Determine which programs are logging to a specific syslog facility
Is there any way to determine which daemons are logging to a specific syslog facility? (spec. rsyslog)
What I am specifically looking for is who logs to the auth.* severities.
A 2001 audit for NetBSD syslog.
atrun(8)   cron.err      pid          fatal errors
chat(8)    local2.err    pid ndelay   fatal errors
           local2.info                -v output
comsat(8)  daemon.err    pid          fatal errors
           daemon.info                log biffs (-l)
           daemon.debug               debug notices (if debug != 0)
           auth.notice                / in tty name (might be incorrect code)
cron(8)    cron.info     pid          commands executed
Solution 1:
There's no way to determine this a priori. That is, you can't usefully inspect a binary and figure out which facility it's going to use.
Your only real option is to analyze the logs and see which processes are logging to which facility. You can make this easier by having rsyslogd either (a) log each facility to a separate file or (b) include the facility name in log messages (I think rsyslog will let you do this).
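Option (b) from the answer above, as an added example that is not part of the original answer: assuming an rsyslog template (shown in the comment) that writes facility.severity ahead of the tag, this script tallies which programs log to auth and authpriv. The template name, output path and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed rsyslog configuration (names and path are hypothetical):
#   template(name="WithFacility" type="string"
#     string="%timegenerated:::date-rfc3339% %HOSTNAME% %syslogfacility-text%.%syslogseverity-text% %syslogtag%%msg%\n")
#   *.* action(type="omfile" file="/var/log/by-facility.log" template="WithFacility")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) "
    r"(?P<facility>[a-z0-9]+)\.(?P<severity>[a-z]+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:? ?(?P<msg>.*)$"
)

# Constructed sample lines in the format the template above would produce.
SAMPLE_LOG = [
    "2024-05-01T10:00:01+00:00 host1 authpriv.info sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
    "2024-05-01T10:00:02+00:00 host1 cron.info CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-05-01T10:00:05+00:00 host1 auth.notice sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    "2024-05-01T10:00:09+00:00 host1 authpriv.info sshd[1201]: pam_unix(sshd:session): session opened for user alice",
    "2024-05-01T10:00:12+00:00 host1 daemon.info systemd[1]: Started Session 4 of user alice.",
    "2024-05-01T10:00:15+00:00 host1 auth.info login[1410]: ROOT LOGIN on tty1",
    "this line does not match the template",
]

def programs_by_facility(lines):
    """Return ({facility: Counter({program: count})}, unparsed_line_count)."""
    result = defaultdict(Counter)
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m is None:
            skipped += 1  # keep count so format drift is noticed, not hidden
            continue
        result[m["facility"]][m["tag"]] += 1
    return result, skipped

def who_logs_to(lines, facilities=("auth", "authpriv")):
    """Sorted (facility, program, count) tuples for the chosen facilities."""
    table, _ = programs_by_facility(lines)
    return sorted((fac, prog, n) for fac in facilities
                  for prog, n in table.get(fac, {}).items())

if __name__ == "__main__":
    for fac, prog, n in who_logs_to(SAMPLE_LOG):
        print(f"{fac:<9} {prog:<8} {n}")
```

The program name comes from the syslog tag, which the sender sets itself, so treat the tally as a starting point for checking each daemon's configuration.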
Solution 2:
"Not Really" -- Any daemon can send messages to any log facility (if syslog is listening on a network socket you can usually add "from any host" to that as well). Config files for various daemons are your best bet.
Most daemons are good about putting their name in their logs -- You may be able to do this by process of elimination if yours is one of the ones that doesn't. auth.* is also usually authentication-related stuff (logins/passwords), so you may be able to narrow the field further...