Date: Tue, 10 Jul 2001 13:17:18 -0700
From: Drew Tomlinson <drewt@writeme.com>
To: cjclark@alum.mit.edu, Mike Meyer <mwm@mired.org>
Cc: questions@FreeBSD.ORG
Subject: RE: How To Receive Syslog Messages From Another Device?
Message-ID: <5CD46247635BD511B6B100A0CC3F0239259FE8@ldcmsx01.lc.ca.gov>
In-Reply-To: <20010629011526.A375@blossom.cjclark.org>
> -----Original Message-----
> From: Crist J. Clark [mailto:cristjc@earthlink.net]
> Sent: Friday, June 29, 2001 1:15 AM
> To: Mike Meyer
> Cc: Drew Tomlinson; questions@FreeBSD.ORG
> Subject: Re: How To Receive Syslog Messages From Another Device?
>
> On Thu, Jun 28, 2001 at 11:24:32PM -0500, Mike Meyer wrote:
> > Drew Tomlinson <drewt@writeme.com> types:
> > > > From: Mike Meyer [mailto:mwm@mired.org]
> > > > Drew Tomlinson <drewt@writeme.com> types:
> > > > > I have a 3Com ADSL router for my home network. I have found that it
> > > > > (according to the docs) has the capability to send log messages to syslogd
> > > > Hmm - it works fine for me, without the ":*" as I'm going from FBSD to
> > > > FBSD. You do need to make sure that syslogd is started without "-s",
> > > > as that causes it to ignore the -a. If syslog is sending packets
> > > > from the syslog udp port, you might try dropping the ":*".
> > > Thanks for your response. I'm still a newbie but learning. :) I recall
> > > when I setup ntpd that to get log messages, I had to put an entry in
> > > syslog.conf that was something along the lines of:
> > > ntp.info /var/log/ntp.log
> > > Where ntp is the "name" (for lack of a better word) of the program sending
> > > the message and info is the level at which to log. The file spec is the
> > > file to log to.
> >
> > According to the documentation, that's "the selector field which
> > specifies the types of messages and priorities".
>
> In the example above, "ntp" is the FACILITY, "info" is the LEVEL, the
> combination of "ntp.info" is the SELECTOR, and "/var/log/ntp.log" is
> the ACTION.
>
> > The program name can
> > be selected for with the "!progname" construct.
>
> Correct. This is not used in the example.
>
> > As far as I can tell,
> > there isn't any way to select on hostname.
>
> Uh, read syslog.conf(5) again,
>
>      A hostname specification of the form `#+hostname' or `+hostname' and
>      the following blocks will be applied to messages received from the
>      specified hostname. Alternatively, a hostname specification
>      `#-hostname' or `-hostname' causes the following blocks to be applied
>      to messages from any host but the one specified. If the hostname is
>      given as `@', the local hostname will be used. A program or hostname
>      specification may be reset by giving the program or hostname as `*'.
>
> > > So I assume I need the "name" of the messages coming from my router and add
> > > a similar line to syslog.conf. Would this be correct? I've called 3Com to
> > > get this "name" and all they could do was point me to some freeware syslog
> > > daemons for Windows.
>
> Put an entry like,
>
> +router.hostname
> *.* /var/log/router.log

I'm still working on this but have not had much luck. I've tried your
suggestions in both the following ways:

+router
*.* /var/log/router.log

+192.168.0.1
*.* /var/log/router.log

In the first example, "router" is the hostname of the router and I have a
static entry in dns and it is resolved correctly by the FBSD machine to
which I am trying to log. In the second example, I used the explicit IP
address of the router.

> In your syslog.conf. Run syslogd like,
>
> # syslogd -vv -a router.hostname
>
> To see what facility it is using (probably one of the local[0-7]
> ones). After you see what it is up to, do some fine tuning.
>
> > > > If nothing else works, enable a firewall on the destination box set to
> > > > log everything, and see what's getting sent to it.
> > > So if I do this, will I see the "name" I need above? What is some good "how
> > > to's" for doing this? I assume there's something in the handbook. Anywhere
> > > else you'd recommend I look?
>
> A better idea is to turn on tcpdump(8) to catch the packets,
>
> # tcpdump -s1500 -nvv 'udp && port 514'
>
> I forget at what level of detail tcpdump(8) prints them. If you don't
> see the facility, level, and message, do,
>
> # tcpdump -s1500 -nvvX 'udp && port 514'

I've tried this as well but don't understand how to apply the information
I am receiving. I'm getting various output like the following:

13:10:38.578336 192.168.0.1.2049 > 192.168.0.4.514: udp 74 (ttl 255, id 15775)
0x0000 4500 0066 3d9f 0000 ff11 fc91 c0a8 0001 E..f=...........
0x0010 c0a8 0004 0801 0202 0052 38d8 3c33 3e41 .........R8.<3>A
0x0020 7420 3133 3a30 393a 3534 2c20 4661 6369 t.13:09:54,.Faci
0x0030 6c69 7479 2022 444e 5322 2c20 4c65 7665 lity."DNS",.Leve
0x0040 6c20 2255 4e55 5355 414c 223a 3a20 444e l."UNUSUAL"::.DN
0x0050 5320 4572 726f 7220 2d20 556e 7265 6163 S.Error.-.Unreac
0x0060 6861 626c 650a hable.

13:12:02.230436 192.168.0.1.2049 > 192.168.0.4.514: udp 119 (ttl 255, id 15863)
0x0000 4500 0093 3df7 0000 ff11 fc0c c0a8 0001 E...=...........
0x0010 c0a8 0004 0801 0202 007f 843f 3c35 3e41 ...........?<5>A
0x0020 7420 3133 3a31 313a 3138 2c20 4661 6369 t.13:11:18,.Faci
0x0030 6c69 7479 2022 5573 6572 204d 616e 6167 lity."User.Manag
0x0040 6572 222c 204c 6576 656c 2022 434f 4d4d er",.Level."COMM
0x0050 4f4e 223a 3a20 4143 4354 3a20 556e 6162 ON"::.ACCT:.Unab
0x0060 6c65 2074 6f20 6163 636f 756e 7420 6966 le.to.account.if
0x0070 2062 6f74 6820 6163 636f 756e 7469 6e67 .both.accounting
0x0080 2069 7027 7320 6172 6520 7365 7420 746f .ip's.are.set.to
0x0090 2030 0a .0.

13:12:02.226787 192.168.0.1.2049 > 192.168.0.4.514: udp 120 (ttl 255, id 15861)
0x0000 4500 0094 3df5 0000 ff11 fc0d c0a8 0001 E...=...........
0x0010 c0a8 0004 0801 0202 0080 a6ad 3c35 3e41 ............<5>A
0x0020 7420 3133 3a31 313a 3138 2c20 4661 6369 t.13:11:18,.Faci
0x0030 6c69 7479 2022 5573 6572 204d 616e 6167 lity."User.Manag
0x0040 6572 222c 204c 6576 656c 2022 434f 4d4d er",.Level."COMM
0x0050 4f4e 223a 3a20 4155 5448 3a20 5375 6363 ON"::.AUTH:.Succ
0x0060 6573 7366 756c 206c 6f63 616c 2061 7574 essful.local.aut
0x0070 6865 6e74 6963 6174 696f 6e20 666f 7220 hentication.for.
0x0080 7573 6572 3a20 6164 6d69 6e69 7374 7261 user:.administra
0x0090 746f 720a tor.

So what do I need to do to get the messages logged to my FBSD box?

Thanks for your help. I really appreciate it.

Drew
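Added example (editor's code, not from the thread and not FreeBSD's own tooling): a Python decoder for the `tcpdump -X` output pasted above. It strips the IPv4 and UDP headers out of the hex dump, pulls the BSD syslog `<PRI>` prefix off the payload, and splits it into the facility and level that syslogd's selector field actually matches on (PRI = facility * 8 + severity). The sample input is two of the three packets quoted in the message, copied verbatim; the facility names are FreeBSD's, and `/var/log/router.log` is the log path from the thread, used here as a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed input: two of the tcpdump -X packets quoted in the message above, copied verbatim.
SAMPLE_DUMP = """\
13:10:38.578336 192.168.0.1.2049 > 192.168.0.4.514: udp 74 (ttl 255, id 15775)
0x0000 4500 0066 3d9f 0000 ff11 fc91 c0a8 0001 E..f=...........
0x0010 c0a8 0004 0801 0202 0052 38d8 3c33 3e41 .........R8.<3>A
0x0020 7420 3133 3a30 393a 3534 2c20 4661 6369 t.13:09:54,.Faci
0x0030 6c69 7479 2022 444e 5322 2c20 4c65 7665 lity."DNS",.Leve
0x0040 6c20 2255 4e55 5355 414c 223a 3a20 444e l."UNUSUAL"::.DN
0x0050 5320 4572 726f 7220 2d20 556e 7265 6163 S.Error.-.Unreac
0x0060 6861 626c 650a hable.
13:12:02.226787 192.168.0.1.2049 > 192.168.0.4.514: udp 120 (ttl 255, id 15861)
0x0000 4500 0094 3df5 0000 ff11 fc0d c0a8 0001 E...=...........
0x0010 c0a8 0004 0801 0202 0080 a6ad 3c35 3e41 ............<5>A
0x0020 7420 3133 3a31 313a 3138 2c20 4661 6369 t.13:11:18,.Faci
0x0030 6c69 7479 2022 5573 6572 204d 616e 6167 lity."User.Manag
0x0040 6572 222c 204c 6576 656c 2022 434f 4d4d er",.Level."COMM
0x0050 4f4e 223a 3a20 4155 5448 3a20 5375 6363 ON"::.AUTH:.Succ
0x0060 6573 7366 756c 206c 6f63 616c 2061 7574 essful.local.aut
0x0070 6865 6e74 6963 6174 696f 6e20 666f 7220 hentication.for.
0x0080 7573 6572 3a20 6164 6d69 6e69 7374 7261 user:.administra
0x0090 746f 720a tor.
"""

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility codes as numbered in FreeBSD's <sys/syslog.h> (15 is unassigned there).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              12: "ntp", 13: "security", 14: "console", **{16 + i: f"local{i}" for i in range(8)}}
SUMMARY = re.compile(r"^\S+\s+(\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)")


@dataclass
class SyslogDatagram:
    src: str
    dst_port: int
    pri: int          # the <PRI> value: facility * 8 + severity
    message: str

    @property
    def facility(self):
        return FACILITIES.get(self.pri >> 3, f"facility{self.pri >> 3}")

    @property
    def severity(self):
        return SEVERITIES[self.pri & 7]


def hex_line_bytes(line):
    """Bytes from one dump line: up to 8 hex words after the offset, stopping at the ASCII column."""
    out = bytearray()
    for tok in line.split()[1:9]:
        if not re.fullmatch(r"(?:[0-9a-f]{2}){1,2}", tok):
            break
        out += bytes.fromhex(tok)
    return bytes(out)


def parse_tcpdump_x(text):
    """Group a capture into (summary-line match, raw IP packet bytes) pairs."""
    packets = []
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:
            packets.append([m, bytearray()])
        elif packets and line.lstrip().startswith("0x"):
            packets[-1][1] += hex_line_bytes(line)
    return [(m, bytes(raw)) for m, raw in packets]


def decode_syslog(summary, raw):
    """Strip the IPv4 and UDP headers, then split the BSD syslog payload into <PRI> and text."""
    ihl = (raw[0] & 0x0F) * 4                       # IPv4 header length in bytes
    if raw[9] != 17:
        raise ValueError("IP protocol is not UDP")
    udp_len = int.from_bytes(raw[ihl + 4:ihl + 6], "big")
    payload = raw[ihl + 8:ihl + udp_len]
    m = re.match(rb"<(\d{1,3})>(.*)", payload, re.DOTALL)
    if not m or int(m.group(1)) > 191:
        raise ValueError("payload lacks a valid <PRI> prefix")
    return SyslogDatagram(src=summary.group(1), dst_port=int(summary.group(4)),
                          pri=int(m.group(1)),
                          message=m.group(2).decode("ascii", "replace").rstrip("\n"))


def decode_capture(text):
    return [decode_syslog(s, r) for s, r in parse_tcpdump_x(text)]


def syslog_conf_block(datagrams, logfile="/var/log/router.log"):
    """Host block for syslog.conf using the +hostname syntax quoted above. A selector level
    matches that level and everything more severe, so use the least severe level seen."""
    (src,) = {d.src for d in datagrams}
    worst = {}
    for d in datagrams:
        worst[d.facility] = max(worst.get(d.facility, 0), d.pri & 7)
    lines = [f"+{src}"] + [f"{fac}.{SEVERITIES[lvl]}\t{logfile}" for fac, lvl in sorted(worst.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    for d in decode_capture(SAMPLE_DUMP):
        print(f"{d.src} -> port {d.dst_port}: <{d.pri}> = {d.facility}.{d.severity}: {d.message}")
    print(syslog_conf_block(decode_capture(SAMPLE_DUMP)))
```

Run against the quoted packets, this decodes `<3>` as kern.err and `<5>` as kern.notice. The `Facility "DNS"` and `Level "UNUSUAL"` strings are part of the message text the router composes; syslogd never looks at them, only at the numeric `<PRI>` in front, which is why `tcpdump -X` rather than the router's documentation is the reliable way to learn which selector to write. The generated block should go at the end of syslog.conf, or be followed by a reset as the syslog.conf(5) text quoted above describes, so the host restriction does not spill onto later lines.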