From owner-freebsd-questions@FreeBSD.ORG Wed May 5 10:34:48 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1A13116A4CE for ; Wed, 5 May 2004 10:34:48 -0700 (PDT)
Received: from sys33.mail.msu.edu (sys33.mail.msu.edu [35.9.75.133]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9F61143D4C for ; Wed, 5 May 2004 10:34:47 -0700 (PDT) (envelope-from bushous2@msu.edu)
Received: from [198.70.64.112] (helo=msu.edu) by sys33.mail.msu.edu with asmtp (Exim 4.24 #37) (TLSv1:AES256-SHA:256) id 1BLQIA-0004tc-Va for questions@freebsd.org; Wed, 05 May 2004 13:34:47 -0400
Message-ID: <4099259A.90809@msu.edu>
Date: Wed, 05 May 2004 13:34:18 -0400
From: Micah Bushouse
User-Agent: Mozilla Thunderbird 0.5 (X11/20040411)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: questions@freebsd.org
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus: None found by Clam AV
Subject: Syslogd not logging data from remote machines
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 05 May 2004 17:34:48 -0000

Dear List,

FreeBSD alumi.bushouse.net 4.10-PRERELEASE FreeBSD 4.10-PRERELEASE #0: Mon Apr 26 08:34:37 EDT 2004 micah@alumi.bushouse.net:/usr/obj/usr/src/sys/APRIL i386

I'm trying to get syslogd on the FBSD system above to log events from my Watchguard SOHO firewall/router. On this particular network, packets flow from the internet through the SOHO to get to the FBSD machine. The SOHO is configured to log correctly to the FBSD machine... Also, I poked a hole (UDP/514) in IPFilter, and both TCPDump and Ethereal (both running on the FBSD machine) pick up the syslog traffic coming in from the SOHO. 192.168.111.1 is the router, 192.168.111.9 is the FBSD machine.

Here is the command I'm using to run syslogd:

> ps -waux | grep syslogd
root 8284 0.0 0.1 996 684 ?? Is 12:15PM 0:00.01 /usr/sbin/syslogd -a 192.168.111.1 -n

Using Ethereal, I sniffed the traffic that the SOHO is sending to the FBSD system. Lots of UDP/514 packets flowed in, and all were a variation on the packet excerpt below (the stuff after LOCAL0.INFO was obviously different and depended on the information the router was trying to log):

Syslog message: LOCAL0.INFO: MONITOR: Administrator Access...
    1000 0... = Facility: LOCAL0 - reserved for local use (16)
    .... .110 = Level: INFO - informational (6)
    Message: MONITOR: Administrator access allowed from 192.168.111.9

I kept the default /etc/syslog.conf file, except for one added line:

local0.*    /var/log/router.log

Here's what the router.log file looks like:

> ls -l /var/log/router.log
-rw-r--r-- 1 root wheel 0 May 4 22:02 /var/log/router.log

There still is no data being written to this file, even though I'm sitting here watching TCPDump print out packet after packet of UDP/514 data from the SOHO.

What am I doing wrong?

~Micah
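The post gives everything needed to check one link in the chain offline: the Ethereal decode shows facility 16 (LOCAL0) and level 6 (INFO), which is a PRI of 16*8+6 = 134, and the added syslog.conf line is local0.* to /var/log/router.log. The following Python script is an added example, not code from the post or from FreeBSD's syslogd. It parses the PRI of a syslog datagram, evaluates it against syslog.conf-style selectors, and models the -a allowed-peer check as a plain address allowlist. The datagram text, the allowlist semantics, and the simplified selector grammar (facility.level, '*', 'none', no '=' or '!' modifiers) are assumptions; the only evidence the page offers is the facility/level pair and the two config lines.

```python
import ipaddress
import re

# Facility numbering from RFC 3164: 0-11 are the classic names, 16-23 are
# local0-local7.  12-15 are kept as placeholders since the post never uses them.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "facility12", "facility13",
              "facility14", "facility15"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample datagram: PRI 134 = local0 (16) * 8 + info (6), as decoded
# by Ethereal in the post.  The message body is copied from that decode.
ROUTER_MSG = "<134>MONITOR: Administrator access allowed from 192.168.111.9"

# Constructed syslog.conf fragment: the poster's added line plus one line in the
# style of FreeBSD's default file.
CONF = "local0.*\t/var/log/router.log\n*.notice;authpriv.none\t/var/log/messages\n"


def parse_pri(datagram):
    """Split a syslog datagram into (facility_name, severity_name, rest)."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def parse_conf(text):
    """Return a list of (selector_string, action) from syslog.conf-style text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        selectors, action = line.split(None, 1)
        rules.append((selectors, action.strip()))
    return rules


def selector_matches(selectors, facility, severity):
    """Evaluate 'fac[,fac].level;fac.level' as syslog.conf does: a named level
    means that level or more severe, '*' means any level, 'none' excludes."""
    matched = False
    for sel in selectors.split(";"):
        facs, level = sel.rsplit(".", 1)
        fac_set = None if facs == "*" else set(facs.split(","))
        if fac_set is not None and facility not in fac_set:
            continue
        if level == "none":
            matched = False
        elif level == "*":
            matched = True
        elif SEVERITIES.index(severity) <= SEVERITIES.index(level):
            matched = True
    return matched


def route(datagram, peer, allowed_peers, conf_text):
    """Return the actions (log files) a datagram from `peer` would reach.
    The allowlist stands in for syslogd's -a option (assumption: exact host
    or CIDR match); a datagram from an unlisted peer is discarded."""
    src = ipaddress.ip_address(peer)
    if not any(src in ipaddress.ip_network(a, strict=False) for a in allowed_peers):
        return []
    facility, severity, _ = parse_pri(datagram)
    return [action for sel, action in parse_conf(conf_text)
            if selector_matches(sel, facility, severity)]


if __name__ == "__main__":
    # Walk the router's datagram through the allowlist and the config.
    print(parse_pri(ROUTER_MSG))
    print(route(ROUTER_MSG, "192.168.111.1", ["192.168.111.1"], CONF))
    print(route(ROUTER_MSG, "10.0.0.5", ["192.168.111.1"], CONF))
```

Run as-is, it confirms that a PRI-134 datagram from 192.168.111.1 selects only /var/log/router.log under that config, and that the same datagram from an address outside the -a list selects nothing. That isolates the selector and peer-allowlist steps from the rest of the path (IPFilter, the socket syslogd is bound to, hostname resolution of the sender), which the post's tcpdump and Ethereal captures cannot distinguish on their own.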