How can I find out what facility is number 10 in syslog?

I want to filter some messages that use facility 10 in rsyslog. I try
this in /etc/rsyslog.conf


if      ((syslogfacility == 10) \
and ($msg contains 'hat: Operation not permitted' )) \
then   ~

yields this error:

Telcontar:~ # /usr/sbin/rsyslogd -n
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line
280: syntax error on token '==' try http://www.rsyslog.com/e/2207

The documentation does not say how to compare to a numerical facility :-/


file:///usr/share/doc/packages/rsyslog/doc/rsyslog_conf_filter.html
(install rsyslog-doc to see - I do not have online link)

What I end up using is this rule:



> if $syslogfacility-text == 'security' and \
>         ($msg contains_i 'Unknown error occurred changing to' and $msg contains_i 'hat: Operation not permitted') \
> then ~


to match this type of message in the warning log:


> <10.3> 2013-06-14 00:38:01 Telcontar  21894 - -  pam_apparmor(crond:session): Unknown error occurred changing to news hat: Operation not permitted

And it is not working (it runs, it doesn’t work as I expected) :-(

You see, I know that it is facility 10, but not the name… unless I
change the log format to print it.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On 2013-06-14 00:48, Carlos E. R. wrote:
> You see, I know that it is facility 10, but not the name… unless I
> change the log format to print it.

And I can’t, because there is a template for “%syslogfacility%” which
prints the number, not the name… and no other one I can see to print
the name.


file:///usr/share/doc/packages/rsyslog/doc/rsyslog_conf_templates.html
http://www.rsyslog.com/doc/rsyslog_conf_templates.html


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

I suppose you can look in “/usr/include/sys/syslog.h”.

It looks to me as if this is the relevant line:


#define LOG_AUTHPRIV    (10<<3) /* security/authorization messages (private) */

On 2013-06-14 01:06, nrickert wrote:
>
> robin_listas;2564581 Wrote:
>> And I can’t, because there is a template for “%syslogfacility%” which
>> prints the number, not the name… and no other one I can see to print
>> the name.
>
> I suppose you can look in “/usr/include/sys/syslog.h”.
>
> It looks to me as if this is the relevant line:
>
> Code:
> --------------------
>
> #define LOG_AUTHPRIV (10<<3) /* security/authorization messages (private) */
>
> --------------------

That’s the one I thought… but “LOG_AUTHPRIV” is not the token to write
in the configuration file. Ok, it is:


$syslogfacility-text == 'authpriv'


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)

On 2013-06-14 01:58, Carlos E. R. wrote:
> On 2013-06-14 01:06, nrickert wrote:
>
> That’s the one I thought… but “LOG_AUTHPRIV” is not the token to write
> in the configuration file. Ok, it is:
>
> $syslogfacility-text == 'authpriv'

The trick to find out is to write the file entry in steps.

First only this:


if $syslogfacility-text == 'authpriv' \
then    -/var/log/Testing

If that matches, the lines are written to “/var/log/Testing”. The next
step is to add more rules to the entry, one by one:


if $syslogfacility-text == 'authpriv' and \
($msg contains_i 'Unknown error occurred changing to') \
then    -/var/log/Testing

and finally:


> if $syslogfacility-text == 'authpriv' and \
>         ($msg contains_i 'Unknown error occurred changing to' and $msg contains 'hat: Operation not permitted' and $msg contains 'changing to')  \
> then    -/var/log/Testing
> &       ~

That has to be placed after the messages file filter, and before the
warning filter.


Cheers / Saludos,

Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
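As an added example (not code from the thread or from rsyslog): a small Python dry run that turns a facility number into the name rsyslog expects (the same table nrickert's syslog.h line comes from, where LOG_AUTHPRIV is 10<<3) and applies the final rule from the last post to a few constructed log lines. The line layout it parses and the case-sensitivity of contains vs. contains_i are assumptions stated in the comments.

```python
# Added example, not from the thread: decode syslog facility/severity numbers
# and dry-run the thread's final rsyslog rule against constructed log lines.
import re
# Facility numbers as defined in <sys/syslog.h> (LOG_AUTHPRIV is 10<<3, so 10).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(pri):
    """Split a wire PRI (facility << 3 | severity) into the names rsyslog
    exposes as $syslogfacility-text and $syslogseverity-text."""
    return FACILITIES.get(pri >> 3, str(pri >> 3)), SEVERITIES[pri & 7]

# Layout of the warning-log line quoted in the thread (assumed):
# "<facility.severity> date time host pid - - tag: message"
LINE_RE = re.compile(r"^<(\d+)\.(\d+)>\s+(\S+ \S+)\s+(\S+)\s+\S+\s+-\s+-\s+(.*)$")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    fac, sev = int(m.group(1)), int(m.group(2))
    return {"facility": FACILITIES.get(fac, str(fac)), "severity": SEVERITIES[sev & 7],
            "host": m.group(4), "msg": m.group(5)}

def rule_matches(rec):
    """The thread's final filter: contains_i is case-insensitive, contains is not."""
    msg = rec["msg"]
    return (rec["facility"] == "authpriv"
            and "unknown error occurred changing to" in msg.lower()
            and "hat: Operation not permitted" in msg and "changing to" in msg)

def run_filter(log_text):
    """Return (discarded, kept): lines matching the rule go to the '~' action."""
    discarded, kept = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        (discarded if rec and rule_matches(rec) else kept).append(line)
    return discarded, kept

# Constructed sample input: the thread's line plus two that must pass through.
SAMPLE_LOG = """\
<10.3> 2013-06-14 00:38:01 Telcontar  21894 - -  pam_apparmor(crond:session): Unknown error occurred changing to news hat: Operation not permitted
<9.6> 2013-06-14 00:38:01 Telcontar  21894 - -  /usr/sbin/cron[21894]: (news) CMD (/usr/lib/news/bin/nnrpd -c)
<10.6> 2013-06-14 00:39:12 Telcontar  21901 - -  su: (to root) carlos on /dev/pts/1
"""
```

Running `run_filter(SAMPLE_LOG)` discards only the pam_apparmor line and keeps the cron and su lines, which is the behaviour the stepwise rule in the last post is meant to have.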