From owner-freebsd-questions@FreeBSD.ORG Tue Feb 6 15:29:32 2007
From: Ewald Jenisch
To: freebsd-questions@freebsd.org
Date: Tue, 6 Feb 2007 16:29:30 +0100
Subject: syslog from Cisco -> FreeBSD - SOLVED
Message-ID: <20070206152929.GA67647@aurora.oekb.co.at>
In-Reply-To: <20070206110009.GA93053@aurora.oekb.co.at>
Hi,

First of all thanks much to all who responded so quickly to my question about setting up syslogging in order to accept messages from Cisco (remote) boxes. I could finally get that thing going. Here's what I did - maybe this is of help to others running into similar problems:

1) In order for syslogd to accept messages from remote machines you've got to use the "-a"-flag. Here's what I've got in my /etc/rc.conf:

   syslogd_flags="-a 192.168.0.0/16:*"

   Don't forget the "*" - it makes sure that syslogd accepts UDP packets from *every* port on the remote machine, not just the syslog-port. Typically Cisco-boxes seem to have a high-order source-port in their syslog-messages.

2) /etc/syslog.conf: Make sure that the "local7"-messages coming from Cisco boxes aren't logged multiple times. Typically the vanilla /etc/syslog.conf coming with FreeBSD has the following line in /etc/syslog.conf (near the top of the file):

   *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err    /var/log/messages

   Change this to read:

   *.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err    /var/log/messages

   This makes sure that any syslog-messages with the local7 facility don't get written to /var/log/messages.

   Get to the end of syslog.conf. Here you'll find something like:

   !ppp
   *.*    /var/log/ppp.log

   This is the setup for log-entries from ppp. You've got to add the following line:

   !*

   This resets logging as per man syslog.conf(5): "A program or hostname specification may be reset by giving the program or hostname as `*'." Without that line the lines that you add for your Cisco logging at the end of the file (see below) will only be triggered when coming from the ppp program, which almost never is the case. (You can check this using the debug-option of syslogd - see below.)

3) Add your log-setup for Cisco devices at the end of syslog.conf like so:

   local7.*    /var/log/Syslog/cisco-syslog

4) Touch and "chmod 600" the logfile mentioned above.

5) Restart syslogd:

   /etc/rc.d/syslogd restart

Final thoughts & caveats:

1) Use TABs to separate the entries in /etc/syslog.conf.

2) Running syslogd in debug-mode (i.e. syslogd_flags="-d ..." in /etc/rc.conf) is a very helpful tool in tracking down problems. It keeps syslogd running in the foreground and logs very helpful information to the console. Be aware though that syslogd in debug-mode is behaving somewhat different. It e.g. seems to ignore the "-a ..." flags that are otherwise necessary in order for syslog to accept messages from remote machines, i.e. accepting messages from everywhere even without the -a flag.

Hope this little recipe helps others going...

Thanks again for all your help,
-ewald
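As an added example that is not part of the original post, the following POSIX shell lint checks a syslog.conf for the two pitfalls described in step 2: a /var/log/messages rule without local7.none (Cisco messages logged twice) and a local7.* rule left under a program filter such as "!ppp" that was never reset with "!*". The sample config embedded in it is constructed to reproduce the situation before the fix.

```sh
#!/bin/sh
# Added example, not from the original post. check_syslog_conf FILE walks a
# syslog.conf, tracking the active "!program" filter, and reports:
#   - a /var/log/messages rule whose selector lacks local7.none
#   - a local7.* rule that only applies to a specific program (no "!*" reset)
# Returns 0 when there are no findings, 1 otherwise.
check_syslog_conf() {
    awk '
        BEGIN { prog = "*" }                              # no program filter active yet
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # comments and blank lines
        /^!/  { prog = substr($1, 2); next }              # program filter: !ppp or !*
        /^[+-]/ { next }                                  # hostname filters, not checked here
        $NF == "/var/log/messages" {
            messages_seen = 1
            if ($1 ~ /(^|;)local7\.none(;|$)/) have_none = 1
        }
        $1 ~ /^local7\./ && $NF != "/var/log/messages" && prog != "*" {
            printf("WARN line %d: \"%s\" only applies to program \"%s\"; insert \"!*\" before it\n", NR, $0, prog)
            bad = 1
        }
        END {
            if (messages_seen && !have_none) {
                print "WARN: /var/log/messages rule has no local7.none; Cisco logs would be duplicated"
                bad = 1
            }
            exit bad + 0
        }' "$1"
}

# Constructed sample: the vanilla messages line, the ppp block, and the Cisco
# rule appended at the end without the "!*" reset.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
!ppp
*.*	/var/log/ppp.log
local7.*	/var/log/Syslog/cisco-syslog
EOF
check_syslog_conf "$sample" || echo "syslog.conf still needs the changes from step 2"
rm -f "$sample"
```

Run it against a real /etc/syslog.conf with check_syslog_conf /etc/syslog.conf; both warnings disappear once local7.none and the "!*" line are in place.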