From: Kaya Saman
Date: Sat, 19 Nov 2011 12:57:42 +0200
To: freebsd-questions@freebsd.org
Subject: Syslog server not logging remote machines to file?
Message-ID: <4EC78BA6.1050107@gmail.com>
Hi,

I've got a really strange problem which seems to either be a bug with the syslog server service or perhaps because I'm running jails on my system.....

I can log my router syslog information but somehow the syslog server doesn't put the information into the designated file; which should be /var/log/cisco857w.log???

This is the syslog definition in my /etc/rc.conf file:

{
syslogd_enable="YES"
#syslog_flags=""
syslogd_flags="-d -b 192.168.1.120 -a 192.168.1.1/24:* -vv -C"
}

Additionally here is my /etc/syslog.conf file:

{
# $FreeBSD: src/etc/syslog.conf,v 1.30.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
#	Spaces ARE valid field separators in this file. However,
#	other *nix-like systems still insist on using tabs as field
#	separators. If you are sharing this file between systems, you
#	may want to use only tabs as field separators here.
#	Consult the syslog.conf(5) manpage.
#+server.domain
*.err;kern.warning;auth.notice;mail.crit			/dev/console
*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
security.*						/var/log/security
auth.info;authpriv.info					/var/log/auth.log
mail.info						/var/log/maillog
lpr.info						/var/log/lpd-errs
ftp.info						/var/log/xferlog
cron.*							/var/log/cron
*.=debug						/var/log/debug.log
*.emerg							*
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info						/var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*							/var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*							@loghost
# uncomment these if you're running inn
# news.crit						/var/log/news/news.crit
# news.err						/var/log/news/news.err
# news.notice						/var/log/news/news.notice
!ppp
*.*							/var/log/ppp.log
!*
+192.168.1.1
*.*							/var/log/cisco857w.log
#local7.*						/var/log/cisco857w.log
#!*
#+172.16.0.1
#*.*
}

uname -a shows this:

{
# uname -a
FreeBSD server.domain 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
}

The odd thing about this is that I did the same thing on a non-jailed 32bit machine running FreeBSD 8.x and the system worked fine.

In my research for the problem I have covered this material:

{
http://www.freebsd.org/doc/handbook/network-syslogd.html
http://forums.devshed.com/bsd-help-31/remote-syslog-question-router-to-freebsd-118652.html
http://www.freebsd.org/doc/handbook/network-syslogd.html
http://www.daemonforums.org/showthread.php?t=2968
http://bsd.dischaos.com/2009/02/25/logging-cisco-ios-messages-to-external-freebsd-syslog/
http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2007-02/msg00384.html
http://plone.lucidsolutions.co.nz/networking/cisco/ios/logging-to-a-syslog-or-rsyslog-host-from-cisco-ios
http://lists.nycbug.org/pipermail/talk/2007-April/010091.html
http://www.freebsdonline.com/content/view/527/506/
}

They all seem to say more or less the same thing: that either putting the

{
+192.168.1.1
*.*							/var/log/cisco857w.log

or

local7.*						/var/log/cisco857w.log
}

statements at the top of the file, or changing the syntax slightly using a + between machines, should do the trick; however, none of the things I tried have worked from any of the material mentioned above!
Here is my debug information:

{
# tcpdump -tlnvv -i em0 port 514
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
IP (tos 0x0, ttl 255, id 337, offset 0, flags [none], proto UDP (17), length 122) 192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
	Facility local7 (23), Severity debug (7)
	Msg: 10040: 010027: Nov 19 10:28:04.322: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 338, offset 0, flags [none], proto UDP (17), length 122) 192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
	Facility local7 (23), Severity debug (7)
	Msg: 10041: 010028: Nov 19 10:28:04.326: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 339, offset 0, flags [none], proto UDP (17), length 142) 192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
	Facility local7 (23), Severity notice (5)
	Msg: 10042: 010029: Nov 19 10:28:04.770: %SYS-5-CONFIG[|syslog]
IP (tos 0x0, ttl 255, id 340, offset 0, flags [none], proto UDP (17), length 122) 192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
	Facility local7 (23), Severity debug (7)
	Msg: 10043: 010030: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 341, offset 0, flags [none], proto UDP (17), length 122) 192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
	Facility local7 (23), Severity debug (7)
	Msg: 10044: 010031: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 342, offset 0, flags [none], proto UDP (17), length 189) 192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 161
	Facility local7 (23), Severity info (6)
	Msg: 10045: 010032: Nov 19 10:30:36.455: %DOT11-6-ASSO[|syslog]
IP (tos 0x0, ttl 255, id 343, offset 0, flags [none], proto UDP (17), length 203) 192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 175
	Facility local7 (23), Severity info (6)
	Msg: 10046: 010033: Nov 19 10:30:47.643: %DOT11-6-DISA[|syslog]

--------------------------

# /etc/rc.d/syslogd restart
syslogd not running? (check /var/run/syslog.pid).
Starting syslogd.
allowaddr: rule 0: numeric, addr = 192.168.1.0, mask = 255.255.255.0; port = 0
listening on inet and/or inet6 socket
sending on inet and/or inet6 socket
off & running....
init
cfline("*.err;kern.warning;auth.notice;mail.crit /dev/console", f, "*", "+Server.domain")
cfline("*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages", f, "*", "+Server.domain")
cfline("security.* /var/log/security", f, "*", "+Server.domain")
cfline("auth.info;authpriv.info /var/log/auth.log", f, "*", "+Server.domain")
cfline("mail.info /var/log/maillog", f, "*", "+Server.domain")
cfline("lpr.info /var/log/lpd-errs", f, "*", "+Server.domain")
cfline("ftp.info /var/log/xferlog", f, "*", "+Server.domain")
cfline("cron.* /var/log/cron", f, "*", "+Server.domain")
cfline("*.=debug /var/log/debug.log", f, "*", "+Server.domain")
cfline("*.emerg *", f, "*", "+Server.domain")
cfline("*.* /var/log/ppp.log", f, "ppp", "+Server.domain")
cfline("*.* /var/log/cisco857w.log", f, "*", "+192.168.1.1")
4 3 2 3 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X CONSOLE: /dev/console
7 5 2 5 5 5 6 3 5 5 X 5 5 5 5 5 5 5 5 5 5 5 5 X X FILE: /var/log/messages
X X X X X X X X X X X X X 7 X X X X X X X X X X X FILE: /var/log/security
X X X X 6 X X X X X 6 X X X X X X X X X X X X X X FILE: /var/log/auth.log
X X 6 X X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/maillog
X X X X X X 6 X X X X X X X X X X X X X X X X X X FILE: /var/log/lpd-errs
X X X X X X X X X X X 6 X X X X X X X X X X X X X FILE: /var/log/xferlog
X X X X X X X X X 7 X X X X X X X X X X X X X X X FILE: /var/log/cron
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/debug.log
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/ppp.log (ppp)
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/cisco857w.log
logmsg: pri 56, flags 4, from Server, msg syslogd: restart
syslogd: restarted
logmsg: pri 6, flags 4, from Server, msg syslogd: kernel boot file is /boot/kernel/kernel
Logging to FILE /var/log/messages
syslogd: kernel boot file is /boot/kernel/kernel
logmsg: pri 166, flags 17, from Server, msg Nov 19 12:33:34 Server syslogd: exiting on signal 2
cvthname(192.168.1.1)
validate: dgram from IP 192.168.1.1, port 59189, name router.domain;
accepted in rule 0.
logmsg: pri 275, flags 0, from cisco857w, msg 10048: 010035: Nov 19 10:33:48.037: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.120)
}

As can be seen the server accepts the messages from the gateway but unfortunately doesn't log them to the file defined in /etc/syslog.conf?

Can anyone help with this??? Am I missing something or is it a bug?

These are the file permissions set to 600; as can be seen no data has been logged at all:

{
# ls -l /var/log/cisco857w.log
-rw-------  1 root  wheel  0 Nov 18 16:32 /var/log/cisco857w.log
}

Regards,

Kaya
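The following is an added example and not code from the post or from FreeBSD. It is a small Python model of how a syslog.conf rule set gates a message: selectors (`facility.level`, with a later `local7.none` overriding an earlier `*.notice` on the same line), `!prog` program blocks and `+host`/`-host` host blocks. Two things it takes from the trace above rather than from any documentation: cfline() registers the host block as the literal string `+192.168.1.1`, and logmsg() reports the router's messages as `from cisco857w`, so the model compares a `+host` block against that reported sender name with a case-insensitive string compare (an assumption about syslogd stated here, not verified against its source). It also decodes the trace's `pri 275` as octal (syslogd's debug printf uses `%o`), which gives 189 = local7.notice, agreeing with the tcpdump capture. The `no_dns_case` function assumes that `syslogd -n` leaves the sender name as the numeric address; the config text is a trimmed copy of the one in the post.

```python
"""Model of FreeBSD syslog.conf block matching (added example, not syslogd source).

Rules are gated by: the selector list, the current "!prog" block and the
current "+host"/"-host" block.  The host compare is assumed to be a
case-insensitive string compare of the sender name syslogd reports
("from cisco857w" in the trace), not of the packet's source address.
"""

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              None, "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """Split a <PRI> value into (facility name, level name)."""
    return FACILITIES[pri >> 3], LEVELS[pri & 7]


def parse_selector(sel):
    """One 'fac1,fac2.level' selector -> list of (facility, severity predicate)."""
    facs, level = sel.rsplit(".", 1)
    if level == "*":
        pred = lambda sev: True
    elif level == "none":
        pred = lambda sev: False                   # explicit exclusion
    elif level.startswith("="):
        pred = lambda sev, w=LEVELS.index(level[1:]): sev == w
    else:
        pred = lambda sev, w=LEVELS.index(level): sev <= w   # lower number = more severe
    return [(f, pred) for f in facs.split(",")]


def parse_conf(text):
    """Return rules as (selectors, action, prog, host), applying block scoping."""
    rules, prog, host = [], "*", "*"
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] == "!":                         # program block; "!*" resets it
            prog = line[1:].strip() or "*"
            continue
        if line[0] in "+-":                        # host block; "+*" resets it
            host = "*" if line[1:].strip() == "*" else line
            continue
        selectors, action = line.split(None, 1)
        parsed = [s for sel in selectors.split(";") for s in parse_selector(sel)]
        rules.append((parsed, action, prog, host))
    return rules


def selector_matches(selectors, fac, sev):
    """Later selectors on the same line override earlier ones for a facility."""
    result = False
    for f, pred in selectors:
        if f in ("*", fac):
            result = pred(sev)
    return result


def destinations(rules, pri, sender, prog="-"):
    """Actions that would receive a message of priority pri from sender."""
    fac, level = decode_pri(pri)
    sev = LEVELS.index(level)
    out = []
    for selectors, action, rprog, rhost in rules:
        if rprog != "*" and rprog != prog:
            continue
        if rhost != "*":
            same = sender.lower() == rhost[1:].lower()
            if (rhost[0] == "+") != same:
                continue
        if selector_matches(selectors, fac, sev):
            out.append(action)
    return out


# Trimmed copy of the syslog.conf from the post (commented-out lines left out).
POSTED_CONF = """\
*.err;kern.warning;auth.notice;mail.crit   /dev/console
*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*   /var/log/security
auth.info;authpriv.info   /var/log/auth.log
mail.info   /var/log/maillog
lpr.info   /var/log/lpd-errs
ftp.info   /var/log/xferlog
cron.*   /var/log/cron
*.=debug   /var/log/debug.log
*.emerg   *
!ppp
*.*   /var/log/ppp.log
!*
+192.168.1.1
*.*   /var/log/cisco857w.log
"""

ROUTER_PRI = 0o275   # "pri 275" in the trace is octal: 189 = local7.notice


def trace_case():
    """Posted config, sender name as syslogd reported it in the trace."""
    return destinations(parse_conf(POSTED_CONF), ROUTER_PRI, "cisco857w")


def fixed_name_case():
    """Same config with the host block keyed on the reported sender name."""
    conf = POSTED_CONF.replace("+192.168.1.1", "+cisco857w")
    return destinations(parse_conf(conf), ROUTER_PRI, "cisco857w")


def no_dns_case():
    """Assumed effect of syslogd -n: sender name stays the numeric address."""
    return destinations(parse_conf(POSTED_CONF), ROUTER_PRI, "192.168.1.1")


def local_kernel_case():
    """The kern.info boot-file message from the trace, which did reach messages."""
    return destinations(parse_conf(POSTED_CONF), 0o6, "Server")


if __name__ == "__main__":
    print(decode_pri(ROUTER_PRI), trace_case(), fixed_name_case(),
          no_dns_case(), local_kernel_case())
```

Run as-is it prints the decoded priority and the four destination lists; the first list is empty, which is the behaviour in the trace (the `+192.168.1.1` block never compares equal to the sender name `cisco857w`, and `local7.none` keeps the message out of /var/log/messages), while the kernel message lands in /var/log/messages exactly as the trace's "Logging to FILE /var/log/messages" line shows.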