>>
>>>         /* other codes through 15 reserved for system use */
>>> #define LOG_LOCAL0      (16<<3) /* reserved for local use */
>>> #define LOG_LOCAL1      (17<<3) /* reserved for local use */
>>> #define LOG_LOCAL2      (18<<3) /* reserved for local use */
>>> #define LOG_LOCAL3      (19<<3) /* reserved for local use */
>>> #define LOG_LOCAL4      (20<<3) /* reserved for local use */
>>> #define LOG_LOCAL5      (21<<3) /* reserved for local use */
>>> #define LOG_LOCAL6      (22<<3) /* reserved for local use */
>>> #define LOG_LOCAL7      (23<<3) /* reserved for local use */
>>>
>>>
>>> so there is no audit facility.
>>>
>>> Hope that explains it.
>>>
>>>
>>> On 07/28/2015 09:08 AM, Justin Kala wrote:
>>>
>>>
>>> Hi
>>>
>>> Syslog-ng is unable to recognize the facility audit. When I put the filter
>>> as audit and restart syslog-ng it errors out. When I put the facility code
>>> as 13, it does not error on restarting the service but does not capture the
>>> syslog message received through this filter code 13 either.
>>>
>>> Please advise.
>>> --
>>> Kaladhar
>>>
>>>
>>> ______________________________________________________________________________
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>
>>>
>>>
>>> --
>>> Evan Rempel                                      erempel at uvic.ca
>>> Senior Systems Administrator                        250.721.7691
>>> Data Centre Services, University Systems, University of Victoria
>>>
>>>
>>>
>>
>
>
> --
> Kaladhar
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
> --
> Evan Rempel                                      erempel at uvic.ca
> Senior Systems Administrator                        250.721.7691
> Data Centre Services, University Systems, University of Victoria
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>