From owner-freebsd-questions@FreeBSD.ORG Mon Nov 28 18:09:48 2011
Message-ID: <4ED3CE66.4020903@gmail.com>
Date: Mon, 28 Nov 2011 20:09:42 +0200
From: Kaya Saman
To: Adam Vande More
Cc: "freebsd-questions@freebsd.org"
References: <4ED38578.1000501@gmail.com>
Subject: Re: Alternative to syslogd that actually writes external logs to files?

[...snip...]

> Properly configured, syslogd will log remotely. However something
> like sysutils/rsyslog may fit your requirements better.
>
> --
> Adam Vande More

Thanks for that. I have tested rsyslog, which is backwards compatible with
syslog, but again something failed with that in order to write to the
created logfile???

Here is my config just in case something hinky can be seen; although I have
already posted it (with minimal responses) under the heading "Syslog server
not logging remote machines to file?" {basically please don't lynch me for
double posting!!}

/etc/rc.conf

    syslogd_enable="YES"
    syslog_flags=""
    syslogd_flags="-b 192.168.1.120 -a 192.168.1.1/24:* -C"
    #syslogd_flags="-d -b 192.168.1.120 -a 192.168.1.1/24:* -vv -C"
    #syslogd_flags="-c"
    #rsyslogd_enable="YES"
    #rsyslogd_pidfile="/var/run/syslog.pid"
    #rsyslogd_config="/etc/syslog.conf"
    #rsyslogd_klog_enable="YES"
    #rsyslogd_flags="-d"

The extra addition to /etc/syslog.conf under the ppp statement:

    !*
    +192.168.1.1
    *.*                                             /var/log/cisco857w.log

Debug from tcpdump:

    # tcpdump -tlnvv -i em0 port 514
    tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
    IP (tos 0x0, ttl 255, id 337, offset 0, flags [none], proto UDP (17), length 122)
        192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
            Facility local7 (23), Severity debug (7)
            Msg: 10040: 010027: Nov 19 10:28:04.322: ISAKMP:(0): S[|syslog]
    IP (tos 0x0, ttl 255, id 338, offset 0, flags [none], proto UDP (17), length 122)
        192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
            Facility local7 (23), Severity debug (7)
            Msg: 10041: 010028: Nov 19 10:28:04.326: ISAKMP:(0): S[|syslog]
    IP (tos 0x0, ttl 255, id 339, offset 0, flags [none], proto UDP (17), length 142)
        192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
            Facility local7 (23), Severity notice (5)
            Msg: 10042: 010029: Nov 19 10:28:04.770: %SYS-5-CONFIG[|syslog]
    IP (tos 0x0, ttl 255, id 340, offset 0, flags [none], proto UDP (17), length 122)
        192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
            Facility local7 (23), Severity debug (7)
            Msg: 10043: 010030: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
    IP (tos 0x0, ttl 255, id 341, offset 0, flags [none], proto UDP (17), length 122)
        192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
            Facility local7 (23), Severity debug (7)
            Msg: 10044: 010031: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
    IP (tos 0x0, ttl 255, id 342, offset 0, flags [none], proto UDP (17), length 189)
        192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 161
            Facility local7 (23), Severity info (6)
            Msg: 10045: 010032: Nov 19 10:30:36.455: %DOT11-6-ASSO[|syslog]
    IP (tos 0x0, ttl 255, id 343, offset 0, flags [none], proto UDP (17), length 203)
        192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 175
            Facility local7 (23), Severity info (6)
            Msg: 10046: 010033: Nov 19 10:30:47.643: %DOT11-6-DISA[|syslog]

Debug from syslogd:

    # /etc/rc.d/syslogd restart
    syslogd not running? (check /var/run/syslog.pid).
    Starting syslogd.
    allowaddr: rule 0: numeric, addr = 192.168.1.0, mask = 255.255.255.0; port = 0
    listening on inet and/or inet6 socket
    sending on inet and/or inet6 socket
    off & running....
    init
    cfline("*.err;kern.warning;auth.notice;mail.crit /dev/console", f, "*", "+Server.domain")
    cfline("*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages", f, "*", "+Server.domain")
    cfline("security.* /var/log/security", f, "*", "+Server.domain")
    cfline("auth.info;authpriv.info /var/log/auth.log", f, "*", "+Server.domain")
    cfline("mail.info /var/log/maillog", f, "*", "+Server.domain")
    cfline("lpr.info /var/log/lpd-errs", f, "*", "+Server.domain")
    cfline("ftp.info /var/log/xferlog", f, "*", "+Server.domain")
    cfline("cron.* /var/log/cron", f, "*", "+Server.domain")
    cfline("*.=debug /var/log/debug.log", f, "*", "+Server.domain")
    cfline("*.emerg *", f, "*", "+Server.domain")
    cfline("*.* /var/log/ppp.log", f, "ppp", "+Server.domain")
    cfline("*.* /var/log/cisco857w.log", f, "*", "+192.168.1.1")
    4 3 2 3 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X CONSOLE: /dev/console
    7 5 2 5 5 5 6 3 5 5 X 5 5 5 5 5 5 5 5 5 5 5 5 X X FILE: /var/log/messages
    X X X X X X X X X X X X X 7 X X X X X X X X X X X FILE: /var/log/security
    X X X X 6 X X X X X 6 X X X X X X X X X X X X X X FILE: /var/log/auth.log
    X X 6 X X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/maillog
    X X X X X X 6 X X X X X X X X X X X X X X X X X X FILE: /var/log/lpd-errs
    X X X X X X X X X X X 6 X X X X X X X X X X X X X FILE: /var/log/xferlog
    X X X X X X X X X 7 X X X X X X X X X X X X X X X FILE: /var/log/cron
    7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/debug.log
    0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:
    7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/ppp.log (ppp)
    7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/cisco857w.log
    logmsg: pri 56, flags 4, from Server, msg syslogd: restart
    syslogd: restarted
    logmsg: pri 6, flags 4, from Server, msg syslogd: kernel boot file is /boot/kernel/kernel
    Logging to FILE /var/log/messages
    syslogd: kernel boot file is /boot/kernel/kernel
    logmsg: pri 166, flags 17, from Server, msg Nov 19 12:33:34 Server syslogd: exiting on signal 2
    cvthname(192.168.1.1)
    validate: dgram from IP 192.168.1.1, port 59189, name router.domain;
    accepted in rule 0.
    logmsg: pri 275, flags 0, from cisco857w, msg 10048: 010035: Nov 19 10:33:48.037: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.120)

And finally permissions for the log file to be 'logged' to:

    # ls -l /var/log/cisco857w.log
    -rw-------  1 root  wheel  0 Nov 18 16:32 /var/log/cisco857w.log

I actually tried the same setup with rsyslog and even amended the file as such:

    !Cisco857w
    :fromhost-ip, isequal, "192.168.1.1"            /var/log/cisco857w.log

while commenting out the rest of the legacy syslogd information regarding
the device at hand.

But still, unfortunately, no luck :-(

I really need to get this going as I need to be able to track what's going
on at the network level.

Thanks to Robert Bonomi, the error was thought to be here:

    logmsg: pri 275

with the log priority value. I did manage to change that using the Cisco
command:

    logging facility kern

to give the message a 'higher' priority value, which output this:

    accepted in rule 0.
    logmsg: pri 15, flags 0, from cisco857w, msg 10146: 010133: Nov 19 23:05:54.538: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.0.53

but whatever happens it doesn't even try to attempt to log the information
to file after receiving it.......

Regards,

Kaya
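The thread turns on what the "pri" numbers in the syslogd debug output mean and which syslog.conf selectors a message with that priority can match. The script below is an added worked example, not code from the original post or from FreeBSD; it reproduces the arithmetic syslogd applies. Two facts it relies on: the `<PRI>` prefix on the wire is decimal (RFC 3164), while FreeBSD's `syslogd -d` prints `logmsg: pri` with an octal format, so the posted `pri 275` is 0275 = 189 = local7.notice, exactly what tcpdump decoded for the `%SYS-5-CONFIG` packet. The facility names for numbers 12 to 15 follow FreeBSD's `<sys/syslog.h>` and the name `facility15` for the unassigned slot is this example's own label; the constructed `POSTED_CONF` table copies only the plain selector lines from the poster's `cfline` output and deliberately does not model the `!prog` and `+host` block filters.

```python
"""Decode syslog PRI values and evaluate syslog.conf-style selectors.

Added example (not the poster's or FreeBSD's code). Assumes the standard
PRI = facility * 8 + severity encoding and FreeBSD syslog.conf selector
syntax: 'fac.level' (level or more severe), 'fac.=level', 'fac.none', '*'.
"""
import re

# Facility numbers 0..23 as in FreeBSD <sys/syslog.h>; slot 15 is unassigned
# and 'facility15' is a label chosen for this example.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "facility15", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """Split a numeric PRI into (facility, severity) names."""
    if not 0 <= pri < 8 * len(FACILITIES):
        raise ValueError("PRI out of range: %r" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def pri_from_debug_line(line):
    """Read the PRI from a FreeBSD 'syslogd -d' line; the number is printed in octal."""
    m = re.search(r"logmsg: pri (\d+)", line)
    if m is None:
        raise ValueError("not a logmsg debug line: %r" % line)
    return int(m.group(1), 8)


def pri_from_datagram(payload):
    """Read the decimal '<PRI>' prefix of a raw UDP/514 payload (RFC 3164)."""
    m = re.match(rb"<(\d{1,3})>", payload)
    if m is None:
        raise ValueError("datagram has no <PRI> prefix")
    return int(m.group(1))


def compile_selectors(field):
    """Turn 'sel;sel;...' into one rule per facility, later selectors overriding
    earlier ones; that is why 'local7.none' after '*.notice' in the poster's
    /var/log/messages line drops local7 again (the X in the debug table)."""
    rules = {}
    for sel in field.split(";"):
        facs, _, level = sel.strip().partition(".")
        targets = FACILITIES if facs == "*" else facs.split(",")
        if level == "none":
            rule = None                                # facility excluded
        elif level == "*":
            rule = ("ge", SEVERITIES.index("debug"))   # every severity
        elif level.startswith("="):
            rule = ("eq", SEVERITIES.index(level[1:]))  # exactly this severity
        else:
            rule = ("ge", SEVERITIES.index(level))     # this severity or more severe
        for fac in targets:
            rules[fac] = rule
    return rules


def selector_matches(field, facility, severity):
    """True if a message with this facility/severity passes the selector field."""
    rule = compile_selectors(field).get(facility)
    if rule is None:
        return False
    mode, level = rule
    sev = SEVERITIES.index(severity)
    # Lower severity numbers are more severe, so 'ge' means sev <= level.
    return sev == level if mode == "eq" else sev <= level


# Constructed copy of the plain selector lines from the posted syslog.conf.
# The '!ppp' and '+192.168.1.1' block filters are not modelled here.
POSTED_CONF = [
    ("*.err;kern.warning;auth.notice;mail.crit", "/dev/console"),
    ("*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err",
     "/var/log/messages"),
    ("security.*", "/var/log/security"),
    ("auth.info;authpriv.info", "/var/log/auth.log"),
    ("mail.info", "/var/log/maillog"),
    ("lpr.info", "/var/log/lpd-errs"),
    ("ftp.info", "/var/log/xferlog"),
    ("cron.*", "/var/log/cron"),
    ("*.=debug", "/var/log/debug.log"),
    ("*.emerg", "*"),
]


def destinations(conf, pri):
    """Return the actions whose selectors accept a message with this PRI."""
    facility, severity = decode_pri(pri)
    return [action for field, action in conf
            if selector_matches(field, facility, severity)]


if __name__ == "__main__":
    # The two debug lines from the post; 'pri 15' decodes to user.notice rather
    # than kern.notice because FreeBSD's syslogd rewrites the kern facility to
    # user for any message that did not come from the local kernel.
    for line in ("logmsg: pri 275, flags 0, from cisco857w, msg 10048: ...",
                 "logmsg: pri 15, flags 0, from cisco857w, msg 10146: ..."):
        pri = pri_from_debug_line(line)
        fac, sev = decode_pri(pri)
        print(f"{line[:15]:<16} -> {pri:3d} = {fac}.{sev} -> {destinations(POSTED_CONF, pri)}")
```

Run as-is, the script shows that a local7.notice message from the router matches none of the generic selector lines (the `local7.none` on the /var/log/messages line excludes it), so with the posted configuration such a message can only reach a file through the `+192.168.1.1` host block, while after the `logging facility kern` change the message arrives as user.notice and would also qualify for /var/log/messages.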