Determine which programs are logging to a specific syslog facility

syslog

Is there any way to determine which daemons are logging to a specific syslog facility? (spec. rsyslog)

What I am specifically looking for is who logs to the auth.* severities.

A 2001 audit for netbsd syslog.

atrun(8)    cron.err pid        fatal errors

chat(8)     local2.err pid ndelay   fatal errors
            local2.info     -v output

comsat(8)   daemon.err pid      fatal errors
            daemon.info     log biffs (-l)
            daemon.debug        debug notices (if debug != 0)
            auth.notice     / in tty name (might be incorrect code)

cron(8)     cron.info pid       commands executed

Best Answer

There's no way to determine this a priori. That is, you can't usefully inspect a binary and figure out which facility it's going to use.

You only real option is to analyze the logs and see which processes are logging to which facility. You can make this easier by having rsyslogd either (a) log each facility to a separate file or (b) include the facility name in log messages (I think rsyslog will let you do this).

Related Solutions

Logging atd messages via syslog

From looking at the source of the 'at' program (from the CentOS 5.3 source repository) , it looks like it is indeed logging to syslog, but only fatal errors regarding the at daemon itself are logged (for example, if you try to run 2 at daemons at the same time).

However, process executions, resulting return code and standard error/output are not logged to syslog at all. Even when turning on debug (which requires recompilation) the log messages are not very informative (for end users) and write something like :

atd[24116]: pid 24121 exited with status 0.

Which will not help you a lot in identifying which command was ran, by which user or what was its standard output/error.

atd does send an email notification to the user who requested the command, in case the command had failed, or produced anything in it's standard output/error. But for commands that succeed without any output , no mail is sent. You can change that using the -m flag.

From at(1):

-m Send mail to the user when the job has completed even if there was no output.

Exclude syslog facility from all others

In syslog I'm afraid your assumption is right, you have to do it by adding local0.none to each syslog line you don't want local0 in.

If you're looking for other options rsyslog is all in nowadays (all the cool kids love it), and will actually let you do what you're asking for (check here).

Also syslog-ng allows you to do what you're asking for, and have some pretty cool filtering by strings even (check here), I use it for advanced syslogging on my log collector server.

Best Answer

Related Solutions

Logging atd messages via syslog

Exclude syslog facility from all others

Related Topic