Date:      Tue, 29 Nov 2011 10:18:23 +0800
From:      Fbsd8 <fbsd8@a1poweruser.com>
To:        Kaya Saman <kayasaman@gmail.com>
Cc:        Adam Vande More <amvandemore@gmail.com>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: Alternative to syslogd that actually writes external logs to files?
Message-ID:  <4ED440EF.8000604@a1poweruser.com>
In-Reply-To: <4ED3CE66.4020903@gmail.com>
References:  <4ED38578.1000501@gmail.com> <CA+tpaK0rkWX8G3hiapZkutK6xvb+c0z6aTK=U=RsC=Pk68mCEA@mail.gmail.com> <4ED3CE66.4020903@gmail.com>

Kaya Saman wrote:
> [...snip...]
>> Properly configured, syslogd will log remotely.  However something 
>> like sysutils/rsyslog may fit your requirements better.
>>
>> -- 
>> Adam Vande More
> 
> Thanks for that. I have tested rsyslog which is backwards compatible 
> with syslog but again something failed with that in order to write to 
> the created logfile???
> 
> 
> Here is my config just in case something hinky can be seen; although have 
> already posted it (with minimal responses) in a heading: Syslog server 
> not logging remote machines to file? {basically please don't lynch me 
> for double posting!!}
> 
> 
> /etc/rc.conf
> 
> syslogd_enable="YES"
> syslog_flags=""
> syslogd_flags="-b 192.168.1.120 -a 192.168.1.1/24:* -C"
> #syslogd_flags="-d -b 192.168.1.120 -a 192.168.1.1/24:* -vv -C"
> #syslogd_flags="-c"
> #rsyslogd_enable="YES"
> #rsyslogd_pidfile="/var/run/syslog.pid"
> #rsyslogd_config="/etc/syslog.conf"
> #rsyslogd_klog_enable="YES"
> #rsyslogd_flags="-d"
> 
> 
> The extra addition to /etc/syslog.conf under the ppp statement
> 
> !*
> +192.168.1.1
> *.*                        /var/log/cisco857w.log
> 
> 
> Debug from tcpdump:
> 
> 
> # tcpdump -tlnvv -i em0 port 514
> tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 
> bytes
> IP (tos 0x0, ttl 255, id 337, offset 0, flags [none], proto UDP (17), 
> length 122)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>     Facility local7 (23), Severity debug (7)
>     Msg: 10040: 010027: Nov 19 10:28:04.322: ISAKMP:(0): S[|syslog]
> IP (tos 0x0, ttl 255, id 338, offset 0, flags [none], proto UDP (17), 
> length 122)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>     Facility local7 (23), Severity debug (7)
>     Msg: 10041: 010028: Nov 19 10:28:04.326: ISAKMP:(0): S[|syslog]
> IP (tos 0x0, ttl 255, id 339, offset 0, flags [none], proto UDP (17), 
> length 142)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
>     Facility local7 (23), Severity notice (5)
>     Msg: 10042: 010029: Nov 19 10:28:04.770: %SYS-5-CONFIG[|syslog]
> IP (tos 0x0, ttl 255, id 340, offset 0, flags [none], proto UDP (17), 
> length 122)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>     Facility local7 (23), Severity debug (7)
>     Msg: 10043: 010030: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
> IP (tos 0x0, ttl 255, id 341, offset 0, flags [none], proto UDP (17), 
> length 122)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>     Facility local7 (23), Severity debug (7)
>     Msg: 10044: 010031: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
> IP (tos 0x0, ttl 255, id 342, offset 0, flags [none], proto UDP (17), 
> length 189)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 161
>     Facility local7 (23), Severity info (6)
>     Msg: 10045: 010032: Nov 19 10:30:36.455: %DOT11-6-ASSO[|syslog]
> IP (tos 0x0, ttl 255, id 343, offset 0, flags [none], proto UDP (17), 
> length 203)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 175
>     Facility local7 (23), Severity info (6)
>     Msg: 10046: 010033: Nov 19 10:30:47.643: %DOT11-6-DISA[|syslog]
> 
> 
> 
> Debug from syslogd:
> 
> 
> 
> # /etc/rc.d/syslogd restart
> syslogd not running? (check /var/run/syslog.pid).
> Starting syslogd.
> allowaddr: rule 0: numeric, addr = 192.168.1.0, mask = 255.255.255.0; 
> port = 0
> listening on inet and/or inet6 socket
> sending on inet and/or inet6 socket
> off & running....
> init
> cfline("*.err;kern.warning;auth.notice;mail.crit        /dev/console", 
> f, "*", "+Server.domain")
> cfline("*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err    
> /var/log/messages", f, "*", "+Server.domain")
> cfline("security.*                    /var/log/security", f, "*", 
> "+Server.domain")
> cfline("auth.info;authpriv.info                /var/log/auth.log", f, 
> "*", "+Server.domain")
> cfline("mail.info                    /var/log/maillog", f, "*", 
> "+Server.domain")
> cfline("lpr.info                    /var/log/lpd-errs", f, "*", 
> "+Server.domain")
> cfline("ftp.info                    /var/log/xferlog", f, "*", 
> "+Server.domain")
> cfline("cron.*                        /var/log/cron", f, "*", 
> "+Server.domain")
> cfline("*.=debug                    /var/log/debug.log", f, "*", 
> "+Server.domain")
> cfline("*.emerg                        *", f, "*", "+Server.domain")
> cfline("*.*                        /var/log/ppp.log", f, "ppp", 
> "+Server.domain")
> cfline("*.*                        /var/log/cisco857w.log", f, "*", 
> "+192.168.1.1")
> 4 3 2 3 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X CONSOLE: /dev/console
> 7 5 2 5 5 5 6 3 5 5 X 5 5 5 5 5 5 5 5 5 5 5 5 X X FILE: /var/log/messages
> X X X X X X X X X X X X X 7 X X X X X X X X X X X FILE: /var/log/security
> X X X X 6 X X X X X 6 X X X X X X X X X X X X X X FILE: /var/log/auth.log
> X X 6 X X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/maillog
> X X X X X X 6 X X X X X X X X X X X X X X X X X X FILE: /var/log/lpd-errs
> X X X X X X X X X X X 6 X X X X X X X X X X X X X FILE: /var/log/xferlog
> X X X X X X X X X 7 X X X X X X X X X X X X X X X FILE: /var/log/cron
> 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/debug.log
> 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:
> 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/ppp.log 
> (ppp)
> 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: 
> /var/log/cisco857w.log
> logmsg: pri 56, flags 4, from Server, msg syslogd: restart
> syslogd: restarted
> logmsg: pri 6, flags 4, from Server, msg syslogd: kernel boot file is 
> /boot/kernel/kernel
> Logging to FILE /var/log/messages
> syslogd: kernel boot file is /boot/kernel/kernel
> logmsg: pri 166, flags 17, from Server, msg Nov 19 12:33:34 <syslog.err> 
> Server syslogd: exiting on signal 2
> cvthname(192.168.1.1)
> validate: dgram from IP 192.168.1.1, port 59189, name router.domain;
> accepted in rule 0.
> logmsg: pri 275, flags 0, from cisco857w, msg 10048: 010035: Nov 19 
> 10:33:48.037: %SYS-5-CONFIG_I: Configured from console by admin on vty0 
> (192.168.1.120)
> 
> 
> 
> 
> And finally permissions for the log file to be 'logged' to:
> 
> 
> 
> # ls -l /var/log/cisco857w.log
> -rw-------  1 root  wheel  0 Nov 18 16:32 /var/log/cisco857w.log
> 
> 
> 
> 
> 
> I actually tried the same setup with rsyslog and even amended the file 
> as such:
> 
> 
> 
> !Cisco857w
> :fromhost-ip, isequal, "192.168.1.1"    /var/log/cisco857w.log
> 
> 
> 
> while commenting out the rest of the legacy syslogd information 
> regarding the device at hand. But still unfortunately no luck :-(
> 
> 
> I really need to get this going as I need to be able to track what's 
> going on at the network level.
> 
> 
> Thanks to Robert Bonomi, the error was thought to be here: logmsg: pri 
> 275 with the log priority value. I did manage to change that using the 
> Cisco command: logging facility kern - to give the message a 'higher' 
> priority value of which outputted this:
> 
> 
> 
> accepted in rule 0.
> logmsg: pri 15, flags 0, from cisco857w, msg 10146: 010133: Nov 19 
> 23:05:54.538: %SYS-5-CONFIG_I: Configured from console by admin on vty0 
> (192.168.0.53
> 
> 
> 
> but whatever happens it doesn't even try to attempt to log the 
> information to file after receiving it.......
> 
> 
> 
> 
> Regards,
> 
> 
> 
> Kaya
> 

You have never said if you restarted syslog after making your changes to 
syslog.conf; you have to reboot your box or restart syslog for the 
changes to take effect.
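As an added example (not code from the thread and not FreeBSD syslogd's own code), a small Python model of the three checks a remote datagram passes under the configuration quoted above: the -a allowed-peer rule, the <PRI> decode, and the +192.168.1.1 block that selects /var/log/cisco857w.log. The facility-range check is the model's own, chosen to show why a pri of 275 (facility 34) looks suspicious: it has no column in the 24-facility matrix that the syslogd debug output prints; the rule strings, block mapping and datagram are constructed from the thread.

```python
import ipaddress
import re

# Constructed inputs modelled on the thread's configuration (not syslogd's code):
ALLOWED_PEERS = ["192.168.1.1/24:*"]                     # syslogd_flags -a rule
HOST_BLOCKS = {"192.168.1.1": "/var/log/cisco857w.log"}  # "+192.168.1.1" block, "*.*"
NFACILITIES = 24                                         # facility columns 0..23
PRI_RE = re.compile(r"^<(\d{1,3})>")

def peer_allowed(src_ip, src_port, rules=ALLOWED_PEERS):
    """Model of -a addr/mask:port. The mask is applied to the rule address as
    well, so 192.168.1.1/24 accepts the whole 192.168.1.0/24 network; a port
    of '*' matches any source port, otherwise it must equal the sender's."""
    for rule in rules:
        addr, _, port = rule.partition(":")
        net = ipaddress.ip_network(addr, strict=False)  # strict=False zeroes host bits
        if ipaddress.ip_address(src_ip) in net and port in ("*", str(src_port)):
            return True
    return False

def decode_pri(msg):
    """Split <PRI> into (facility, severity, text); PRI = facility * 8 + severity."""
    m = PRI_RE.match(msg)
    if not m:
        return None, None, msg          # no header: the model leaves it unprioritised
    pri = int(m.group(1))
    return pri >> 3, pri & 7, msg[m.end():]

def route(src_ip, src_port, msg):
    """Return the log file a datagram would reach, or why the model stops it."""
    if not peer_allowed(src_ip, src_port):
        return "rejected: no -a rule matches %s:%d" % (src_ip, src_port)
    fac, sev, _ = decode_pri(msg)
    if fac is not None and fac >= NFACILITIES:
        # e.g. <275>: facility 34 has no column in the 24-facility matrix
        return "unroutable: facility %d outside 0..%d" % (fac, NFACILITIES - 1)
    dest = HOST_BLOCKS.get(src_ip)
    return dest if dest else "no +host block for %s" % src_ip

# Constructed datagram in the shape tcpdump showed: local7 (23) * 8 + notice (5) = 189.
SAMPLE = "<189>10048: 010035: Nov 19 10:33:48.037: %SYS-5-CONFIG_I: Configured from console"

if __name__ == "__main__":
    print(route("192.168.1.1", 59189, SAMPLE))                # /var/log/cisco857w.log
    print(route("192.168.1.1", 59189, "<275>" + SAMPLE[5:]))  # unroutable: facility 34 ...
    print(route("192.168.2.7", 59189, SAMPLE))                # rejected: no -a rule ...
```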


