[syslog-ng] Reg; Syslog-ng does not recognize the audit facility

Justin Kala justinkala at gmail.com
Mon Feb 22 17:46:47 CET 2016


Somehow facility 13 is unable to accept audit logs.
syslog-names.c does have the audit facility.
Please let me know what else can be done.

On Wed, Jul 29, 2015 at 5:14 PM, Scheidler, Balázs <
balazs.scheidler at balabit.com> wrote:

> It doesn't matter, the on-wire format is the same. Syslog-ng on the server
> prints the facility in debug mode.
> On Jul 29, 2015 9:07 PM, "Justin Kala" <justinkala at gmail.com> wrote:
>
>> Bazsi
>>
>> We do not have syslog-ng agents on the sending server side. Using the
>> capabilities of syslog.conf only, where I put the line "audit.notice
>> @Syslog-NG-server".
>>
>> On Wed, Jul 29, 2015 at 4:25 AM, Scheidler, Balázs <
>> balazs.scheidler at balabit.com> wrote:
>>
>>> Syslog-ng does have a private facility registry to make the codes more
>>> portable across OS-es. It is in syslog-names.c in the lib/ directory. Can
>>> you check if audit is listed there?
>>>
>>> If it's not, feel free to submit a patch to add that.
>>>
>>> Also, on a related note, if syslog-ng doesn't match by facility code, please
>>> confirm that the message was indeed submitted with the facility code you
>>> are expecting. You can do that by looking at raw syslog traffic (using a
>>> sniffer or merely looking at syslog-ng debug output). There you will see a
>>> number in brackets as the first thing in a message.
>>>
>>> E.g.
>>>
>>> <55>date host msg
>>>
>>> There 55 equals 8 times the facility plus the severity level, in this
>>> example 6*8+7, e.g. facility 6, severity 7.
>>> Hope this helps.
>>> Bazsi
>>> On Jul 28, 2015 8:36 PM, "Evan Rempel" <erempel at uvic.ca> wrote:
>>>
>>>> Then this needs to go back to whomever compiled the release of
>>>> syslog-ng that you are using.
>>>> Perhaps it was compiled on a different release of Solaris or something.
>>>> Only the group that compiled the release can give you more answers.
>>>>
>>>> Evan.
>>>>
>>>> On 07/28/2015 11:08 AM, Justin Kala wrote:
>>>>
>>>> I see AUDIT facility defined in /usr/include/sys/syslog.h on syslog-ng
>>>> server side and the sending server as well.
>>>>
>>>> #define LOG_KERN        (0<<3)  /* kernel messages */
>>>> #define LOG_USER        (1<<3)  /* random user-level messages */
>>>> #define LOG_MAIL        (2<<3)  /* mail system */
>>>> #define LOG_DAEMON      (3<<3)  /* system daemons */
>>>> #define LOG_AUTH        (4<<3)  /* security/authorization messages */
>>>> #define LOG_SYSLOG      (5<<3)  /* messages generated internally by syslogd */
>>>> #define LOG_LPR         (6<<3)  /* line printer subsystem */
>>>> #define LOG_NEWS        (7<<3)  /* netnews subsystem */
>>>> #define LOG_UUCP        (8<<3)  /* uucp subsystem */
>>>> #define LOG_AUDIT       (13<<3) /* audit subsystem */
>>>> #define LOG_CRON        (15<<3) /* cron/at subsystem */
>>>>
>>>> On Tue, Jul 28, 2015 at 12:41 PM, Evan Rempel <erempel at uvic.ca> wrote:
>>>>
>>>>> Can you look at the syslog facility definitions
>>>>>
>>>>> /usr/include/sys/syslog.h
>>>>>
>>>>> or
>>>>>
>>>>> /usr/include/syslog.h
>>>>>
>>>>> to see if audit is a defined facility?
>>>>>
>>>>>
>>>>>
>>>>> On 07/28/2015 09:32 AM, Justin Kala wrote:
>>>>>
>>>>> Hi Evan, thanks for the reply, but both sending and receiving servers
>>>>> are the same OS: Solaris 10.
>>>>> On Jul 28, 2015 12:18 PM, "Evan Rempel" <erempel at uvic.ca> wrote:
>>>>>
>>>>>> Well, that is probably because the host where syslog-ng was compiled
>>>>>> is a different OS than that where the "audit" facility log line was created.
>>>>>>
>>>>>> For instance, on a Linux host, the syslog.h file from the system only
>>>>>> has these facilities defined.
>>>>>>
>>>>>> CODE facilitynames[] =
>>>>>>   {
>>>>>>     { "auth", LOG_AUTH },
>>>>>>     { "authpriv", LOG_AUTHPRIV },
>>>>>>     { "cron", LOG_CRON },
>>>>>>     { "daemon", LOG_DAEMON },
>>>>>>     { "ftp", LOG_FTP },
>>>>>>     { "kern", LOG_KERN },
>>>>>>     { "lpr", LOG_LPR },
>>>>>>     { "mail", LOG_MAIL },
>>>>>>     { "mark", INTERNAL_MARK },          /* INTERNAL */
>>>>>>     { "news", LOG_NEWS },
>>>>>>     { "security", LOG_AUTH },           /* DEPRECATED */
>>>>>>     { "syslog", LOG_SYSLOG },
>>>>>>     { "user", LOG_USER },
>>>>>>     { "uucp", LOG_UUCP },
>>>>>>     { "local0", LOG_LOCAL0 },
>>>>>>     { "local1", LOG_LOCAL1 },
>>>>>>     { "local2", LOG_LOCAL2 },
>>>>>>     { "local3", LOG_LOCAL3 },
>>>>>>     { "local4", LOG_LOCAL4 },
>>>>>>     { "local5", LOG_LOCAL5 },
>>>>>>     { "local6", LOG_LOCAL6 },
>>>>>>     { "local7", LOG_LOCAL7 },
>>>>>>     { NULL, -1 }
>>>>>>   };
>>>>>>
>>>>>>
>>>>>> with values of
>>>>>>
>>>>>> /* facility codes */
>>>>>> #define LOG_KERN        (0<<3)  /* kernel messages */
>>>>>> #define LOG_USER        (1<<3)  /* random user-level messages */
>>>>>> #define LOG_MAIL        (2<<3)  /* mail system */
>>>>>> #define LOG_DAEMON      (3<<3)  /* system daemons */
>>>>>> #define LOG_AUTH        (4<<3)  /* security/authorization messages */
>>>>>> #define LOG_SYSLOG      (5<<3)  /* messages generated internally by syslogd */
>>>>>> #define LOG_LPR         (6<<3)  /* line printer subsystem */
>>>>>> #define LOG_NEWS        (7<<3)  /* network news subsystem */
>>>>>> #define LOG_UUCP        (8<<3)  /* UUCP subsystem */
>>>>>> #define LOG_CRON        (9<<3)  /* clock daemon */
>>>>>> #define LOG_AUTHPRIV    (10<<3) /* security/authorization messages (private) */
>>>>>> #define LOG_FTP         (11<<3) /* ftp daemon */
>>>>>>
>>>>>>         /* other codes through 15 reserved for system use */
>>>>>> #define LOG_LOCAL0      (16<<3) /* reserved for local use */
>>>>>> #define LOG_LOCAL1      (17<<3) /* reserved for local use */
>>>>>> #define LOG_LOCAL2      (18<<3) /* reserved for local use */
>>>>>> #define LOG_LOCAL3      (19<<3) /* reserved for local use */
>>>>>> #define LOG_LOCAL4      (20<<3) /* reserved for local use */
>>>>>> #define LOG_LOCAL5      (21<<3) /* reserved for local use */
>>>>>> #define LOG_LOCAL6      (22<<3) /* reserved for local use */
>>>>>> #define LOG_LOCAL7      (23<<3) /* reserved for local use */
>>>>>>
>>>>>>
>>>>>> so there is no audit facility.
>>>>>>
>>>>>> Hope that explains it.
>>>>>>
>>>>>>
>>>>>> On 07/28/2015 09:08 AM, Justin Kala wrote:
>>>>>>
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> Syslog-ng is unable to recognize the facility audit. When I put the
>>>>>> filter as audit and restart syslog-ng, it errors out. When I put the
>>>>>> facility code as 13, it does not error on restarting the service, but does
>>>>>> not capture the syslog messages received through this filter code 13
>>>>>> either.
>>>>>>
>>>>>> Please advise.
>>>>>> --
>>>>>> Kaladhar
>>>>>>
>>>>>>
>>>>>> ______________________________________________________________________________
>>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Evan Rempel                                      erempel at uvic.ca
>>>>>> Senior Systems Administrator                        250.721.7691
>>>>>> Data Centre Services, University Systems, University of Victoria
>>>>>>
>>>>>
>>>>> --
>>>>> Evan Rempel                                      erempel at uvic.ca
>>>>> Senior Systems Administrator                        250.721.7691
>>>>> Data Centre Services, University Systems, University of Victoria
>>>>>
>>>>
>>>>
>>>> --
>>>> Kaladhar
>>>>
>>>> --
>>>> Evan Rempel                                      erempel at uvic.ca
>>>> Senior Systems Administrator                        250.721.7691
>>>> Data Centre Services, University Systems, University of Victoria
>>>>
>>>
>>
>>
>> --
>> Kaladhar
>>
>


-- 
Kaladhar
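As an added example (not code from this thread or from syslog-ng itself), a small Python decoder for the PRI check Bazsi describes: it splits the leading `<PRI>` of a raw syslog line into facility and severity (PRI = facility*8 + severity) and names the facility using the Linux syslog.h table quoted above plus Solaris' LOG_AUDIT = 13, so you can confirm whether a message really arrived with facility 13 before blaming the filter. The sample lines are constructed.

```python
import re

# Facility number -> name. 0..11 and 16..23 are the Linux syslog.h values
# quoted in the thread; 13 is Solaris' LOG_AUDIT (13<<3), which Linux lacks.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    13: "audit",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI value a sender puts on the wire: 8 * facility + severity."""
    return facility * 8 + severity


def decode_pri(line):
    """Return (facility_num, facility_name, severity_num, severity_name) for a
    raw syslog line that starts with <PRI>, or None if there is no valid PRI.
    PRI above 191 (= 23*8 + 7) is out of range and treated as invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)
    return (facility, FACILITIES.get(facility, "unknown"), severity, SEVERITIES[severity])


def has_facility(line, facility):
    """True if the line's PRI decodes to the given facility number."""
    decoded = decode_pri(line)
    return decoded is not None and decoded[0] == facility


if __name__ == "__main__":
    # Constructed sample lines: Bazsi's <55> example and an audit.notice message.
    for sample in ("<55>date host msg", "<109>Jul 28 12:00:00 solhost audit: login"):
        print(sample, "->", decode_pri(sample), "audit?", has_facility(sample, 13))
```

An audit.notice line from syslog.conf carries PRI 109 (13*8 + 5); if the sniffer or syslog-ng debug output shows a different number, the sender is not using facility 13.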