Date: Tue, 29 Nov 2011 01:42:23 +0200
From: Kaya Saman <kayasaman@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: Alternative to syslogd that actually writes external logs to files?
Message-ID: <4ED41C5F.3030906@gmail.com>
In-Reply-To: <4ED3D9BF.701@my.gd>
References: <4ED38578.1000501@gmail.com> <CA+tpaK0rkWX8G3hiapZkutK6xvb+c0z6aTK=U=RsC=Pk68mCEA@mail.gmail.com> <4ED3CE66.4020903@gmail.com> <4ED3D9BF.701@my.gd>
On 11/28/2011 08:58 PM, Damien Fleuriot wrote:
> On 11/28/11 7:09 PM, Kaya Saman wrote:
>> [...snip...]
>>> Properly configured, syslogd will log remotely. However something
>>> like sysutils/rsyslog may fit your requirements better.
>>>
>>> --
>>> Adam Vande More
>>
>> Thanks for that. I have tested rsyslog, which is backwards compatible
>> with syslog, but again something failed with that in order to write to
>> the created logfile???
>
> We have absolutely no problems whatsoever with rsyslogd here.
>
> It runs on our FreeBSD firewall boxes and logs both to local files and
> a remote server running rsyslogd on Debian.
>
> Additionally, and in reply to your need to track what happens on your
> network, I very highly recommend Observium, which we have been running
> for over 18 months now and which I use on an almost daily basis.
>
> http://www.observium.org/wiki/Main_Page
>
> The icing on the cake is that you'll be able to export your logs to
> Observium directly.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Thanks for the vote of confidence!

I have set syslogd to run on the loopback and rsyslogd to run on the local IP address.
Here is my config file for rsyslog:

    $ModLoad immark.so    # provides --MARK-- message capability
    $ModLoad imuxsock.so  # provides support for local system logging
    $ModLoad imklog.so    # kernel logging

    $ModLoad imudp
    $UDPServerAddress 192.168.1.120
    $UDPServerRun 514

    $RuleSet Cisco857w
    #:msg, contains, "192.168.1.1"          /var/log/cisco857w.log
    :fromhost-ip, isequal, "192.168.1.1"    /var/log/cisco857w.log

According to the rule, anything coming in from 192.168.1.1 should be logged to /var/log/cisco857w.log.

From rsyslog debug mode I was able to find that the rule was in place and should be performing properly:

    0302.998028819:800c041c0: ruleset 0x800c2b0a0: rsyslog ruleset Cisco857w:
    0302.998046140:800c041c0: rule 0x800c14d80: rsyslog rule:
    0302.998058991:800c041c0: PROPERTY-BASED Filter:
    0302.998070165:800c041c0: Property.: 'fromhost-ip'
    0302.998080781:800c041c0: Operation: 'isequal'
    0302.998099499:800c041c0: Value....: '192.168.1.1'
    0302.998109835:800c041c0: Action...: Actions:
    0302.998127435:800c041c0: builtin-file: /var/log/cisco857w.log
    0302.998143918:800c041c0: template='/var/log/cisco857w.log'
    0302.998153696:800c041c0: use async writer=0
    0302.998165150:800c041c0: flush on TX end=1
    0302.998175766:800c041c0: flush interval=1
    0302.998186661:800c041c0: file cache size=10
    0302.998198115:800c041c0: create directories: yes
    0302.998208451:800c041c0: file owner 0, group 0
    0302.998218788:800c041c0: force chown() for all files: no
    0302.998229683:800c041c0: directory owner 0, group 0
    0302.998240020:800c041c0: dir create mode 0700, file create mode 0644
    0302.998254267:800c041c0: fail if owner/group can not be set: no

However, when using tcpdump it shows that rsyslog is in fact receiving information, but still unfortunately not logging to file???
    # tcpdump -tlnvv -i em0 port 514
    tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
    IP (tos 0x0, ttl 255, id 1875, offset 0, flags [none], proto UDP (17), length 142) 192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
            Facility local7 (23), Severity notice (5)
            Msg: 11578: 011565: Nov 28 23:34:19.475: %SYS-5-CONFIG[|syslog]

File permissions are correct, as I got rsyslog to create the file from scratch.......

What am I missing here?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4ED41C5F.3030906>
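Added note and example (not part of the original thread): in rsyslog's legacy configuration syntax, `$RuleSet <name>` switches which ruleset the rules that follow it belong to, and an input listener evaluates messages only against the ruleset it is bound to, which is `RSYSLOG_DefaultRuleset` unless `$InputUDPServerBindRuleset` is given before the matching `$UDPServerRun`. In the config posted above the only filter lives in `Cisco857w`, but `$UDPServerRun 514` is issued before that ruleset is defined and is never bound to it, so datagrams arriving on port 514 are evaluated against a default ruleset that contains no rules at all. The debug dump confirms the rule exists; it does not show any listener bound to it. The `[|syslog]` at the end of the tcpdump line is tcpdump's own marker that the 96-byte snaplen truncated the packet, not a sign of a malformed message. The following rsyslog.conf fragment is an illustration written for this note, showing the posted shape beside two corrected forms; the host address, port and file path are the ones from the thread.

```conf
$ModLoad immark.so     # provides --MARK-- message capability
$ModLoad imuxsock.so   # provides support for local system logging
$ModLoad imklog.so     # kernel logging
$ModLoad imudp

# --- As posted: listener started first, ruleset defined later, never bound ---
# The UDP input below runs RSYSLOG_DefaultRuleset, which has no rules,
# so nothing matches and nothing is written.
#$UDPServerAddress 192.168.1.120
#$UDPServerRun 514
#$RuleSet Cisco857w
#:fromhost-ip, isequal, "192.168.1.1"    /var/log/cisco857w.log

# --- Fix 1 (simplest): no named ruleset at all ---
# With the $RuleSet line removed, the property filter is part of the default
# ruleset, which is what an unbound UDP listener runs.
#$UDPServerAddress 192.168.1.120
#$UDPServerRun 514
#:fromhost-ip, isequal, "192.168.1.1"    /var/log/cisco857w.log

# --- Fix 2: keep a dedicated ruleset, define it first, then bind the listener ---
$RuleSet Cisco857w
:fromhost-ip, isequal, "192.168.1.1"    /var/log/cisco857w.log
& ~            # discard after writing, so the message is not processed further

# Rules that follow must go back to the default ruleset, otherwise they would
# silently land in Cisco857w as well.
$RuleSet RSYSLOG_DefaultRuleset

# Binding must appear before $UDPServerRun, and the ruleset must already exist.
$UDPServerAddress 192.168.1.120
$InputUDPServerBindRuleset Cisco857w
$UDPServerRun 514
```

After restarting rsyslogd, the quickest check is to trigger one more event on the router and watch `/var/log/cisco857w.log` with `tail -f`; in `rsyslogd -dn` output the per-message trace should now name the `Cisco857w` ruleset while the datagram is processed. One caveat for routing on `fromhost-ip`: it is the UDP source address of the datagram and is trivially spoofable on a LAN, so it is fine as a key for deciding which file a line goes to, but it must not be treated as authentication of where the line came from.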