From owner-freebsd-questions@FreeBSD.ORG Mon Nov 28 23:42:29 2011
Message-ID: <4ED41C5F.3030906@gmail.com>
Date: Tue, 29 Nov 2011 01:42:23 +0200
From: Kaya Saman
To: freebsd-questions@freebsd.org
References: <4ED38578.1000501@gmail.com> <4ED3CE66.4020903@gmail.com> <4ED3D9BF.701@my.gd>
In-Reply-To: <4ED3D9BF.701@my.gd>
Subject: Re: Alternative to syslogd that actually writes external logs to files?

On 11/28/2011 08:58 PM, Damien Fleuriot wrote:
> On 11/28/11 7:09 PM, Kaya Saman wrote:
>> [...snip...]
>>> Properly configured, syslogd will log remotely. However something
>>> like sysutils/rsyslog may fit your requirements better.
>>>
>>> --
>>> Adam Vande More
>> Thanks for that. I have tested rsyslog which is backwards compatible
>> with syslog but again something failed with that in order to write to
>> the created logfile???
>>
>
> We have absolutely no problems whatsoever with rsyslogd here.
>
> It runs on our FreeBSD firewall boxes and logs both to local files and
> a remote server running rsyslogd on debian.
>
> Additionally and in reply to your need to track what happens on your
> network, I very highly recommend Observium which we have been running
> for over 18 months now and which I use on an almost daily basis.
>
> http://www.observium.org/wiki/Main_Page
>
> The icing on the cake is that you'll be able to export your logs to
> Observium directly.

Thanks for the vote of confidence!

I have set syslogd to run on the loopback and rsyslogd to run on the local IP address.
Here is my config file for rsyslog:

$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging
$ModLoad imklog.so # kernel logging
$ModLoad imudp
$UDPServerAddress 192.168.1.120
$UDPServerRun 514

$RuleSet Cisco857w
#:msg, contains, "192.168.1.1" /var/log/cisco857w.log
:fromhost-ip, isequal, "192.168.1.1" /var/log/cisco857w.log

According to the rule anything coming in from 192.168.1.1 should be logged to /var/log/cisco857w.log

From rsyslog debug mode I was able to find that the rule was in place and should be performing properly:

0302.998028819:800c041c0: ruleset 0x800c2b0a0: rsyslog ruleset Cisco857w:
0302.998046140:800c041c0: rule 0x800c14d80: rsyslog rule:
0302.998058991:800c041c0: PROPERTY-BASED Filter:
0302.998070165:800c041c0: Property.: 'fromhost-ip'
0302.998080781:800c041c0: Operation: 'isequal'
0302.998099499:800c041c0: Value....: '192.168.1.1'
0302.998109835:800c041c0: Action...: Actions:
0302.998127435:800c041c0: builtin-file: /var/log/cisco857w.log
0302.998143918:800c041c0: template='/var/log/cisco857w.log'
0302.998153696:800c041c0: use async writer=0
0302.998165150:800c041c0: flush on TX end=1
0302.998175766:800c041c0: flush interval=1
0302.998186661:800c041c0: file cache size=10
0302.998198115:800c041c0: create directories: yes
0302.998208451:800c041c0: file owner 0, group 0
0302.998218788:800c041c0: force chown() for all files: no
0302.998229683:800c041c0: directory owner 0, group 0
0302.998240020:800c041c0: dir create mode 0700, file create mode 0644
0302.998254267:800c041c0: fail if owner/group can not be set: no

However, when using tcpdump it shows that rsyslog is in fact receiving information but still unfortunately not logging to file???
# tcpdump -tlnvv -i em0 port 514
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
IP (tos 0x0, ttl 255, id 1875, offset 0, flags [none], proto UDP (17), length 142) 192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
	Facility local7 (23), Severity notice (5)
	Msg: 11578: 011565: Nov 28 23:34:19.475: %SYS-5-CONFIG[|syslog]

File permissions are correct as I got rsyslog to create the file from scratch.......

What am I missing here?
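Added example, not part of the thread and not the poster's configuration: in rsyslog's legacy ($-directive) configuration, an input such as imudp delivers its messages to RSYSLOG_DefaultRuleset unless it is explicitly bound to a ruleset with $InputUDPServerBindRuleset, and the binding has to appear after the $RuleSet definition and before $UDPServerRun. In the config shown above the only rule lives in the ruleset Cisco857w while the listener was started without a binding, so the default ruleset (which has no rules) is what receives the Cisco messages; that matches what tcpdump and the debug output show. The script below prints a corrected version of the posted config and includes a small text lint, check_bound, that flags any non-default $RuleSet with no $InputUDPServerBindRuleset or $InputTCPServerBindRuleset line pointing at it. It assumes a rsyslog 5.x-era legacy config (the ports version current at the time of the post); the lint is a plain-text check, not a substitute for rsyslogd's own config validation.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes rsyslog legacy
# $-directive syntax; the IPs, paths and ruleset name are those from the post.

# Corrected config: rules are defined inside the ruleset first, then the UDP
# listener is bound to that ruleset *before* it is started. Without the
# $InputUDPServerBindRuleset line, imudp feeds RSYSLOG_DefaultRuleset, which
# contains no rules here, so nothing is ever written to the file.
corrected_config() {
    cat <<'EOF'
$ModLoad immark.so     # provides --MARK-- message capability
$ModLoad imuxsock.so   # provides support for local system logging
$ModLoad imklog.so     # kernel logging
$ModLoad imudp

# Ruleset for the router: every message whose source address matches goes
# to its own file. Define the ruleset and its rules before binding an input.
$RuleSet Cisco857w
:fromhost-ip, isequal, "192.168.1.1"   /var/log/cisco857w.log

# Bind the UDP listener to the ruleset, then start it on the LAN address only.
$InputUDPServerBindRuleset Cisco857w
$UDPServerAddress 192.168.1.120
$UDPServerRun 514

# Return to the default ruleset for any local rules that follow.
$RuleSet RSYSLOG_DefaultRuleset
EOF
}

# check_bound CONFIG: return 0 when every non-default $RuleSet in CONFIG is
# referenced by an $InputUDPServerBindRuleset or $InputTCPServerBindRuleset
# line; otherwise name each unbound ruleset on stderr and return 1.
check_bound() {
    cfg="$1"
    rc=0
    for rs in $(awk '$1 == "$RuleSet" && $2 != "RSYSLOG_DefaultRuleset" { print $2 }' "$cfg"); do
        # \$ in the single-quoted ERE matches the literal leading dollar sign.
        if ! grep -Eq '^\$Input(UDP|TCP)ServerBindRuleset[[:space:]]+'"$rs"'([[:space:]]|$)' "$cfg"; then
            echo "ruleset $rs is defined but no input is bound to it" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh rsyslog-ruleset-check.sh            -> print the corrected config
#        sh rsyslog-ruleset-check.sh FILE       -> lint FILE for unbound rulesets
if [ $# -eq 0 ]; then
    corrected_config
else
    check_bound "$1"
fi
```

Running the lint against the posted config reports that Cisco857w is unbound; against the corrected output it stays silent. Binding the listener to the ruleset is the change to make, and keeping $UDPServerAddress set to the LAN address (as the poster already has) limits the UDP listener to that interface rather than all addresses.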