Date:      Tue, 29 Nov 2011 01:42:23 +0200
From:      Kaya Saman <>
Subject:   Re: Alternative to syslogd that actually writes external logs to files?

On 11/28/2011 08:58 PM, Damien Fleuriot wrote:
> On 11/28/11 7:09 PM, Kaya Saman wrote:
>> [...snip...]
>>> Properly configured, syslogd will log remotely.  However something
>>> like sysutils/rsyslog may fit your requirements better.
>>> -- 
>>> Adam Vande More
>> Thanks for that. I have tested rsyslog which is backwards compatible
>> with syslog but again something failed with that in order to write to
>> the created logfile???
> We have absolutely no problems whatsoever with rsyslogd here.
> It runs on our FreeBSD firewall boxes and logs both to local files and
> a remote server running rsyslogd on debian.
> Additionally and in reply to your need to track what happens on your
> network, I very highly recommend Observium which we have been running
> for over 18 months now and which I use on an almost daily basis.
> The icing on the cake is that you'll be able to export your logs to
> Observium directly.
Thanks for the vote of confidence!

I have set syslogd to run on the loopback and rsyslogd to run on the 
local IP address.

Here is my config file for rsyslog:

$ModLoad   # provides --MARK-- message capability
$ModLoad # provides support for local system logging
$ModLoad   # kernel logging
$ModLoad imudp
$UDPServerRun 514
$RuleSet Cisco857w
#:msg, contains, ""    /var/log/cisco857w.log
:fromhost-ip, isequal, ""    /var/log/cisco857w.log

According to the rule, anything coming in from should be 
logged to /var/log/cisco857.log

From rsyslog debug mode I was able to find that the rule was in place 
and should be performing properly:

0302.998028819:800c041c0: ruleset 0x800c2b0a0: rsyslog ruleset Cisco857w:
0302.998046140:800c041c0: rule 0x800c14d80: rsyslog rule:
0302.998058991:800c041c0: PROPERTY-BASED Filter:
0302.998070165:800c041c0:       Property.: 'fromhost-ip'
0302.998080781:800c041c0:       Operation: 'isequal'
0302.998099499:800c041c0:       Value....: ''
0302.998109835:800c041c0:       Action...:
0302.998127435:800c041c0: builtin-file: /var/log/cisco857w.log
0302.998143918:800c041c0:       template='/var/log/cisco857w.log'
0302.998153696:800c041c0:       use async writer=0
0302.998165150:800c041c0:       flush on TX end=1
0302.998175766:800c041c0:       flush interval=1
0302.998186661:800c041c0:       file cache size=10
0302.998198115:800c041c0:       create directories: yes
0302.998208451:800c041c0:       file owner 0, group 0
0302.998218788:800c041c0:       force chown() for all files: no
0302.998229683:800c041c0:       directory owner 0, group 0
0302.998240020:800c041c0:       dir create mode 0700, file create mode 0644
0302.998254267:800c041c0:       fail if owner/group can not be set: no

However, when using tcpdump it shows that rsyslog is in fact receiving 
information but still unfortunately not logging to file???

# tcpdump -tlnvv -i em0 port 514
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 
IP (tos 0x0, ttl 255, id 1875, offset 0, flags [none], proto UDP (17), 
length 142) > SYSLOG, length: 114
     Facility local7 (23), Severity notice (5)
     Msg: 11578: 011565: Nov 28 23:34:19.475: %SYS-5-CONFIG[|syslog]

File permissions are correct as I got rsyslog to create the file from 

What am I missing here?
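The situation above (datagrams visible in tcpdump, nothing in the file) can be narrowed down with a small end-to-end probe. The script below is an added example, not something posted in this thread: it builds a BSD-style syslog datagram with the same facility/severity the Cisco box uses (local7.notice), sends it to the rsyslog listener, and then polls the expected logfile for a unique marker. The listener address, port and logfile path are assumptions passed on the command line; the hostname and tag in the message are constructed.

```python
#!/usr/bin/env python3
"""Probe: send a constructed syslog/UDP message to an rsyslog listener and
report whether it shows up in the expected file. Added diagnostic; the
listener IP, port and logfile are assumed and passed as arguments."""
import socket
import sys
import time

FACILITY_LOCAL7 = 23   # facility seen in the tcpdump output above
SEVERITY_NOTICE = 5    # severity seen in the tcpdump output above


def build_syslog_message(facility, severity, hostname, tag, text):
    """Build a BSD-style syslog line: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = facility * 8 + severity             # local7.notice -> <189>
    stamp = time.strftime("%b %d %H:%M:%S")   # e.g. "Nov 28 23:34:19"
    return f"<{pri}>{stamp} {hostname} {tag}: {text}".encode()


def parse_pri(data):
    """Recover (facility, severity) from the <PRI> prefix of a datagram."""
    head = data.decode(errors="replace")
    if not head.startswith("<") or ">" not in head:
        raise ValueError("no PRI field")
    pri = int(head[1:head.index(">")])
    return pri // 8, pri % 8


def wait_for_line(path, needle, timeout=5.0):
    """True once `needle` appears in the file at `path`; polls because
    rsyslog may hold the line briefly before flushing."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with open(path, "rb") as fh:
                if needle.encode() in fh.read():
                    return True
        except FileNotFoundError:
            pass
        time.sleep(0.2)
    return False


def main(listener_ip, logfile, port=514):
    marker = f"rsyslog-probe-{int(time.time())}"   # unique, greppable
    msg = build_syslog_message(FACILITY_LOCAL7, SEVERITY_NOTICE,
                               "router-test", "PROBE", marker)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (listener_ip, port))   # should appear in tcpdump
    ok = wait_for_line(logfile, marker)
    print("written to file" if ok else "not written within timeout")
    return ok


if __name__ == "__main__":
    sys.exit(0 if main(sys.argv[1], sys.argv[2]) else 1)
```

Run it as `python3 probe.py <listener-ip> /var/log/cisco857w.log` while tcpdump is watching port 514: if the datagram is on the wire but the marker never lands in the file, the problem is inside rsyslog's rule handling rather than the network path.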
