[syslog-ng] Reg; Syslog-ng does not recognize the audit facility
Justin Kala
justinkala at gmail.com
Mon Feb 22 18:16:54 CET 2016
Also, the current operating system is Solaris 11 SPARC 64-bit.
On Mon, Feb 22, 2016 at 11:46 AM, Justin Kala <justinkala at gmail.com> wrote:
> Somehow facility 13 is unable to accept audit logs.
> syslog-names.c does have the audit facility.
> Please let me know what else can be done.
>
> On Wed, Jul 29, 2015 at 5:14 PM, Scheidler, Balázs <
> balazs.scheidler at balabit.com> wrote:
>
>> It doesn't matter, the on-wire format is the same. Syslog-ng on the
>> server prints the facility in debug mode.
>> On Jul 29, 2015 9:07 PM, "Justin Kala" <justinkala at gmail.com> wrote:
>>
>>> Bazsi
>>>
>>> We do not have syslog-ng agents on the sending server side. Using the
>>> capabilities of syslog.conf only, where I put the line "audit.notice
>>> @Syslog-NG-server".
>>>
>>> On Wed, Jul 29, 2015 at 4:25 AM, Scheidler, Balázs <
>>> balazs.scheidler at balabit.com> wrote:
>>>
>>>> Syslog-ng does have a private facility registry to make the codes more
>>>> portable across OS-es. It is in syslog-names.c in the lib/ directory. Can
>>>> you check if audit is listed there?
>>>>
>>>> If it's not, feel free to submit a patch to add that.
>>>>
>>>> Also, on a related note, if syslog-ng doesn't match by facility code,
>>>> please confirm that the message was indeed submitted with the facility code
>>>> you are expecting. You can do that by looking at raw syslog traffic (using
>>>> a sniffer or merely looking at syslog-ng debug output). There you will see
>>>> a number in brackets as the first thing in a message.
>>>>
>>>> E.g.
>>>>
>>>> <55>date host msg
>>>>
>>>> There 55 equals 8 times the facility plus the severity level, in this
>>>> example 6*8+7, e.g. facility 6, severity 7.
>>>> Hope this helps.
>>>> Bazsi
>>>> On Jul 28, 2015 8:36 PM, "Evan Rempel" <erempel at uvic.ca> wrote:
>>>>
>>>>> Then this needs to go back to whomever compiled the release of
>>>>> syslog-ng that you are using.
>>>>> Perhaps it was compiled on a different release of Solaris or
>>>>> something. Only the group that compiled the release can give you more
>>>>> answers.
>>>>>
>>>>> Evan.
>>>>>
>>>>> On 07/28/2015 11:08 AM, Justin Kala wrote:
>>>>>
>>>>> I see AUDIT facility defined in /usr/include/sys/syslog.h on syslog-ng
>>>>> server side and the sending server as well.
>>>>>
>>>>> #define LOG_KERN (0<<3) /* kernel messages */
>>>>> #define LOG_USER (1<<3) /* random user-level messages */
>>>>> #define LOG_MAIL (2<<3) /* mail system */
>>>>> #define LOG_DAEMON (3<<3) /* system daemons */
>>>>> #define LOG_AUTH (4<<3) /* security/authorization messages */
>>>>> #define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
>>>>> #define LOG_LPR (6<<3) /* line printer subsystem */
>>>>> #define LOG_NEWS (7<<3) /* netnews subsystem */
>>>>> #define LOG_UUCP (8<<3) /* uucp subsystem */
>>>>> *#define LOG_AUDIT (13<<3) /* audit subsystem */*
>>>>> #define LOG_CRON (15<<3) /* cron/at subsystem */
>>>>>
>>>>> On Tue, Jul 28, 2015 at 12:41 PM, Evan Rempel <erempel at uvic.ca> wrote:
>>>>>
>>>>>> Can you look at the syslog facility definitions
>>>>>>
>>>>>> /usr/include/sys/syslog.h
>>>>>>
>>>>>> or
>>>>>>
>>>>>> /usr/include/syslog.h
>>>>>>
>>>>>> to see if audit is a defined facility?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 07/28/2015 09:32 AM, Justin Kala wrote:
>>>>>>
>>>>>> Hi Evan, thanks for the reply, but both sending and receiving servers
>>>>>> are the same OS: Solaris 10.
>>>>>> On Jul 28, 2015 12:18 PM, "Evan Rempel" <erempel at uvic.ca> wrote:
>>>>>>
>>>>>>> Well, that is probably because the host where syslog-ng was compiled
>>>>>>> is a different OS than that where the "audit" facility log line was created.
>>>>>>>
>>>>>>> For instance, on a Linux host, the syslog.h file from the system
>>>>>>> only has these facilities defined.
>>>>>>>
>>>>>>> CODE facilitynames[] =
>>>>>>> {
>>>>>>> { "auth", LOG_AUTH },
>>>>>>> { "authpriv", LOG_AUTHPRIV },
>>>>>>> { "cron", LOG_CRON },
>>>>>>> { "daemon", LOG_DAEMON },
>>>>>>> { "ftp", LOG_FTP },
>>>>>>> { "kern", LOG_KERN },
>>>>>>> { "lpr", LOG_LPR },
>>>>>>> { "mail", LOG_MAIL },
>>>>>>> { "mark", INTERNAL_MARK }, /* INTERNAL */
>>>>>>> { "news", LOG_NEWS },
>>>>>>> { "security", LOG_AUTH }, /* DEPRECATED */
>>>>>>> { "syslog", LOG_SYSLOG },
>>>>>>> { "user", LOG_USER },
>>>>>>> { "uucp", LOG_UUCP },
>>>>>>> { "local0", LOG_LOCAL0 },
>>>>>>> { "local1", LOG_LOCAL1 },
>>>>>>> { "local2", LOG_LOCAL2 },
>>>>>>> { "local3", LOG_LOCAL3 },
>>>>>>> { "local4", LOG_LOCAL4 },
>>>>>>> { "local5", LOG_LOCAL5 },
>>>>>>> { "local6", LOG_LOCAL6 },
>>>>>>> { "local7", LOG_LOCAL7 },
>>>>>>> };
>>>>>>>
>>>>>>>
>>>>>>> with values of
>>>>>>>
>>>>>>> /* facility codes */
>>>>>>> #define LOG_KERN (0<<3) /* kernel messages */
>>>>>>> #define LOG_USER (1<<3) /* random user-level messages */
>>>>>>> #define LOG_MAIL (2<<3) /* mail system */
>>>>>>> #define LOG_DAEMON (3<<3) /* system daemons */
>>>>>>> #define LOG_AUTH (4<<3) /* security/authorization messages */
>>>>>>> #define LOG_SYSLOG (5<<3) /* messages generated internally by syslogd */
>>>>>>> #define LOG_LPR (6<<3) /* line printer subsystem */
>>>>>>> #define LOG_NEWS (7<<3) /* network news subsystem */
>>>>>>> #define LOG_UUCP (8<<3) /* UUCP subsystem */
>>>>>>> #define LOG_CRON (9<<3) /* clock daemon */
>>>>>>> #define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
>>>>>>> #define LOG_FTP (11<<3) /* ftp daemon */
>>>>>>>
>>>>>>> /* other codes through 15 reserved for system use */
>>>>>>> #define LOG_LOCAL0 (16<<3) /* reserved for local use */
>>>>>>> #define LOG_LOCAL1 (17<<3) /* reserved for local use */
>>>>>>> #define LOG_LOCAL2 (18<<3) /* reserved for local use */
>>>>>>> #define LOG_LOCAL3 (19<<3) /* reserved for local use */
>>>>>>> #define LOG_LOCAL4 (20<<3) /* reserved for local use */
>>>>>>> #define LOG_LOCAL5 (21<<3) /* reserved for local use */
>>>>>>> #define LOG_LOCAL6 (22<<3) /* reserved for local use */
>>>>>>> #define LOG_LOCAL7 (23<<3) /* reserved for local use */
>>>>>>>
>>>>>>>
>>>>>>> so there is no audit facility.
>>>>>>>
>>>>>>> Hope that explains it.
>>>>>>>
>>>>>>>
>>>>>>> On 07/28/2015 09:08 AM, Justin Kala wrote:
>>>>>>>
>>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> Syslog-ng is unable to recognize the facility audit. When I put the
>>>>>>> filter as audit and restart syslog-ng, it errors out. When I put the
>>>>>>> facility code as 13, it does not error on restarting the service, but it
>>>>>>> does not capture the syslog messages received through this filter code 13
>>>>>>> either.
>>>>>>>
>>>>>>> Please advise.
>>>>>>> --
>>>>>>> Kaladhar
>>>>>>>
>>>>>>>
>>>>>>> ______________________________________________________________________________
>>>>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>>>>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Evan Rempel erempel at uvic.ca
>>>>>>> Senior Systems Administrator 250.721.7691
>>>>>>> Data Centre Services, University Systems, University of Victoria
>>>>>>>
--
Kaladhar
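To confirm, as Bazsi suggests above, that a message really arrived with the facility you expect, the `<PRI>` prefix can be decoded as facility*8 + severity. The following is an added example, not code from the thread or from syslog-ng; its sample lines are constructed, and its name table adds "audit" at 13 the way the Solaris syslog.h shown above does (the Linux table has nothing at 13).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Facility names for a receiver that must understand Solaris senders:
 * the codes from syslog.h plus "audit" at 13 (Solaris LOG_AUDIT (13<<3)).
 * Codes 12, 14 and 15 are reserved, so they decode as "unknown". */
const char *facility_name(int facility)
{
    static const char *names[24] = {
        "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
        "uucp", "cron", "authpriv", "ftp", NULL, "audit", NULL, NULL,
        "local0", "local1", "local2", "local3",
        "local4", "local5", "local6", "local7"
    };
    if (facility < 0 || facility > 23 || names[facility] == NULL)
        return "unknown";
    return names[facility];
}

/* Parse the <PRI> prefix of a raw syslog line. PRI = facility*8 + severity,
 * so facility = PRI/8 and severity = PRI%8. PRI is 1-3 digits and at most
 * 191 (23*8+7). Returns 0 on success, -1 when there is no well-formed PRI,
 * which is exactly the case where a facility filter can never match. */
int decode_pri(const char *msg, int *facility, int *severity)
{
    if (msg == NULL || msg[0] != '<' || msg[1] < '0' || msg[1] > '9')
        return -1;
    char *end;
    long pri = strtol(msg + 1, &end, 10);
    if (*end != '>' || end - (msg + 1) > 3 || pri > 191)
        return -1;
    *facility = (int)(pri / 8);
    *severity = (int)(pri % 8);
    return 0;
}

int main(void)
{
    /* Constructed samples: Bazsi's <55> example, an audit.notice line
     * (13*8+5 = 109) and a line with no PRI at all. */
    const char *samples[] = {
        "<55>Jul 29 21:07:00 host msg",
        "<109>Feb 22 18:16:54 solhost audit: constructed audit record",
        "Feb 22 18:16:54 solhost no PRI here"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int f, s;
        if (decode_pri(samples[i], &f, &s) == 0)
            printf("facility %d (%s) severity %d: %s\n", f, facility_name(f), s, samples[i]);
        else
            printf("no valid PRI: %s\n", samples[i]);
    }
    return 0;
}
```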