From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Can't get syslog built-in plugin to post messages to syslog
Date: Tue, 10 Sep 2013 20:17:24 -0400
Message-ID: <1433920.8hDBHmljMe@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, September 10, 2013 01:42:00 AM Peter Butler wrote:
> I can't get syslog built-in plugin to post messages to syslog.
>
> My syslog.conf plugin file is:
>
> active = yes
> direction = out
> path = builtin_syslog
> type = builtin
> args = LOG_INFO LOG_LOCAL3
> format = string
>
> Presumably the file is indeed being parsed by the user-space audit daemon,
> as after having changed 'active' to 'yes' (and restarted the system), I see
> the audit daemon has started up the child process audispd, as required.
>
> The audit daemon is indeed logging the audit logs to
> /var/log/audit/audit.log, but is not also sending them to syslog as
> configured.

https://fedorahosted.org/audit/browser/trunk/audisp/audispd-builtins.c#L256

Turns out that you can pass the priority, but not the facility. So, your
events are wherever the LOG_USER facility is sending them. This probably
should be documented better.

-Steve
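
As an added example (not part of the original thread and not audispd's code), this C model shows what the reply means for the quoted `args` line: with the facility token ignored, events carry the syslog PRI `LOG_USER|LOG_INFO` instead of `LOG_LOCAL3|LOG_INFO`, so a syslog rule that selects only local3 never sees them. `effective_pri` and the two token tables are hypothetical names; the constants come from `<syslog.h>`.

```c
/* Added example: a model of the behaviour described in the reply above,
 * not code from audispd. Severity is honoured, a facility token is not. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

struct name_val { const char *name; int val; };
#define N(a) (sizeof(a) / sizeof((a)[0]))

static const struct name_val severities[] = {
    {"LOG_EMERG", LOG_EMERG}, {"LOG_ALERT", LOG_ALERT}, {"LOG_CRIT", LOG_CRIT},
    {"LOG_ERR", LOG_ERR}, {"LOG_WARNING", LOG_WARNING}, {"LOG_NOTICE", LOG_NOTICE},
    {"LOG_INFO", LOG_INFO}, {"LOG_DEBUG", LOG_DEBUG},
};
static const struct name_val facilities[] = {
    {"LOG_USER", LOG_USER}, {"LOG_DAEMON", LOG_DAEMON},
    {"LOG_LOCAL0", LOG_LOCAL0}, {"LOG_LOCAL1", LOG_LOCAL1}, {"LOG_LOCAL2", LOG_LOCAL2},
    {"LOG_LOCAL3", LOG_LOCAL3}, {"LOG_LOCAL4", LOG_LOCAL4}, {"LOG_LOCAL5", LOG_LOCAL5},
    {"LOG_LOCAL6", LOG_LOCAL6}, {"LOG_LOCAL7", LOG_LOCAL7},
};

static int lookup(const struct name_val *t, size_t n, const char *tok, size_t len)
{
    for (size_t i = 0; i < n; i++)
        if (strlen(t[i].name) == len && strncmp(t[i].name, tok, len) == 0)
            return t[i].val;
    return -1;
}

/* Returns the PRI actually used (LOG_USER | severity), or -1 if args names
 * no severity. *intended receives the PRI the args line asked for. */
int effective_pri(const char *args, int *intended)
{
    int sev = -1, fac = -1, v;
    for (const char *p = args; *p; ) {
        p += strspn(p, " \t");              /* skip separators */
        size_t len = strcspn(p, " \t");     /* length of next token */
        if ((v = lookup(severities, N(severities), p, len)) >= 0) sev = v;
        else if ((v = lookup(facilities, N(facilities), p, len)) >= 0) fac = v;
        p += len;
    }
    if (sev < 0) return -1;
    *intended = (fac >= 0 ? fac : LOG_USER) | sev;
    return LOG_USER | sev;  /* facility token is read only to report the gap */
}

int main(void)
{
    int want = 0, got = effective_pri("LOG_INFO LOG_LOCAL3", &want); /* args from the post */
    printf("intended PRI <%d>, effective PRI <%d>\n", want, got);
    return 0;
}
```

When the two values differ, the events are filed under the `user` facility, which is where to look for them or where to add the forwarding rule.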