From: David Alanis
To: freebsd-questions@freebsd.org
Date: Mon, 24 Nov 2008 12:05:52 -0600
Message-ID: <20081124120552.5l2vjjzjxpgkw04k@mail.dalan.us>
In-Reply-To: <20081121060619.GA1057@gmail.com>
Subject: Syslog Suggestion - Help!

Good Day,

A few days ago, I put FreeBSD on a Netra X1 to serve as our primary log host for our network devices, primarily to log for our CISCO ASA firewall.

Once I configured syslog to capture remotely, I realized that syslog by default logs local information to /var/log/messages via *.err, *.info, amongst others, causing duplicate firewall logs in /var/log/messages and in /var/log/firewall/logs.

My syslog: http://www.dalan.us/download/log

From what I understand, in syslog.conf I can specify a process id (or string?, e.g. ftpd) and give it an action, thus redirecting messages sent to the wrong facility so they are logged in the proper place, as in my example given below:

    !ftpd
    ftpd.err    /var/log/ftp/1.log
    ftpd.info   /var/log/ftp/2.log

I fired up tcpdump and saw the following:

    09:47:28.413584 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 154
    09:47:28.413596 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 155
    09:47:28.415157 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 134
    09:47:28.415166 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 178

So the big question is, what best method can I employ to stop syslog from duplicating these messages? Can I use SYSLOG as a string?

    !SYSLOG
    local7.err  /var/log/firewall/log
    local7.info /var/log/firewall/1.log

Alternative?

    +firewall
    local7.err  /var/log/firewall/log
    local7.info /var/log/firewall/1.log

Lastly, I quickly reviewed syslog-ng, but I really want to keep this as simple as possible, so no.

Thanks much for your help!

David
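A worked illustration of the duplication described above and of one way to stop it, added here as an example and not part of the original message or of FreeBSD's own code: a small Python model of how syslogd evaluates syslog.conf selectors. It assumes a constructed config in the shape the post describes (a catch-all *.info line feeding /var/log/messages) and models only facility.level selectors, not the !prog or +host blocks the post asks about.

```python
# Added example: a small model of how FreeBSD syslogd evaluates syslog.conf
# selectors, showing why a local7.info message lands in two files and how
# 'local7.none' on the /var/log/messages line stops it. Only facility.level
# selectors with ';' and ',' lists, '*' and 'none' are modelled here.

# syslog severities, most severe first; a selector level accepts itself and
# everything more severe (a smaller index)
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed config in the shape the post describes: a catch-all *.info line
# for /var/log/messages plus the remote-capture line for the firewall.
DUPLICATING_CONF = """
*.info                /var/log/messages
local7.*              /var/log/firewall/log
"""

# Same config with local7 explicitly excluded from /var/log/messages.
FIXED_CONF = """
*.info;local7.none    /var/log/messages
local7.*              /var/log/firewall/log
"""

def parse(conf):
    """Return [(items, action)]; items are (facility, level) pairs in the
    order written, with 'none' kept as the literal level 'none'."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split()
        items = []
        for spec in selector.split(";"):
            facilities, level = spec.rsplit(".", 1)
            items.extend((fac, level) for fac in facilities.split(","))
        rules.append((items, action))
    return rules

def destinations(conf, facility, level):
    """Files that a message with this facility and level is written to."""
    files = []
    for items, action in parse(conf):
        threshold = None
        for fac, lvl in items:  # left to right; later entries override earlier
            if fac in ("*", facility):
                threshold = lvl
        if threshold == "*" or (threshold not in (None, "none")
                                and LEVELS.index(level) <= LEVELS.index(threshold)):
            files.append(action)
    return files
```

Calling destinations(DUPLICATING_CONF, "local7", "info") returns both files, while the same call against FIXED_CONF returns only /var/log/firewall/log; the .none exclusion works for whichever selectors feed /var/log/messages in a real config.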