Is there any way to determine which daemons are logging to a specific syslog facility? (spec. rsyslog)
What I am specifically looking for is who logs to the auth.* severities.
A 2001 audit for NetBSD syslog.
atrun(8)   cron.err      pid         fatal errors
chat(8)    local2.err    pid ndelay  fatal errors
           local2.info               -v output
comsat(8)  daemon.err    pid         fatal errors
           daemon.info               log biffs (-l)
           daemon.debug              debug notices (if debug != 0)
           auth.notice               / in tty name (might be incorrect code)
cron(8)    cron.info     pid         commands executed
Best Answer
There's no way to determine this a priori. That is, you can't usefully inspect a binary and figure out which facility it's going to use.
Your only real option is to analyze the logs and see which processes are logging to which facility. You can make this easier by having rsyslogd either (a) log each facility to a separate file or (b) include the facility name in log messages (I think rsyslog will let you do this).
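The log analysis suggested in the answer above can be scripted. This is an added example, not part of the original answer: it assumes rsyslog writes each line with the numeric PRI kept at the front (for example through a template that emits the pri property) in the traditional `<PRI>Mmm dd hh:mm:ss host program[pid]: message` layout. The sample lines and host name are constructed.

```python
import re
from collections import Counter, defaultdict

# PRI = facility * 8 + severity (RFC 3164 / RFC 5424 numbering).
# Note that authpriv (10) is a separate facility from auth (4).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Assumed line layout: <PRI>Mmm dd hh:mm:ss host program[pid]: message
LINE_RE = re.compile(
    r"^<(\d{1,3})>\w{3}\s+\d{1,2}\s+[\d:]{8}\s+\S+\s+([^\s:\[]+)(?:\[\d+\])?:")

def decode_pri(pri):
    """Split a numeric PRI into (facility, severity) names; None if out of range."""
    if not 0 <= pri <= 191:
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def programs_by_facility(lines):
    """Return ({facility: Counter(program)}, number_of_unparsed_lines)."""
    seen, skipped = defaultdict(Counter), 0
    for line in lines:
        m = LINE_RE.match(line)
        decoded = decode_pri(int(m.group(1))) if m else None
        if decoded is None:          # malformed line or impossible PRI value
            skipped += 1
            continue
        seen[decoded[0]][m.group(2)] += 1
    return seen, skipped

# Constructed sample lines, not taken from a real system.
SAMPLE = [
    "<38>Oct 11 22:14:15 host1 sshd[1234]: Failed password for invalid user test",
    "<86>Oct 11 22:14:16 host1 sudo: pam_unix(sudo:session): session opened",
    "<78>Oct 11 22:15:01 host1 CRON[2201]: (root) CMD (run-parts /etc/cron.hourly)",
    "<37>Oct 11 22:16:40 host1 comsat[311]: '/' in tty name",
    "<27>Oct 11 22:17:02 host1 comsat[311]: fatal error",
    "<999>Oct 11 22:18:00 host1 x: impossible PRI",
    "not a syslog line",
]

if __name__ == "__main__":
    seen, skipped = programs_by_facility(SAMPLE)
    for fac in ("auth", "authpriv"):
        print(fac, dict(seen[fac]))
    print("unparsed:", skipped)
```
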