Can't get syslog built-in plugin to post messages to syslog

Steve Grubb sgrubb at redhat.com
Wed Sep 11 00:17:24 UTC 2013


On Tuesday, September 10, 2013 01:42:00 AM Peter Butler wrote:
> I can't get syslog built-in plugin to post messages to syslog.
> 
> My syslog.conf plugin file is:
> 
> active = yes
> direction = out
> path = builtin_syslog
> type = builtin
> args = LOG_INFO LOG_LOCAL3
> format = string
> 
> Presumably the file is indeed being parsed by the user-space audit daemon,
> as after having changed 'active' to 'yes' (and restarted the system), I see
> the audit daemon has started up the child process audispd, as required.
> 
> The audit daemon is indeed logging the audit logs to
> /var/log/audit/audit.log, but is not also sending them to syslog as
> configured.

https://fedorahosted.org/audit/browser/trunk/audisp/audispd-builtins.c#L256

Turns out that you can pass the priority, but not the facility. So, your 
events are wherever the LOG_USER facility is sending them. This probably 
should be documented better.
 
-Steve
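To see which facility the audit events actually arrive with, the following added example (not part of the original message and not the audit project's code) decodes the `<PRI>` prefix of raw RFC 3164 syslog lines and lists those whose facility differs from the expected one. The sample lines are constructed, and the `audispd` program tag is an assumption about how the plugin labels its messages.

```python
import re

# Facility and severity codes as defined in RFC 3164 / <syslog.h>.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp",
              **{16 + n: f"local{n}" for n in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
LINE = re.compile(r"^<(\d{1,3})>\w{3}\s+\d{1,2}\s[\d:]{8}\s\S+\s"
                  r"([^:\[\s]+)(?:\[\d+\])?:\s?(.*)$")


def decode_pri(pri):
    """Split a PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def misrouted(lines, tag, expected_facility):
    """Return (facility, severity, message) for each line from `tag`
    whose facility is not the one the configuration asked for."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(2) != tag:
            continue
        facility, severity = decode_pri(int(m.group(1)))
        if facility != expected_facility:
            hits.append((facility, severity, m.group(3)))
    return hits


# Constructed sample input; "audispd" as the tag is an assumption.
SAMPLE = [
    "<14>Sep 10 01:42:00 host1 audispd: type=SYSCALL msg=audit(1378777320.123:42): syscall=2 success=yes",
    "<158>Sep 10 01:42:01 host1 myapp[211]: started",
    "<14>Sep 10 01:42:02 host1 audispd: type=USER_LOGIN msg=audit(1378777322.456:43): res=success",
    "<86>Sep 10 01:42:03 host1 sshd[900]: Accepted publickey for root",
]

if __name__ == "__main__":
    for facility, severity, msg in misrouted(SAMPLE, "audispd", "local3"):
        print(f"{facility}.{severity}: {msg}")
```
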



