undocumented logaudit facility, how to log unknown facilities

Bug #302237 reported by Robb Topolski
Affects: sysklogd (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: sysklogd

Ubuntu 8.10 sysklogd 1.5-2ubuntu6

From syslog.conf MAN page
---- Quote ----
       The facility is one of the following keywords: auth, authpriv, cron,
       daemon, ftp, kern, lpr, mail, mark, news, security (same as auth),
       syslog, user, uucp and local0 through local7.
---- endQuote ----

My silly D-Link DIR-655 router puts its syslog on the Log Audit facility 13 (which is 104 in the 32-bit PRI). It took me quite a bit of reverse engineering to figure that out. I'll make the following proposal based on that finding, but it would be even better if someone could find a copy of syslog.h (mentioned in the MAN page) and extract all of the supported facility names. (I did review the source and couldn't find it myself; it's probably in some global header or config file for making inet-tools.)

---- Proposed Change ----
       The facility is one of the following keywords: auth, authpriv, cron,
       daemon, ftp, kern, logaudit, lpr, mail, mark, news, security (same as auth),
       syslog, user, uucp and local0 through local7.
---- end ----

I also found something else in the meantime, close and related and easy to fix...

---- Quote ----
       ... Both parts are case insensitive and can
       also be specified as decimal numbers corresponding to the definitions
       in <syslog.h>.
---- endQuote ----

This is probably incorrect, as I was able to find an old Berkeley syslog.h and it turns
out that you have to multiply the decimal number by 8. So logaudit (13) becomes 104 and
both logaudit.info and 104.info work correctly in syslog.conf while 13.info does not.

Here is my suggestion:

---- Quote ----
       ... Both parts are case insensitive and can
       also be specified as decimal numbers corresponding to the numerical code being
       used in the PRI part of the RFC 3164 message from the logging device. (Note:
       the facility's numerical code is multiplied by 8 before being used in the PRI part,
       and syslog.conf requires this too. For example, network news facilities have a facility
       identifier of 7, therefore news.local and 56.local are equivalent in syslog.conf.)
---- endQuote ----

Thanks

Robb Topolski
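
The PRI arithmetic discussed in the report above, as an added example that is not part of the original bug report or of sysklogd's code: it decodes the `<PRI>` prefix of an RFC 3164 message into facility and severity and shows the facility code multiplied by 8. The names `parse_pri` and `facility_field` are hypothetical, the labels are short forms of the RFC 3164 facility descriptions, and the sample lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>

/* Short labels for facility codes 0..23 as listed in RFC 3164; these are
 * descriptions, not necessarily keywords that syslog.conf accepts. */
static const char *const FACILITY[24] = {
    "kernel", "user", "mail", "daemon", "security/auth", "syslogd", "lpr",
    "network news", "uucp", "clock", "security/auth", "ftp", "ntp",
    "log audit", "log alert", "clock", "local0", "local1", "local2",
    "local3", "local4", "local5", "local6", "local7"
};

/* Parse the leading "<PRI>" of an RFC 3164 message.
 * Returns 0 and fills *facility / *severity, or -1 if PRI is malformed. */
int parse_pri(const char *msg, int *facility, int *severity)
{
    int pri = 0, digits = 0;
    if (msg == NULL || *msg++ != '<')
        return -1;
    while (digits < 3 && isdigit((unsigned char)*msg)) {
        pri = pri * 10 + (*msg++ - '0');
        digits++;
    }
    if (digits == 0 || *msg != '>' || pri > 191)   /* 191 = 23*8 + 7 */
        return -1;
    *facility = pri >> 3;      /* PRI = facility * 8 + severity */
    *severity = pri & 7;
    return 0;
}

/* Facility code shifted into PRI position (code * 8): the number the
 * report found syslog.conf to accept, e.g. 13 -> 104. */
int facility_field(int facility) { return facility << 3; }

int main(void)
{
    /* Constructed sample lines, not captured from a real device. */
    const char *samples[] = { "<110>Nov 25 10:00:00 router test message",
                              "<62>Nov 25 10:00:01 host test message",
                              "<999>out of range", "no PRI at all" };
    for (int i = 0; i < 4; i++) {
        int fac, sev;
        if (parse_pri(samples[i], &fac, &sev) != 0) {
            printf("malformed PRI: %s\n", samples[i]);
            continue;
        }
        printf("facility %d (%s) severity %d -> facility field %d\n",
               fac, FACILITY[fac], sev, facility_field(fac));
    }
    return 0;
}
```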
