Date:      Wed, 05 May 2004 13:34:18 -0400
From:      Micah Bushouse <bushous2@msu.edu>
To:        questions@freebsd.org
Subject:   Syslogd not logging data from remote machines
Message-ID:  <4099259A.90809@msu.edu>

Dear List,

FreeBSD alumi.bushouse.net 4.10-PRERELEASE FreeBSD 4.10-PRERELEASE #0: 
Mon Apr 26 08:34:37 EDT 2004 
micah@alumi.bushouse.net:/usr/obj/usr/src/sys/APRIL  i386

I'm trying to get syslogd on the FBSD system above to log events from my 
Watchguard SOHO firewall/router.  On this particular network packets 
flow from the internet through the SOHO to get to the FBSD machine.  The 
SOHO is configured to log correctly to the FBSD machine... Also, I poked 
a hole (UDP/514) in IPFilter, and both TCPDump and Ethereal (both 
running on the FBSD machine) pick up the syslog traffic coming in from 
the SOHO.

192.168.111.1 is the router, 192.168.111.9 is the FBSD machine.

Here is the command I'm using to run syslogd
 > ps -waux | grep syslogd
root    8284  0.0  0.1   996  684  ??  Is   12:15PM   0:00.01 
/usr/sbin/syslogd -a 192.168.111.1 -n

Using Ethereal, I sniffed the traffic that the SOHO is sending to the 
FBSD system.  Lots of UDP/514 packets flowed in, and all were a 
variation on the packet excerpt below (the stuff after LOCAL0.INFO was 
obviously different and depended on the information the router was 
trying to log):

Syslog message: LOCAL0.INFO: MONITOR: Administrator Access...
   1000 0... = Facility: LOCAL0 - reserved for local use (16)
   .... .110 = Level: INFO - informational (6)
   Message: MONITOR: Administrator access allowed from 192.168.111.9

I kept the default /etc/syslog.conf file, except for one added line:
local0.*                                        /var/log/router.log

Here's what the router.log file looks like:
 > ls -l /var/log/router.log
-rw-r--r--  1 root  wheel  0 May  4 22:02 /var/log/router.log

There is still no data being written to this file, even though I'm 
sitting here watching TCPDump print out packet after packet of UDP/514 
data from the SOHO.  What am I doing wrong?

~Micah
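As an added illustration (not part of Micah's message, and not FreeBSD's syslogd code), the following Python script models the three things that have to line up for the datagram in the Ethereal excerpt to reach /var/log/router.log: decoding the <PRI> byte into facility and level (LOCAL0 = 16, INFO = 6, so the wire value is 16*8 + 6 = 134), the source-address allow-list that `syslogd -a` enforces, and the facility.level selector of a syslog.conf line such as `local0.*`. The datagram and the rule table are constructed here for the example; the selector grammar is a deliberately small subset of syslog.conf (no `none`, no `=`/`!` modifiers, one selector per rule), and no file is written, the script only returns which target a message would be routed to.

```python
"""Model of the receive path for a BSD-style syslog UDP datagram:
<PRI> decoding, peer allow-list (syslogd -a) and syslog.conf routing."""
import ipaddress
import re

# Facility numbers from the BSD syslog protocol (RFC 3164, section 4.1.1).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Severity index == numeric level; lower number means more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(pri: int):
    """Split the PRI value into (facility, severity): PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_message(datagram: bytes) -> dict:
    """Decode one UDP/514 payload into facility name, severity name and text."""
    m = _PRI_RE.match(datagram)
    if m is None:
        raise ValueError("datagram has no <PRI> prefix")
    fac, sev = parse_pri(int(m.group(1)))
    return {
        "facility": FACILITIES.get(fac, f"facility{fac}"),
        "severity": SEVERITIES[sev],
        "msg": datagram[m.end():].decode("utf-8", "replace").strip(),
    }


def peer_allowed(src_ip: str, allowed_peers) -> bool:
    """The role of `syslogd -a`: accept only listed hosts or prefixes."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p, strict=False) for p in allowed_peers)


def matches_rule(selector: str, facility: str, severity: str) -> bool:
    """syslog.conf semantics: 'fac.level' matches that level and anything more severe."""
    fac_part, lvl_part = selector.split(".", 1)
    if fac_part != "*" and fac_part != facility:
        return False
    if lvl_part == "*":
        return True
    return SEVERITIES.index(severity) <= SEVERITIES.index(lvl_part)


def route(rules, facility: str, severity: str):
    """Return every target whose selector matches (syslogd writes to all of them)."""
    return [target for selector, target in rules if matches_rule(selector, facility, severity)]


def dispatch(datagram: bytes, src_ip: str, allowed_peers, rules):
    """Full receive path; returns the list of targets, empty if the peer is dropped."""
    if not peer_allowed(src_ip, allowed_peers):
        return []
    m = parse_message(datagram)
    return route(rules, m["facility"], m["severity"])


# Constructed sample: the PRI for LOCAL0.INFO is 16*8 + 6 = 134.
SAMPLE = b"<134>MONITOR: Administrator access allowed from 192.168.111.9"
RULES = [("local0.*", "/var/log/router.log"), ("*.notice", "/var/log/messages")]

if __name__ == "__main__":
    print(parse_message(SAMPLE))
    print(dispatch(SAMPLE, "192.168.111.1", ["192.168.111.1"], RULES))
```

Run against the sample, the router's datagram decodes to local0/info and routes only to /var/log/router.log (the `*.notice` catch-all does not fire, because info is less severe than notice); the same datagram from a source outside the allow-list is dropped before any rule is consulted, which is the first thing to rule out when tcpdump shows packets arriving but the log file stays empty.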


