
How to use authpriv on Solaris

Usually you can filter for a facility by its name. For authpriv, which I want to describe here, this is fairly easy:

authpriv.*     /var/log/authprivlog

That will work just fine with rsyslog on any common Linux system.

On Solaris, however, some things work similarly and some work differently. For authpriv, the facility name does not work, so you have to filter in a different way. While the name does not work, the facility number does. A possible filter looks like this:

if $syslogfacility == 10 then /var/log/authprivlog

Valid values for this filter are 4 or 10, the facility numbers described in RFC 5424.
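
To check which of the two facility numbers a host actually sends before you write the filter, you can decode the <PRI> header of the raw messages. The following Python sketch is an added example, not part of the original article or of rsyslog; the function names and the sample frames are constructed for illustration.

```python
import re

# Facility numbers from RFC 5424 (only the two this page uses).
AUTH_FACILITIES = {4: "auth", 10: "authpriv"}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(frame):
    """Return (facility, severity) from the <PRI> header, or None if invalid."""
    m = PRI_RE.match(frame)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23 * 8 + 7 is the largest PRI RFC 5424 allows
        return None
    return divmod(pri, 8)  # PRI = facility * 8 + severity


def matches_filter(frame, facilities=(10,)):
    """Mimic `if $syslogfacility == N then ...` for the given facility numbers."""
    decoded = decode_pri(frame)
    return decoded is not None and decoded[0] in facilities


def summarize(frames):
    """Count frames per auth-related facility number seen in the input."""
    counts = {}
    for frame in frames:
        decoded = decode_pri(frame)
        if decoded and decoded[0] in AUTH_FACILITIES:
            counts[decoded[0]] = counts.get(decoded[0], 0) + 1
    return counts


# Constructed sample frames (not captured from a real host).
SAMPLE = [
    "<86>Oct 11 22:14:15 host1 sshd[411]: Accepted publickey for alice",  # 10*8+6
    "<38>Oct 11 22:14:16 host1 su: 'su root' succeeded for bob",          # 4*8+6
    "<13>Oct 11 22:14:17 host1 cron[99]: job started",                    # 1*8+5
    "<999>Oct 11 22:14:18 host1 bogus: out-of-range PRI",
    "no PRI header at all",
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(decode_pri(f), matches_filter(f, (4, 10)), f[:40])
    print(summarize(SAMPLE))
```

If the summary shows only facility 4, a filter on 10 alone will never match, and the auth messages will not reach /var/log/authprivlog.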