Date:      Tue, 29 Nov 2011 04:27:11 +0200
From:      Kaya Saman <kayasaman@gmail.com>
To:        Fbsd8 <fbsd8@a1poweruser.com>
Cc:        Adam Vande More <amvandemore@gmail.com>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: Alternative to syslogd that actually writes external logs to files?
Message-ID:  <4ED442FF.4030206@gmail.com>
In-Reply-To: <4ED440EF.8000604@a1poweruser.com>
References:  <4ED38578.1000501@gmail.com>	<CA+tpaK0rkWX8G3hiapZkutK6xvb+c0z6aTK=U=RsC=Pk68mCEA@mail.gmail.com> <4ED3CE66.4020903@gmail.com> <4ED440EF.8000604@a1poweruser.com>

On 11/29/2011 04:18 AM, Fbsd8 wrote:
> Kaya Saman wrote:
>> [...snip...]
>>> Properly configured, syslogd will log remotely.  However something 
>>> like sysutils/rsyslog may fit your requirements better.
>>>
>>> -- 
>>> Adam Vande More
>>
>> Thanks for that. I have tested rsyslog which is backwards compatible 
>> with syslog but again something failed with that in order to write to 
>> the created logfile???
>>
>>
>> Here is my config just in case something hinky can be seen; although 
>> have already posted it (with minimal responses) in a heading: Syslog 
>> server not logging remote machines to file? {basically please don't 
>> lynch me for double posting!!}
>>
>>
>> /etc/rc.conf
>>
>> syslogd_enable="YES"
>> syslog_flags=""
>> syslogd_flags="-b 192.168.1.120 -a 192.168.1.1/24:* -C"
>> #syslogd_flags="-d -b 192.168.1.120 -a 192.168.1.1/24:* -vv -C"
>> #syslogd_flags="-c"
>> #rsyslogd_enable="YES"
>> #rsyslogd_pidfile="/var/run/syslog.pid"
>> #rsyslogd_config="/etc/syslog.conf"
>> #rsyslogd_klog_enable="YES"
>> #rsyslogd_flags="-d"
>>
>>
>> The extra addition to /etc/syslog.conf under the ppp statement
>>
>> !*
>> +192.168.1.1
>> *.*                        /var/log/cisco857w.log
>>
>>
>> Debug from tcpdump:
>>
>>
>> # tcpdump -tlnvv -i em0 port 514
>> tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 
>> 96 bytes
>> IP (tos 0x0, ttl 255, id 337, offset 0, flags [none], proto UDP (17), 
>> length 122)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>>     Facility local7 (23), Severity debug (7)
>>     Msg: 10040: 010027: Nov 19 10:28:04.322: ISAKMP:(0): S[|syslog]
>> IP (tos 0x0, ttl 255, id 338, offset 0, flags [none], proto UDP (17), 
>> length 122)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>>     Facility local7 (23), Severity debug (7)
>>     Msg: 10041: 010028: Nov 19 10:28:04.326: ISAKMP:(0): S[|syslog]
>> IP (tos 0x0, ttl 255, id 339, offset 0, flags [none], proto UDP (17), 
>> length 142)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
>>     Facility local7 (23), Severity notice (5)
>>     Msg: 10042: 010029: Nov 19 10:28:04.770: %SYS-5-CONFIG[|syslog]
>> IP (tos 0x0, ttl 255, id 340, offset 0, flags [none], proto UDP (17), 
>> length 122)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>>     Facility local7 (23), Severity debug (7)
>>     Msg: 10043: 010030: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
>> IP (tos 0x0, ttl 255, id 341, offset 0, flags [none], proto UDP (17), 
>> length 122)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>>     Facility local7 (23), Severity debug (7)
>>     Msg: 10044: 010031: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
>> IP (tos 0x0, ttl 255, id 342, offset 0, flags [none], proto UDP (17), 
>> length 189)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 161
>>     Facility local7 (23), Severity info (6)
>>     Msg: 10045: 010032: Nov 19 10:30:36.455: %DOT11-6-ASSO[|syslog]
>> IP (tos 0x0, ttl 255, id 343, offset 0, flags [none], proto UDP (17), 
>> length 203)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 175
>>     Facility local7 (23), Severity info (6)
>>     Msg: 10046: 010033: Nov 19 10:30:47.643: %DOT11-6-DISA[|syslog]
>>
>>
>>
>> Debug from syslogd:
>>
>>
>>
>> # /etc/rc.d/syslogd restart
>> syslogd not running? (check /var/run/syslog.pid).
>> Starting syslogd.
>> allowaddr: rule 0: numeric, addr = 192.168.1.0, mask = 255.255.255.0; 
>> port = 0
>> listening on inet and/or inet6 socket
>> sending on inet and/or inet6 socket
>> off & running....
>> init
>> cfline("*.err;kern.warning;auth.notice;mail.crit        
>> /dev/console", f, "*", "+Server.domain")
>> cfline("*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err    
>> /var/log/messages", f, "*", "+Server.domain")
>> cfline("security.*                    /var/log/security", f, "*", 
>> "+Server.domain")
>> cfline("auth.info;authpriv.info                /var/log/auth.log", f, 
>> "*", "+Server.domain")
>> cfline("mail.info                    /var/log/maillog", f, "*", 
>> "+Server.domain")
>> cfline("lpr.info                    /var/log/lpd-errs", f, "*", 
>> "+Server.domain")
>> cfline("ftp.info                    /var/log/xferlog", f, "*", 
>> "+Server.domain")
>> cfline("cron.*                        /var/log/cron", f, "*", 
>> "+Server.domain")
>> cfline("*.=debug                    /var/log/debug.log", f, "*", 
>> "+Server.domain")
>> cfline("*.emerg                        *", f, "*", "+Server.domain")
>> cfline("*.*                        /var/log/ppp.log", f, "ppp", 
>> "+Server.domain")
>> cfline("*.*                        /var/log/cisco857w.log", f, "*", 
>> "+192.168.1.1")
>> 4 3 2 3 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X CONSOLE: /dev/console
>> 7 5 2 5 5 5 6 3 5 5 X 5 5 5 5 5 5 5 5 5 5 5 5 X X FILE: 
>> /var/log/messages
>> X X X X X X X X X X X X X 7 X X X X X X X X X X X FILE: 
>> /var/log/security
>> X X X X 6 X X X X X 6 X X X X X X X X X X X X X X FILE: 
>> /var/log/auth.log
>> X X 6 X X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/maillog
>> X X X X X X 6 X X X X X X X X X X X X X X X X X X FILE: 
>> /var/log/lpd-errs
>> X X X X X X X X X X X 6 X X X X X X X X X X X X X FILE: /var/log/xferlog
>> X X X X X X X X X 7 X X X X X X X X X X X X X X X FILE: /var/log/cron
>> 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: 
>> /var/log/debug.log
>> 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:
>> 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: 
>> /var/log/ppp.log (ppp)
>> 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: 
>> /var/log/cisco857w.log
>> logmsg: pri 56, flags 4, from Server, msg syslogd: restart
>> syslogd: restarted
>> logmsg: pri 6, flags 4, from Server, msg syslogd: kernel boot file is 
>> /boot/kernel/kernel
>> Logging to FILE /var/log/messages
>> syslogd: kernel boot file is /boot/kernel/kernel
>> logmsg: pri 166, flags 17, from Server, msg Nov 19 12:33:34 
>> <syslog.err> Server syslogd: exiting on signal 2
>> cvthname(192.168.1.1)
>> validate: dgram from IP 192.168.1.1, port 59189, name router.domain;
>> accepted in rule 0.
>> logmsg: pri 275, flags 0, from cisco857w, msg 10048: 010035: Nov 19 
>> 10:33:48.037: %SYS-5-CONFIG_I: Configured from console by admin on 
>> vty0 (192.168.1.120)
>>
>>
>>
>>
>> And finally permissions for the log file to be 'logged' to:
>>
>>
>>
>> # ls -l /var/log/cisco857w.log
>> -rw-------  1 root  wheel  0 Nov 18 16:32 /var/log/cisco857w.log
>>
>>
>>
>>
>>
>> I actually tried the same setup with rsyslog and even amended the 
>> file as such:
>>
>>
>>
>> !Cisco857w
>> :fromhost-ip, isequal, "192.168.1.1"    /var/log/cisco857w.log
>>
>>
>>
>> while commenting out the rest of the legacy syslogd information 
>> regarding the device at hand. But still unfortunately no luck :-(
>>
>>
>> I really need to get this going as I need to be able to track what's 
>> going on at the network level.
>>
>>
>> Thanks to Robert Bonomi, the error was thought to be here: logmsg: 
>> pri 275 with the log priority value. I did manage to change that 
>> using the Cisco command: logging facility kern - to give the message 
>> a 'higher' priority value, which output this:
>>
>>
>>
>> accepted in rule 0.
>> logmsg: pri 15, flags 0, from cisco857w, msg 10146: 010133: Nov 19 
>> 23:05:54.538: %SYS-5-CONFIG_I: Configured from console by admin on 
>> vty0 (192.168.0.53
>>
>>
>>
>> but whatever happens it doesn't even try to attempt to log the 
>> information to file after receiving it.......
>>
>>
>>
>>
>> Regards,
>>
>>
>>
>> Kaya
>>
>
> You have never said if you restarted syslog after making your changes 
> to syslog.conf, you have to reboot your box or restart syslog for the 
> changes to take effect.

Sorry if not mentioned......

I assumed that it was common practice to run:

ps aux | grep rsyslog
kill <pid>
/usr/local/etc/rc.d/rsyslogd restart

which is what I have been doing since day 1.
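As an added diagnostic aid for the `syslogd -d` trace quoted in this thread (my own code, not anything posted by the participants): it decodes the `logmsg:` lines, where FreeBSD's syslogd prints `pri` in octal and `flags` in hex, so `pri 275` is decimal 189, local7.notice, exactly what tcpdump showed for the same packet, and it applies a syslog.conf `+host`/`-host` block to the sender name. Assumptions, not stated in the thread: the block spec is compared against the name syslogd attaches to the message (the `from ...` field in the trace), so an IP literal only matches when that field is the IP rather than a resolved hostname, and facility-kern messages from the network are remapped to facility user unless syslogd runs with `-k`; all function and variable names are mine.

```python
import re

# Facility numbers per syslog(3); FreeBSD adds ntp/security/console at 12-14.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp", 12: "ntp", 13: "security",
              14: "console", 16: "local0", 17: "local1", 18: "local2",
              19: "local3", 20: "local4", 21: "local5", 22: "local6",
              23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Shape of the debug line: syslogd uses "%o" for pri and "%x" for flags.
LOGMSG_RE = re.compile(r"logmsg: pri (\d+), flags ([0-9a-fA-F]+), from (\S+), msg (.*)")


def decode_logmsg(line):
    """Parse one 'logmsg:' line from 'syslogd -d' into facility/severity."""
    m = LOGMSG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group(1), 8)          # octal in the trace, not decimal
    fac, sev = pri >> 3, pri & 7      # <pri> = facility * 8 + severity
    return {"pri": pri,
            "facility": FACILITIES.get(fac, "fac%d" % fac),
            "severity": SEVERITIES[sev],
            "flags": int(m.group(2), 16),
            "from": m.group(3),
            "msg": m.group(4)}


def host_block_matches(spec, sender):
    """Apply a '+host[,host...]' / '-host[,host...]' block to the sender name.

    Assumption: syslogd compares the comma-separated names case-insensitively
    against the name it attached to the message ('from' in the trace).
    '*' or no spec means every host.
    """
    if spec is None or spec == "*":
        return True
    exclude = spec.startswith("-")
    names = {n.lower() for n in spec.lstrip("+-").split(",") if n}
    explicit = sender.lower() in names
    return (not explicit) if exclude else explicit


def would_deliver(line, host_spec):
    """True if the host block in syslog.conf would let this debug line through."""
    rec = decode_logmsg(line)
    return rec is not None and host_block_matches(host_spec, rec["from"])


if __name__ == "__main__":
    # Line copied from the trace in this thread (ellipsis mine).
    trace = "logmsg: pri 275, flags 0, from cisco857w, msg 10048: 010035: Nov 19 ..."
    print(decode_logmsg(trace))
    print("+192.168.1.1 delivers:", would_deliver(trace, "+192.168.1.1"))
```

Run against the quoted trace, the `+192.168.1.1` block rejects a message whose sender name is `cisco857w`; only a sender name that is literally the IP (for example when syslogd runs with `-n`) passes.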
