Determine which programs are logging to a specific syslog facility

Is there any way to determine which daemons are logging to a specific syslog facility? (spec. rsyslog)

What I am specifically looking for is who logs to the auth.* severities.

A 2001 audit for NetBSD syslog.

atrun(8)    cron.err pid        fatal errors

chat(8)     local2.err pid ndelay   fatal errors
            local2.info     -v output

comsat(8)   daemon.err pid      fatal errors
            daemon.info     log biffs (-l)
            daemon.debug        debug notices (if debug != 0)
            auth.notice     / in tty name (might be incorrect code)

cron(8)     cron.info pid       commands executed

Solution 1:

There's no way to determine this a priori. That is, you can't usefully inspect a binary and figure out which facility it's going to use.

Your only real option is to analyze the logs and see which processes are logging to which facility. You can make this easier by having rsyslogd either (a) log each facility to a separate file or (b) include the facility name in log messages (I think rsyslog will let you do this).
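
The log analysis described in this answer can be scripted. The following is an added example, not code from the original answers: it decodes the `<PRI>` header of BSD-style syslog frames (PRI = facility * 8 + severity) and tallies which program tags wrote to each facility. The sample frames, host name and function names are constructed for illustration, and it assumes the frames are captured with the PRI header intact.

```python
import re
from collections import Counter, defaultdict

# Facility codes 12-15 are named differently across systems, so they stay numeric.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "12", "13", "14", "15"]
              + [f"local{i}" for i in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message   (BSD-style frame)
FRAME = re.compile(r"^<(\d{1,3})>\w{3} [ \d]\d [\d:]{8} \S+ ([^\s:\[]+)(?:\[\d+\])?:")

def decode_pri(pri):
    """PRI = facility * 8 + severity; the valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]

def programs_by_facility(lines):
    """Return ({facility: Counter(program tag)}, count of unparseable lines)."""
    tally, skipped = defaultdict(Counter), 0
    for line in lines:
        m = FRAME.match(line)
        try:
            facility, _ = decode_pri(int(m.group(1)))
        except (AttributeError, ValueError):  # no frame match, or PRI > 191
            skipped += 1
            continue
        tally[facility][m.group(2)] += 1  # the tag is whatever the sender claims
    return dict(tally), skipped

def writers(tally, *facilities):
    """Sorted program tags seen on any of the given facilities."""
    return sorted({prog for f in facilities for prog in tally.get(f, {})})

# Constructed sample frames (not taken from a real system).
SAMPLE = [
    "<38>Mar  3 10:15:01 host1 sshd[2211]: Accepted publickey for alice",
    "<86>Mar  3 10:15:01 host1 sshd[2211]: pam_unix(sshd:session): session opened",
    "<78>Mar  3 10:17:01 host1 CRON[2302]: (root) CMD (run-parts /etc/cron.hourly)",
    "<37>Mar  3 10:20:44 host1 comsat[911]: '/' in tty name",
    "<35>Mar  3 10:21:00 host1 su: FAILED SU (to root) bob on pts/1",
    "<999>Mar  3 10:22:00 host1 bogus: PRI outside the valid range",
    "line without a PRI header",
]

if __name__ == "__main__":
    tally, skipped = programs_by_facility(SAMPLE)
    print("auth/authpriv writers:", writers(tally, "auth", "authpriv"))
    print("unparseable lines:", skipped)
```

The program tag is supplied by the sender, so the tally shows what each message claims as its origin rather than a verified process identity.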

Solution 2:

"Not Really" -- Any daemon can send messages to any log facility (if syslog is listening on a network socket you can usually add "from any host" to that as well). Config files for various daemons are your best bet.

Most daemons are good about putting their name in their logs -- You may be able to do this by process of elimination if yours is one of the ones that doesn't. auth.* is also usually authentication-related stuff (logins/passwords), so you may be able to narrow the field further...