syslog and authpriv

Martin Paul

Oct 10, 2013, 3:43:30 AM
I'm forwarding all syslog messages from a Red Hat 6 system (using
rsyslog) to a server running Solaris 10 with the included syslogd.
Unfortunately, many messages never show up in the logfiles on the
receiving end.

The problem seems to be that Solaris' syslogd doesn't support certain
facility codes like "authpriv", "ftp", etc., as can be seen when
comparing /usr/include/sys/syslog.h on both systems.

Can syslogd on Solaris be told to log unknown facilities as well?

Martin.

Volker Borchert

Oct 10, 2013, 3:31:48 PM
On Solaris 7, octal numeric values (like in '088.debug') work.
Might be worth a try.

--

"I'm a doctor, not a mechanic." Dr Leonard McCoy <mc...@ncc1701.starfleet.fed>
"I'm a mechanic, not a doctor." Volker Borchert <v_bor...@despammed.com>

Martin Paul

Oct 11, 2013, 3:10:49 AM
On 10.10.2013 21:31, Volker Borchert wrote:
> Martin Paul wrote:
>> Can syslogd on Solaris be told to log unknown facilities as well?
>
> On Solaris 7, octal numeric values (like in '088.debug') work.
> Might be worth a try.

Tried both "0120.debug" and "120.debug" on Solaris 10 to catch "#define
LOG_AUTHPRIV (10<<3)", but it doesn't work. Too bad, supporting
unknown codes in this way would have been an elegant solution.

Somebody else recommended this:

*.info;audit.none;auth.none;cron.none;daemon.none;kern.none;local0.none;local1.none;local2.none;local3.none;local4.none;local5.none;local6.none;local7.none;lpr.none;mail.none;news.none;user.none;uucp.none /var/log/allother

.. but unknown facilities are still ignored.

Martin.


Volker Borchert

Oct 11, 2013, 3:13:49 PM
Martin Paul wrote:
> On 10.10.2013 21:31, Volker Borchert wrote:
> > Martin Paul wrote:
> >> Can syslogd on Solaris be told to log unknown facilities as well?
> >
> > On Solaris 7, octal numeric values (like in '088.debug') work.
> > Might be worth a try.
>
> Tried both "0120.debug" and "120.debug" on Solaris 10 to catch "#define
> LOG_AUTHPRIV (10<<3)", but it doesn't work. Too bad, supporting
> unknown codes in this way would have been an elegant solution.

Hm... it should have been obvious even to me that 088 can't be octal...

Output from syslogd -d is

------------------------ priority = [file, facility] ------------------------

0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
--------------------------------------------------
X X X X X X X X X X X X X X X X X X X X X X X X 7 FORW: loghost
X X X X X X X X X X X X X X X X X X X X 7 X X X X USERS: root
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FORW: loghost
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:
X X X X X X X X X X X 7 X X X X X X X X X X X X X FILE: /var/log/net
X X X X X X X X X X X X X X X X X X X 6 X X X X X FILE: /var/log/net

and the relevant part of syslogd.conf is

088.debug /var/log/net
local3.info /var/log/net

19 is local3, on both NetBSD and SunOS. 11 is LOG_FTP on NetBSD, and
obviously originates from the 088. But how? I don't remember, I must
have figured it out in 2002 ;-)

..

..

..

It seems to be _decimal_ with leading zero - eight times eleven gives
eighty-eight. Looking at the sources of my BSD-ish syslogd:
    if (isdigit(*name))
        return (atoi(name));
So, please try 080 - if only to do me a favor ;-)

Chris Ridd

Oct 12, 2013, 1:13:29 AM
On 2013-10-11 19:13:49 +0000, Volker Borchert said:

> Martin Paul wrote:
>> On 10.10.2013 21:31, Volker Borchert wrote:
>>> Martin Paul wrote:
>>>> Can syslogd on Solaris be told to log unknown facilities as well?
>>>
>>> On Solaris 7, octal numeric values (like in '088.debug') work.
>>> Might be worth a try.
>>
>> Tried both "0120.debug" and "120.debug" on Solaris 10 to catch "#define
>> LOG_AUTHPRIV (10<<3)", but it doesn't work. Too bad, supporting
>> unknown codes in this way would have been an elegant solution.
>
> Hm... it should have been obvious even to me that 088 can't be octal...

Is it worth looking at the code from the Illumos/OpenSolaris versions
of the Solaris syslogd to see what it does?

--
Chris

Martin Paul

Oct 14, 2013, 3:15:47 AM
On 11.10.2013 21:13, Volker Borchert wrote:
> Hm... it should have been obvious even to me that 088 can't be octal...

Same here :) Obviously my brain matched the 8's and "octal" and that
sounded OK.

> It seems to be _decimal_ with leading zero - eight times eleven gives
> eighty-eight. Looking at the sources of my BSD-ish syslogd:
>     if (isdigit(*name))
>         return (atoi(name));
> So, please try 080 - if only to do me a favor ;-)

That's a bingo! Decimal facility codes work, the leading zero is not needed.

So I identified these syslog facilities as missing on Solaris, from
comparing /usr/include/sys/syslog.h on Solaris and RHEL:

#define LOG_CRON (9<<3) /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
#define LOG_FTP (11<<3) /* ftp daemon */

Converted to decimal (like "9<<3" = "9 * 2^3" = "72") and added these
lines to /etc/syslog.conf on Solaris 10:

72.debug /var/log/cron
80.debug /var/log/auth
88.debug /var/log/daemon

A quick "svcadm refresh system-log" and tests with "logger -p cron.info
crontest" etc. showed that it works.

A look at the Illumos source verifies that atoi() is used:

http://src.illumos.org/source/xref/illumos-gate/usr/src/cmd/syslogd/syslogd.c#3568

Thanks a lot for sharing this!

Martin.
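
Added example, not written by any poster in this thread: the header comparison and decimal conversion described above, as a script that prints a numeric selector line for each facility code the receiving host does not name. Both header excerpts are constructed, and the /var/log/<name> targets are assumed file names.

```shell
#!/bin/sh
# Constructed excerpt in the style of the sender's sys/syslog.h (not the real file).
sender_header() {
cat <<'EOF'
#define LOG_KERN     (0<<3)  /* kernel messages */
#define LOG_AUTH     (4<<3)  /* security/authorization messages */
#define LOG_CRON     (9<<3)  /* clock daemon */
#define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
#define LOG_FTP      (11<<3) /* ftp daemon */
#define LOG_LOCAL3   (19<<3) /* reserved for local use */
EOF
}

# Constructed receiver excerpt: codes 9, 10 and 11 are absent, as reported in the thread.
receiver_header() {
cat <<'EOF'
#define LOG_KERN     (0<<3)  /* kernel messages */
#define LOG_AUTH     (4<<3)  /* security/authorization messages */
#define LOG_LOCAL3   (19<<3) /* reserved for local use */
EOF
}

# Read a header on stdin; print "<code> <name>" for every "(N<<3)" facility define.
facility_table() {
  awk '$1 == "#define" && $2 ~ /^LOG_/ && $3 ~ /^\([0-9]+<<3\)$/ {
    code = $3; sub(/^\(/, "", code); sub(/<<3\)$/, "", code)
    print code, tolower(substr($2, 5))
  }'
}

# Print one numeric selector line for each sender facility code the receiver
# does not define. The selector is the shifted value, code * 8.
missing_selectors() {
  known=$(receiver_header | facility_table | awk '{ print $1 }' | tr '\n' ' ')
  sender_header | facility_table | awk -v known="$known" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) have[k[i]] = 1 }
    !($1 in have) { printf "%d.debug\t/var/log/%s\n", $1 * 8, $2 }'
}

# A wire message starts with <PRI>, where PRI = facility code * 8 + severity.
# Return the numeric selector that matches a given PRI, e.g. from a packet capture.
selector_for_pri() {
  echo $(( $1 / 8 * 8 ))
}

missing_selectors
```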