
Thread: How can I find out what facility is number 10 in syslog?

  1. #1
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default How can I find out what facility is number 10 in syslog?


    I want to filter some messages that use facility 10 in rsyslog. I tried
    this in /etc/rsyslog.conf:

    Code:
    if      ((syslogfacility == 10) \
    and ($msg contains 'hat: Operation not permitted' )) \
    then   ~
    
    yields this error:
    
    Telcontar:~ # /usr/sbin/rsyslogd -n
    rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line
    280: syntax error on token '==' [try http://www.rsyslog.com/e/2207

    The documentation does not say how to compare to a numerical facility :-/

    Code:
    file:///usr/share/doc/packages/rsyslog/doc/rsyslog_conf_filter.html
    (install rsyslog-doc to see - I do not have online link)


    What I ended up using is this rule:

    Code:
    if $syslogfacility-text == 'security' and \
            ($msg contains_i 'Unknown error occurred changing to' and $msg contains_i 'hat: Operation not permitted') \
    then ~
    to match this type of message in the warning log:

    Code:
    <10.3> 2013-06-14 00:38:01 Telcontar  21894 - -  pam_apparmor(crond:session): Unknown error occurred changing to news hat: Operation not permitted

    And it is not working (it runs, but it doesn't work as I expected) :-(

    You see, I know that it is facility 10, but not the name... unless I
    change the log format to print it.




    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  2. #2
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: How can I find out what facility is number 10 in syslog?

    On 2013-06-14 00:48, Carlos E. R. wrote:
    > You see, I know that it is facility 10, but not the name... unless I
    > change the log format to print it.


    And I can't, because there is a template for "%syslogfacility%" which
    prints the number, not the name... and no other one I can see to print
    the name.

    Code:
    file:///usr/share/doc/packages/rsyslog/doc/rsyslog_conf_templates.html
    http://www.rsyslog.com/doc/rsyslog_conf_templates.html
    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  3. #3
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,754
    Blog Entries
    3

    Default Re: How can I find out what facility is number 10 in syslog?

    Quote Originally Posted by robin_listas View Post
    And I can't, because there is a template for "%syslogfacility%" which
    prints the number, not the name... and no other one I can see to print
    the name.
    I suppose you can look in "/usr/include/sys/syslog.h".

    It looks to me as if this is the relevant line:
    Code:
    #define LOG_AUTHPRIV    (10<<3) /* security/authorization messages (private) */
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  4. #4
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: How can I find out what facility is number 10 in syslog?

    On 2013-06-14 01:06, nrickert wrote:
    >
    > robin_listas;2564581 Wrote:
    >> And I can't, because there is a template for "%syslogfacility%" which
    >> prints the number, not the name... and no other one I can see to print
    >> the name.

    >
    > I suppose you can look in "/usr/include/sys/syslog.h".
    >
    > It looks to me as if this is the relevant line:
    >
    > Code:
    > --------------------
    >
    > #define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
    >
    > --------------------


    That's the one I thought... but "LOG_AUTHPRIV" is not the token to write
    in the configuration file. Ok, it is:

    Code:
    $syslogfacility-text == 'authpriv'
    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  5. #5
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: How can I find out what facility is number 10 in syslog?

    On 2013-06-14 01:58, Carlos E. R. wrote:
    > On 2013-06-14 01:06, nrickert wrote:



    > That's the one I thought... but "LOG_AUTHPRIV" is not the token to write
    > in the configuration file. Ok, it is:
    >
    >
    Code:
    > $syslogfacility-text == 'authpriv'
    >


    The trick to find out is to write the file entry in steps.

    First only this:

    Code:
    if $syslogfacility-text == 'authpriv' \
    then    -/var/log/Testing
    If that matches, the lines are written to "/var/log/Testing". The next
    step is to add more rules to the entry, one by one:


    Code:
    if $syslogfacility-text == 'authpriv' and \
    ($msg contains_i 'Unknown error occurred changing to') \
    then    -/var/log/Testing
    and finally:

    Code:
    if $syslogfacility-text == 'authpriv' and \
            ($msg contains_i 'Unknown error occurred changing to' and $msg contains 'hat: Operation not permitted' and $msg contains 'changing to')  \
    then    -/var/log/Testing
    &       ~
    That has to be placed after the messages file filter, and before the
    warning filter.


    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)
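
The facility-number question in post #1 and the step-by-step narrowing in post #5, worked through as an added Python example (this is not code from the thread or from rsyslog): it decodes the leading code of a log line into facility and severity names using the numbers from <sys/syslog.h>, then applies the thread's conditions cumulatively to a few sample lines, the way post #5 does by writing to /var/log/Testing. Assumptions: the `<10.3>` prefix in the quoted warning-log line is taken to be the site's own log template printing facility.severity (the standard RFC 3164 `<PRI>` header encodes facility*8 + severity, so the same message would carry `<83>`); facilities 12-15 are not defined in glibc's syslog.h and are reported as reserved; everything after the prefix stands in for rsyslog's `$msg`, which is a simplification; and all sample lines except the one quoted in post #1 are constructed.

```python
"""Decode syslog facility/severity codes and dry-run the rsyslog filter from
the thread against sample log lines.  Added example, not code from the thread."""
import re

# Facility numbers as defined in glibc's <sys/syslog.h> (LOG_xxx >> 3).
# 12-15 are not defined there; RFC 5424 reserves them and names vary by
# implementation, so they are reported as "reserved(n)" below (assumption).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Leading code: either RFC 3164 <PRI> (PRI = facility*8 + severity), or the
# <facility.severity> form seen in the thread's warning log, which is assumed
# here to be what that site's log template prints.
PRI_RE = re.compile(r"^<(?P<a>\d{1,3})(?:\.(?P<b>[0-7]))?>")


def decode_pri(line):
    """Return (facility, severity) numbers for a line, or None if it has no code."""
    m = PRI_RE.match(line)
    if not m:
        return None
    a = int(m.group("a"))
    if m.group("b") is not None:          # dotted form: numbers are already split
        return a, int(m.group("b"))
    return a >> 3, a & 7                  # classic PRI: facility*8 + severity


def facility_name(num):
    return FACILITIES.get(num, f"reserved({num})")


def facility_severity_text(line):
    """'authpriv.err' style label, i.e. the name rsyslog's $syslogfacility-text uses."""
    pri = decode_pri(line)
    if pri is None:
        return None
    fac, sev = pri
    return f"{facility_name(fac)}.{SEVERITIES[sev]}"


def _msg(line):
    # Simplification: rsyslog's $msg is the MSG part after the header; here
    # everything after the leading code stands in for it.
    return line[line.index(">") + 1:]


# The conditions from post #5, in the order they were added one by one.
# contains_i is case-insensitive, contains is case-sensitive, as in rsyslog.
STEPS = [
    ("$syslogfacility-text == 'authpriv'",
     lambda fac, msg: fac == "authpriv"),
    ("$msg contains_i 'Unknown error occurred changing to'",
     lambda fac, msg: "unknown error occurred changing to" in msg.lower()),
    ("$msg contains 'hat: Operation not permitted' and $msg contains 'changing to'",
     lambda fac, msg: "hat: Operation not permitted" in msg and "changing to" in msg),
]


def narrow(lines):
    """Apply the conditions cumulatively and return how many lines survive each
    step; this mirrors the check post #5 does by writing to /var/log/Testing."""
    survivors = [ln for ln in lines if decode_pri(ln) is not None]
    counts = []
    for _label, cond in STEPS:
        survivors = [ln for ln in survivors
                     if cond(facility_name(decode_pri(ln)[0]), _msg(ln))]
        counts.append(len(survivors))
    return counts


def matches_final_rule(line):
    """True if the line would be caught (and then discarded) by the final rule in post #5."""
    pri = decode_pri(line)
    if pri is None:
        return False
    fac, msg = facility_name(pri[0]), _msg(line)
    return all(cond(fac, msg) for _label, cond in STEPS)


# Constructed sample: line 0 is the message quoted in the thread; the rest are
# made up to show a classic-PRI encoding of the same message, an unrelated
# authpriv message, and the same text under facility cron (9), which the rule
# must not match.
SAMPLE = [
    "<10.3> 2013-06-14 00:38:01 Telcontar  21894 - -  pam_apparmor(crond:session): "
    "Unknown error occurred changing to news hat: Operation not permitted",
    "<83>Jun 14 00:38:02 Telcontar pam_apparmor(crond:session): "
    "Unknown error occurred changing to mail hat: Operation not permitted",
    "<10.6> 2013-06-14 00:40:00 Telcontar  21900 - -  sshd[21900]: Accepted publickey for carlos",
    "<9.3> 2013-06-14 00:38:01 Telcontar  21894 - -  crond: "
    "Unknown error occurred changing to news hat: Operation not permitted",
]

if __name__ == "__main__":
    for ln in SAMPLE:
        print(f"{facility_severity_text(ln):14} match={matches_final_rule(ln)!s:5} {ln[:60]}")
    for (label, _c), n in zip(STEPS, narrow(SAMPLE)):
        print(f"{n} line(s) left after adding: {label}")
```

Run it directly and the sample narrows from 3 authpriv lines to 2 after the message text conditions, with the cron line never matching; the same counts are what you would expect to see in /var/log/Testing at each step of post #5. One detail worth checking against the first attempt in post #1: rsyslog's expression filters reference properties with a leading `$`, so `syslogfacility == 10` without the `$` is what produces the "syntax error on token '=='" shown there, independent of whether the comparison is numeric or against `$syslogfacility-text`.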
