Date: Fri, 10 Nov 2000 17:56:56 -0600 (CST) From: Mike Meyer <mwm@mired.org> To: Daniel Podolsky <daniel.podolsky@twelvehorses.com> Cc: questions@freebsd.org Subject: RE: Logging to remote syslogd Message-ID: <14860.35656.389841.767243@guru.mired.org> In-Reply-To: <856E94D34FF3D311B5FE00508B6B8BD22A34A9@BlackWidow.twelvehorses.int> References: <856E94D34FF3D311B5FE00508B6B8BD22A34A9@BlackWidow.twelvehorses.int>
next in thread | previous in thread | raw e-mail | index | archive | help
Daniel Podolsky <daniel.podolsky@twelvehorses.com> types:
>
> Dear Mike,
>
> Thank you for you answer.
>
> Especially for you I've run the syslogd with command
> syslogd -d -a 193.120.127.33/32:* >s.t
Well, you shouldn't do it for me, you should show send it to
-questions. More eyes mean it's more likely that somene will spot the
problem.
> And this is a s.t
> [begin]
> allowaddr: rule 0: numeric, addr = 193.120.127.33, mask = 255.255.255.255;
> port = 0
> off & running....
> init
> cfline("*.err;kern.debug;auth.notice;mail.crit /dev/console", f,
> "*")
> cfline("*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages",
> f, "*")
> cfline("security.* /var/log/security",
> f, "*")
> cfline("mail.info /var/log/maillog",
> f, "*")
> cfline("lpr.info /var/log/lpd-errs",
> f, "*")
> cfline("cron.* /var/log/cron", f,
> "*")
> cfline("*.err root", f, "*")
> cfline("*.notice;news.err root", f, "*")
> cfline("*.alert root", f, "*")
> cfline("*.emerg *", f, "*")
> cfline("*.* /var/log/all.log",
> f, "*")
> cfline("local7.* /var/log/c7200.log",
> f, "*")
> cfline("*.* /var/log/slip.log",
> f, "startslip")
> cfline("*.* /var/log/ppp.log",
> f, "ppp")
> cfline("*.* /var/log/pppd.log",
> f, "pppd")
> cfline("*.* /var/log/ipfw.log",
> f, "ipfw")
> 7 3 2 3 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X CONSOLE: /dev/console
> 7 5 2 5 5 5 6 3 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 X FILE: /var/log/messages
> X X X X X X X X X X X X X 8 X X X X X X X X X X X FILE: /var/log/security
> X X 6 X X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/maillog
> X X X X X X 6 X X X X X X X X X X X X X X X X X X FILE: /var/log/lpd-errs
> X X X X X X X X X 8 X X X X X X X X X X X X X X X FILE: /var/log/cron
> 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X USERS: root,
> 5 5 5 5 5 5 5 3 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 X USERS: root,
> 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 X USERS: root,
> 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:
> 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 X FILE: /var/log/all.log
> X X X X X X X X X X X X X X X X X X X X X X X 8 X FILE: /var/log/c7200.log
> 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 X FILE: /var/log/slip.log
> (startslip)
> 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 X FILE: /var/log/ppp.log
> (ppp)
> 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 X FILE: /var/log/pppd.log
> (pppd)
> 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 X FILE: /var/log/ipfw.log
> (ipfw)
> logmsg: pri 56, flags 4, from lf, msg syslogd: restart
> Logging to FILE /var/log/all.log
> syslogd: restarted
> logmsg: pri 156, flags 16, from lf, msg ipfw: 1100 Accept UDP
> 193.120.127.33:58896 193.120.127.35:514 in via lnc0
> Logging to FILE /var/log/security
> Logging to FILE /var/log/all.log
> Logging to FILE /var/log/ipfw.log
> logmsg: pri 116, flags 0, from lf, msg Nov 10 23:30:00 CRON[2243]: (root)
> CMD (/usr/libexec/atrun)
> Logging to FILE /var/log/cron
> Logging to FILE /var/log/all.log
> syslogd: exiting on signal 2
> syslogd: exiting on signal 2
> logmsg: pri 53, flags 4, from lf, msg syslogd: exiting on signal 2
> Logging to CONSOLE /dev/console
> Logging to FILE /var/log/messages
> Logging to USERS
> Logging to USERS
> Logging to FILE /var/log/all.log
>
> We can see the packet from Cisco, but we can not see the message Cisco's
> mesage.
>
> Yes, I know, this functionality works. It works for me for Cisco 1005 and
> FreeBSD 3.2. I'm really surprised... It is looks like the syslogd does not
> hear the port 514...
Have you got divert rules in your firewall, perhaps? Possibly
something in your syslog.conf will provide a clue.
Again, don't send them to me, send them to -questions. That will give
more people a chance to look at them and possibly spot the problem.
<mike
> Thank you for you help.
>
> With best regards,
> Daniel Podolsky
>
> >-----Original Message-----
> >From: Mike Meyer [mailto:mwm@mired.org]
> >Sent: Friday, November 10, 2000 9:13 PM
> >To: Daniel Podolsky
> >Cc: questions@freebsd.org
> >Subject: Re: Logging to remote syslogd
> >
> >
> >Daniel Podolsky <daniel.podolsky@twelvehorses.com> types:
> >> Dear All,
> >>
> >> I'm tryed to configure my Cisco for logging to the syslog on
> >my FreeBSD
> >> 4.1.1.
> >> I have confugred the Cisco correctly. I can see Cisco's
> >incoming UDP packets
> >> to port 514 in a ipfw log.
> >
> >They are being accepted, not denied, right? Show us the log
> >messages, please?
> >
> >> The syslogd run command is "syslogd -a <Cisco1Address>/32
> >> <Cisco2Address>/32".
> >
> >Can we have the actually command or - hopefully - the variables from
> >rc.conf? In more than one similar case, it's been a simple typo that a
> >fresh pair of eyes will immediately spot. However, we can't do that if
> >you don't give us all the information.
> >
> >> For testing purposes I have added the string "*.*
> >/var/log/all.log" to
> >> the /etc/syslog.conf
> >> However, I can not see Cosco's packets in a all.log. Also, I
> >can not see the
> >> trace of this packets then I run syslogd with "-d".
> >
> >Can you see *anything* in /var/log/all.log?
> >
> >This kind of functionality works - I use it between FreeBSD boxes.
> >
> > <mike
> >
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14860.35656.389841.767243>