Date: Sat, 5 Dec 1998 11:16:17 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: security@FreeBSD.ORG
Subject: Re: Syslog.conf setup
Message-ID: <Pine.SUN.3.96.981205110029.22829F-100000@roble.com>
In-Reply-To: <199812050136.RAA18568@hub.freebsd.org>
butlermd@tgn.net (Michael Butler) wrote:
> Reading the man pages and poking at the www and experimenting leaves
> me still confused on *just how* I can configure my syslog to separate
> logs by function. They grow at different rates and I want to use
> newsyslog (no man page tho I have a newsyslog.cf in /etc) to manage
> them.

Try this syslog.conf. It references every facility:
--------------------------------------------------------------------
# selector<tab>action
# selector = facility[,facility...].level[;facility.level...]
# a level means "this priority and everything more severe";
# "none" removes a facility from a selector that would otherwise match it
syslog,auth,local7,local5.debug;daemon.notice;local6.info;user.none	/dev/console
kern.debug	/var/log/kern.messages
daemon.debug	/var/log/daemon.messages
user.debug	/var/log/user.messages
syslog,cron.info	/var/cron/log
auth.debug	/var/log/auth.messages
news.debug	/var/log/news.messages
mail.info	/var/log/mail.messages
uucp.notice	/var/log/uucp.messages
local0.debug	/var/log/local0.messages
local1.debug	/var/log/local1.messages
local2.warning	/var/log/local2.messages
local3.debug	/var/log/local3.messages
local4.debug	/var/log/local4.messages
local5.debug	/var/log/local5.messages
local6.debug	/var/log/local6.messages
local7.debug	/var/log/local7.messages
ftp.debug	/var/log/ftp.messages
ntp.debug	/var/log/ntp.messages
authpriv,lpr.debug	/var/log/misc.messages
# everything except local2 is also forwarded to the remote loghost
# (selectors on one line are separated by ";", facilities by ",")
*.debug;local2.none	@loghost2
--------------------------------------------------------------------

> I see references to entries like this with the !program but don't see
> the difference from:
> ftp.*	/var/log/ftpd

This example is trying to use "*" as a log level, which is incorrect.
You can use "*" to indicate all facilities but not all log levels.
Debug is the equivalent to "*" in this case:

ftp.debug	/var/log/ftpd

And don't forget to rotate those logfiles.
We use a cron script:
--------------------------------------------------------------------
#
# rotate logfiles -gt 1MB
#
# Files are copied and then truncated rather than renamed, so the inode
# syslogd holds open stays the same and no SIGHUP is needed.
# du -sk reports kilobytes; plain du -s reports blocks of a size that
# differs between systems (512 bytes on BSD, 1K on others).
#
for i in /var/log/*messages ; do
	if [ "`du -sk "$i" | awk '{print $1}'`" -gt 1000 ]; then
		#echo "rotating $i"
		# shift the older generations up, oldest first
		if [ -f "$i.10" ]; then cp "$i.10" "$i.11" ;fi
		if [ -f "$i.9" ];  then cp "$i.9"  "$i.10" ;fi
		if [ -f "$i.8" ];  then cp "$i.8"  "$i.9"  ;fi
		if [ -f "$i.7" ];  then cp "$i.7"  "$i.8"  ;fi
		if [ -f "$i.6" ];  then cp "$i.6"  "$i.7"  ;fi
		if [ -f "$i.5" ];  then cp "$i.5"  "$i.6"  ;fi
		if [ -f "$i.4" ];  then cp "$i.4"  "$i.5"  ;fi
		if [ -f "$i.3" ];  then cp "$i.3"  "$i.4"  ;fi
		if [ -f "$i.2" ];  then cp "$i.2"  "$i.3"  ;fi
		if [ -f "$i.1" ];  then cp "$i.1"  "$i.2"  ;fi
		if [ -f "$i.0" ];  then cp "$i.0"  "$i.1"  ;fi
		# snapshot the live file, then empty it in place
		cp "$i" "$i.0"
		cp /dev/null "$i"
	fi
done
--------------------------------------------------------------------

Finally, a bourne shell script is the best way to quickly walk through all
the logs (in order of most recently updated):
--------------------------------------------------------------------
#!/bin/sh
PATH=/bin:/usr/ucb:/usr/bin
LOGDIR=/var/log

# prefer less if installed, otherwise honour an existing $PAGER, else more
if [ -f /usr/local/bin/less ]; then
	LESS=-cim; export LESS
	PAGER=/usr/local/bin/less
elif [ "$PAGER" != "" ]; then
	:	# keep the caller's pager ("continue" outside a loop was a bug here)
else
	PAGER=more
fi

#### last logins
# an unpredictable temp name; a fixed /tmp/last.$$ is open to a symlink race
TMP=`mktemp /tmp/last.XXXXXX` || exit 1
last -53 >$TMP

#### which logfiles, most recently modified first
FILES=" \
	$TMP $HOME/.procmail/log \
	`ls -t $LOGDIR/*messages | grep -v http` \
	/usr/aset/reports/latest/*.rpt /etc/dumpdates \
	`ls -t $LOGDIR/http*messages` \
	`ls -t $LOGDIR/*messages.[0-9] | grep -v http` \
"

##### view only the files that are non-empty
VIEW=""
for i in $FILES ;do
	if [ -s $i ]; then
		VIEW="${VIEW} $i"
	fi
done
$PAGER $VIEW

#### cleanup
rm -f $TMP
--------------------------------------------------------------------

Roger Marquis
Roble Systems Consulting
http://www.roble.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
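A generalised version of the copy-and-truncate rotation from the message above, added here as an example and not code from the original post or from FreeBSD: one function handles any number of generations instead of a fixed chain of ifs, measures the file in bytes with wc -c (du -s reports blocks whose size differs between systems), and keeps the log's ownership and mode with cp -p so a 0600 auth log does not come back world-readable. The function names rotate_log and rotate_dir, the 1 MB threshold and the twelve generations in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message.  Copy-then-truncate rotation:
# the live file keeps its inode, so syslogd's open descriptor stays valid and
# no SIGHUP is needed.  rotate_log/rotate_dir and the thresholds are assumed.

# rotate_log FILE GENERATIONS MAXBYTES
# Rotates FILE into FILE.0 .. FILE.(GENERATIONS-1) when it exceeds MAXBYTES.
# Returns 0 if a rotation happened, 1 if the file was missing or under size.
rotate_log() {
	file=$1
	gens=$2
	maxbytes=$3

	[ -f "$file" ] || return 1
	# wc -c is bytes everywhere; tr strips the padding BSD wc prints
	size=$(wc -c < "$file" | tr -d ' ')
	[ "$size" -gt "$maxbytes" ] || return 1

	# shift older generations up, starting from the oldest so none is overwritten
	n=$((gens - 1))
	while [ "$n" -gt 0 ]; do
		prev=$((n - 1))
		if [ -f "$file.$prev" ]; then
			cp -p "$file.$prev" "$file.$n"
		fi
		n=$prev
	done

	# snapshot the live file to .0, then truncate it in place (same inode);
	# lines written between these two commands are lost, which is the price
	# of not renaming and HUPping syslogd
	cp -p "$file" "$file.0"
	: > "$file"
	return 0
}

# rotate_dir DIR GENERATIONS MAXBYTES
# Applies rotate_log to every *messages file in DIR, reporting what rotated.
rotate_dir() {
	dir=$1
	for f in "$dir"/*messages; do
		[ -f "$f" ] || continue
		rotate_log "$f" "$2" "$3" && echo "rotated $f"
	done
	return 0
}

# run from cron as:  rotate.sh --run   (assumed threshold: 1 MB, 12 generations)
if [ "${1:-}" = "--run" ]; then
	rotate_dir /var/log 12 1048576
fi
```

newsyslog(8), which the original question asked about, takes the other route: it renames the file and signals syslogd to reopen it, so nothing is lost in the gap, at the cost of having to know syslogd's pid file. Copy-then-truncate is the right choice only when you cannot signal the writer.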