
This is a follow-up to this question. mghocke was kind enough to help me out with that question, but this is really a separate question, therefore a new post.

I really don't know a lot about syslog, and am trying to move away from syslogd to syslog-ng.

In Solaris' syslogd, there is an 'audit' facility that you can see configured below:

local7.debug                                    /var/log/ncolog
audit.debug                                     /var/log/ncolog
local7.debug                                    @nimitz
audit.debug                                     @nimitz

In my new syslog-ng.conf, it is configured like this:

filter f_local7 { facility (local7); };
filter f_audit { facility (audit); };

...

log { source (s_sys); filter (f_local7); destination (d_ncolog); destination (d_nimitz); };
log { source (s_sys); filter (f_audit); destination (d_ncolog); destination (d_nimitz); };

But syslog-ng doesn't recognize the 'audit' facility. I've looked around some, and it seems that the 'audit' facility is facility 13, but 'local13' doesn't work. What is this facility called in syslog-ng?

coding_hero

1 Answer


Instead of using the symbolic name 'audit' you have to use the numeric code 13:

filter f_audit { facility (13); };

mghocke
  • Thanks for the help again. Sorry I attributed the wrong user above, I'm an idiot. It's been fixed. – coding_hero Jul 11 '12 at 19:30
  • If I want to keep the local7 and audit logs out of /var/adm/messages, would changing the first line of the f_messages filter to this work?: `filter f_messages { priority (err..emerg) and not facility (local7) and not facility (13) or` – coding_hero Jul 11 '12 at 23:10
  • Yup, you got it. – mghocke Jul 16 '12 at 14:54
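As an added illustration, not part of the question or the answer: decoding the PRI header of a few constructed messages shows why Solaris' 'audit' is facility code 13 (the local0..local7 range occupies codes 16..23, so there is no 'local13') and replays the routing the question's filters describe. The facility table follows RFC 5424; d_messages is an assumed destination name standing in for /var/adm/messages.

```python
import re

# Facility codes per RFC 5424 (Solaris syslog.h spells code 13 LOG_AUDIT).
# local0..local7 are 16..23, which is why syslog-ng has no "local13".
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 12: "ntp", 13: "audit",
              14: "alert", 15: "clock"}
FACILITIES.update({16 + i: "local%d" % i for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Split a message's leading <PRI> into (facility, severity); PRI = facility*8 + severity."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23*8 + 7 is the largest legal value
        raise ValueError("PRI %d out of range" % pri)
    return pri >> 3, pri & 7

def facility_name(code):
    """Name for a facility code from the table above, or the bare number if it has none."""
    return FACILITIES.get(code, str(code))

def route(line):
    """Destinations under the question's log paths: f_local7/f_audit -> d_ncolog + d_nimitz;
    f_messages = priority(err..emerg) and not facility(local7) and not facility(13)
    -> d_messages (assumed name for the /var/adm/messages destination)."""
    fac, sev = decode_pri(line)
    name, dests = facility_name(fac), []
    if name in ("local7", "audit"):
        dests += ["d_ncolog", "d_nimitz"]
    if sev <= SEVERITIES.index("err") and name not in ("local7", "audit"):
        dests.append("d_messages")
    return dests

# Constructed sample messages (not real log data).
SAMPLES = [
    "<191>Jul 11 19:30:00 nco monitor[101]: local7.debug from the monitoring app",
    "<107>Jul 11 19:30:01 nco audit[102]: audit.err record",
    "<3>Jul 11 19:30:02 nco kernel: kern.err message",
    "<14>Jul 11 19:30:03 nco sshd[103]: user.info chatter",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        fac, sev = decode_pri(msg)
        print("%-6s %-7s -> %s" % (facility_name(fac), SEVERITIES[sev], route(msg)))
```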