undocumented logaudit facility, how to log unknown facilities
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
sysklogd (Ubuntu) | New | Undecided | Unassigned | | |
Bug Description
Binary package hint: sysklogd
Ubuntu 8.10 sysklogd 1.5-2ubuntu6
From syslog.conf MAN page
---- Quote ----
The facility is one of the following keywords: auth, authpriv, cron,
daemon, ftp, kern, lpr, mail, mark, news, security (same as auth), syslog,
user, uucp and local0 through local7.
---- endQuote ----
My silly D-Link DIR-655 router puts its syslog on the Log Audit facility 13 (which is 104 in the 32-bit PRI). It took me quite a bit of reverse engineering to figure that out. I'll make the following proposal based on that finding, but it would be even better if someone could find a copy of syslog.h (mentioned in the MAN page) and extract all of the supported facility names. (I did review the source and couldn't find it myself; it's probably in some global header or config file for making inet-tools.)
---- Proposed Change ----
The facility is one of the following keywords: auth, authpriv, cron,
daemon, ftp, kern, logaudit, lpr, mail, mark, news, security (same as auth), syslog,
user, uucp and local0 through local7.
---- end ----
I also found something else in the meantime, close and related and easy to fix...
---- Quote ----
... Both parts are case insensitive and can
also be specified as decimal numbers corresponding to the definitions
in <syslog.h>.
---- endQuote ----
This is probably incorrect, as I was able to find an old Berkeley syslog.h and it turns
out that you have to multiply the decimal number by 8. So logaudit (13) becomes 104 and
both logaudit.info and 104.info work correctly in syslog.conf while 13.info does not.
Here is my suggestion:
---- Quote ----
... Both parts are case insensitive and can
also be specified as decimal numbers corresponding to the numerical code being
used in the PRI part of the RFC 3164 message from the logging device. (Note:
the facility's numerical code is multiplied by 8 before being used in the PRI part,
and syslog.conf requires this too. For example, network news facilities have a facility
identifier of 7, therefore news.local and 56.local are equivalent in syslog.conf.)
---- endQuote ----
Thanks
Robb Topolski
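
The arithmetic described in the report above, as an added example that is not part of the original report or of sysklogd's code: it splits the PRI of an RFC 3164 message into facility code and severity, then shifts the facility code left by 3 (multiplies by 8) to get the number the report found syslog.conf to accept. The helper names `parse_pri` and `conf_facility_number` are hypothetical and the sample message is constructed.

```c
#include <stdio.h>
#include <ctype.h>
#include <syslog.h>   /* LOG_NEWS: facility values here are already shifted left by 3 */

/* Hypothetical helper: parse the "<PRI>" prefix of an RFC 3164 message.
 * Returns the PRI value (0..191) and fills in facility code and severity,
 * or returns -1 if the prefix is missing or malformed. */
int parse_pri(const char *msg, int *facility, int *severity)
{
    int pri = 0, digits = 0;

    if (msg == NULL || *msg++ != '<')
        return -1;
    while (isdigit((unsigned char)*msg) && digits < 3) {
        pri = pri * 10 + (*msg++ - '0');
        digits++;
    }
    if (digits == 0 || *msg != '>' || pri > 191)
        return -1;
    *facility = pri >> 3;   /* facility code, e.g. 13 */
    *severity = pri & 7;    /* severity, e.g. 6 = info */
    return pri;
}

/* Hypothetical helper: the shifted value <syslog.h> uses for a facility
 * code, which is the number the report found syslog.conf to accept. */
int conf_facility_number(int facility_code)
{
    return facility_code << 3;
}

int main(void)
{
    /* Constructed sample line, not captured from a real device. */
    const char *sample = "<110>Jan  1 00:00:00 router example: constructed message";
    int fac, sev;

    if (parse_pri(sample, &fac, &sev) < 0) {
        fprintf(stderr, "malformed PRI\n");
        return 1;
    }
    printf("facility code %d, severity %d -> selector %d.info\n",
           fac, sev, conf_facility_number(fac));
    printf("LOG_NEWS in <syslog.h> = %d (facility code %d)\n",
           LOG_NEWS, LOG_NEWS >> 3);
    return 0;
}
```

Running this against a line from a device whose messages are not showing up in any log file gives the numeric selector to try in syslog.conf when the facility has no keyword.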