Date: Fri, 29 Jun 2001 01:15:26 -0700
From: "Crist J. Clark"
To: Mike Meyer
Cc: Drew Tomlinson, questions@FreeBSD.ORG
Subject: Re: How To Receive Syslog Messages From Another Device?
Message-ID: <20010629011526.A375@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <15161.2940.652129.5196@guru.mired.org> <5CD46247635BD511B6B100A0CC3F0239259FD5@ldcmsx01.lc.ca.gov> <15164.768.944327.747606@guru.mired.org>
In-Reply-To: <15164.768.944327.747606@guru.mired.org>; from mwm@mired.org on Thu, Jun 28, 2001 at 11:24:32PM -0500

On Thu, Jun 28, 2001 at 11:24:32PM -0500, Mike Meyer wrote:
> Drew Tomlinson types:
> > > From: Mike Meyer [mailto:mwm@mired.org]
> > > Drew Tomlinson types:
> > > > I have a 3Com ADSL router for my home network. I have found that it
> > > > (according to the docs) has the capability to send log
> > > > messages to syslogd
> > > Hmm - it works fine for me, without the ":*" as I'm going from FBSD to
> > > FBSD. You do need to make sure that syslogd is started without "-s",
> > > as that causes it to ignore the -a. If syslog is sending packets
> > > from the syslog udp port, you might try dropping the ":*".
> > Thanks for your response. I'm still a newbie but learning. :) I recall
> > when I set up ntpd that to get log messages, I had to put an entry in
> > syslog.conf that was something along the lines of:
> >
> > ntp.info /var/log/ntp.log
> >
> > Where ntp is the "name" (for lack of a better word) of the program sending
> > the message and info is the level at which to log. The file spec is the
> > file to log to.
>
> According to the documentation, that's "the selector field which
> specifies the types of messages and priorities".

In the example above, "ntp" is the FACILITY, "info" is the LEVEL, the
combination of "ntp.info" is the SELECTOR, and "/var/log/ntp.log" is
the ACTION.

> The program name can
> be selected for with the "!progname" construct.

Correct. This is not used in the example.

> As far as I can tell,
> there isn't any way to select on hostname.

Uh, read syslog.conf(5) again,

     A hostname specification of the form `#+hostname' or `+hostname' and the
     following blocks will be applied to messages received from the specified
     hostname.  Alternatively, a hostname specification `#-hostname' or
     `-hostname' causes the following blocks to be applied to messages from
     any host but the one specified.  If the hostname is given as `@', the
     local hostname will be used.  A program or hostname specification may be
     reset by giving the program or hostname as `*'.

> > So I assume I need the "name" of the messages coming from my router and add
> > a similar line to syslog.conf. Would this be correct? I've called 3Com to
> > get this "name" and all they could do was point me to some freeware syslog
> > daemons for Windows.

Put an entry like,

  +router.hostname
  *.*                                     /var/log/router.log

In your syslog.conf. Run syslogd like,

  # syslogd -vv -a router.hostname

To see what facility it is using (probably one of the local[0-7]
ones). After you see what it is up to, do some fine tuning.

> > > If nothing else works, enable a firewall on the destination box set to
> > > log everything, and see what's getting sent to it.
> > So if I do this, will I see the "name" I need above? What are some good "how
> > to's" for doing this? I assume there's something in the handbook. Anywhere
> > else you'd recommend I look?

A better idea is to turn on tcpdump(8) to catch the packets,

  # tcpdump -s1500 -nvv 'udp && port 514'

I forget at what level of detail tcpdump(8) prints them. If you don't
see the facility, level, and message, do,

  # tcpdump -s1500 -nvvX 'udp && port 514'

And read the packets on your own.
-- 
Crist J. Clark                          cjclark@alum.mit.edu
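As an added example (not code from this list post), here is what "reading the packets on your own" amounts to: the payload of each syslog datagram on UDP 514 starts with a `<PRI>` field, where PRI = facility * 8 + level, so decoding it gives the facility.level selector to put under the `+router.hostname` block. The sample datagrams are constructed, and facility numbers 12-15 are reported numerically because their names differ between implementations.

```python
"""Decode the PRI field of BSD-style (RFC 3164) syslog UDP datagrams.

Given raw payloads as seen with `tcpdump -X` on UDP port 514, recover the
facility and level so a syslog.conf selector can be written for the sender.
"""
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facilities 0-11 and 16-23 have the same names in syslog.h and RFC 3164;
# 12-15 vary between implementations, so they are only reported by number.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"]
              + ["facility%d" % n for n in range(12, 16)]
              + ["local%d" % n for n in range(8)])

PRI_RE = re.compile(rb"^<(\d{1,3})>")
DEFAULT_PRI = 13  # user.notice: what RFC 3164 assigns to a message with no <PRI>


def decode(payload: bytes) -> dict:
    """Return facility, level, the syslog.conf selector and the message body."""
    m = PRI_RE.match(payload)
    if m and int(m.group(1)) <= 191:  # 23*8 + 7 is the largest legal PRI
        pri, body = int(m.group(1)), payload[m.end():]
    else:
        pri, body = DEFAULT_PRI, payload  # missing or malformed PRI: user.notice
    facility, severity = pri >> 3, pri & 7
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "selector": "%s.%s" % (FACILITIES[facility], SEVERITIES[severity]),
        "message": body.decode("ascii", errors="replace").strip(),
    }


# Constructed sample datagrams standing in for what a router might send.
SAMPLES = [
    b"<134>Jun 29 01:10:02 router pppoe: link up",      # local0.info
    b"<12>Jun 29 01:10:05 router dhcp: lease expired",  # user.warning
    b"router rebooted",                                 # no PRI field at all
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        d = decode(pkt)
        print("%-16s %s" % (d["selector"], d["message"]))
```

The selector printed for each packet is the one to use (or widen to `*.*`) under the hostname block in syslog.conf.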