From owner-freebsd-security  Sat Dec  5 11:16:21 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id LAA02720
          for freebsd-security-outgoing; Sat, 5 Dec 1998 11:16:21 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from roble.com (roble.com [207.5.40.50])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA02714
          for <security@FreeBSD.ORG>; Sat, 5 Dec 1998 11:16:19 -0800 (PST)
          (envelope-from sendmail@roble.com)
Received: from localhost (localhost [127.0.0.1]) by roble.com (Roble) with SMTP id LAA23235 for <security@FreeBSD.ORG>; Sat, 5 Dec 1998 11:16:17 -0800 (PST)
Date: Sat, 5 Dec 1998 11:16:17 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
X-Sender: Roger Marquis <marquis@roble.com>
Reply-To: Roger Marquis <marquis@roble.com>
To: security@FreeBSD.ORG
Subject: Re: Syslog.conf setup
In-Reply-To: <199812050136.RAA18568@hub.freebsd.org>
Message-ID: <Pine.SUN.3.96.981205110029.22829F-100000@roble.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

butlermd@tgn.net (Michael Butler) wrote:
> Reading the man pages and poking at the www and experimenting leaves
> me still confused on *just how* I can configure my syslog to separate
> logs by function. They grow at different rates and I want to use
> newsyslog (no man page though I have a newsyslog.cf in /etc) to manage
> them. 

Try this syslog.conf. It references every facility:

--------------------------------------------------------------------
syslog,auth,local7,local5.debug;daemon.notice;local6.info;user.none	/dev/console
kern.debug	/var/log/kern.messages
daemon.debug	/var/log/daemon.messages
user.debug	/var/log/user.messages
syslog,cron.info	/var/cron/log
auth.debug	/var/log/auth.messages
news.debug	/var/log/news.messages
mail.info	/var/log/mail.messages
uucp.notice	/var/log/uucp.messages
local0.debug	/var/log/local0.messages
local1.debug	/var/log/local1.messages
local2.warning	/var/log/local2.messages
local3.debug	/var/log/local3.messages
local4.debug	/var/log/local4.messages
local5.debug	/var/log/local5.messages
local6.debug	/var/log/local6.messages
local7.debug	/var/log/local7.messages
ftp.debug	/var/log/ftp.messages
ntp.debug	/var/log/ntp.messages
authpriv,lpr.debug	/var/log/misc.messages
*.debug;local2.none	@loghost2
--------------------------------------------------------------------

> I see references to entries like this with the !program but don't see
> the difference from: 
> ftp.*		/var/log/ftpd

This example is trying to use "*" as a log level, which is incorrect.
You can use "*" to indicate all facilities but not all log levels.
Debug is the equivalent to "*" in this case:

 ftp.debug	/var/log/ftpd

And don't forget to rotate those logfiles.  We use a cron script:

--------------------------------------------------------------------
# 
# rotate logfiles -gt 1MB  (du -k counts 1K blocks, so 1000 is about 1MB;
# a plain du -s counts 512-byte blocks on BSD and would halve the threshold)
# 
rotated=0
for i in /var/log/*messages ; do
	if [ "`du -k "$i" | awk '{print $1}'`" -gt 1000 ]; then
		#echo "rotating $i"
		# shift the old generations up with mv instead of copying each one
		n=10
		while [ $n -ge 0 ]; do
			if [ -f "$i.$n" ]; then mv "$i.$n" "$i.`expr $n + 1`" ; fi
			n=`expr $n - 1`
		done
		mv "$i" "$i.0"
		# new empty file; keep it off world-readable (auth logs live here too)
		cp /dev/null "$i"
		chmod 640 "$i"
		rotated=1
	fi
done
# syslogd still has the renamed file open; a HUP makes it reopen $i,
# so nothing logged in between is lost the way "cp, then truncate" loses it
# (/var/run/syslog.pid is where FreeBSD's syslogd records its pid)
if [ $rotated -eq 1 ]; then
	kill -HUP `cat /var/run/syslog.pid`
fi
--------------------------------------------------------------------

Finally, a bourne shell script is the best way to quickly walk through
all the logs (in order of most recently updated):

--------------------------------------------------------------------
#!/bin/sh
PATH=/bin:/usr/ucb:/usr/bin
LOGDIR=/var/log
if [ -f /usr/local/bin/less ]; then
	LESS=-cim; export LESS		# less only sees its options if exported
	PAGER=/usr/local/bin/less
elif [ "$PAGER" != "" ]; then
	:				# keep the caller's $PAGER ("continue" is only valid in a loop)
else
	PAGER=more
fi
#### last logins (mktemp, where present, avoids a predictable /tmp name)
TMP=`mktemp /tmp/last.XXXXXX 2>/dev/null` || TMP=/tmp/last.$$
last -53 >$TMP
#### which logfiles, most recently updated first
#### (ls -t without -l: no "total N" line to filter out of the listing)
FILES=" \
	 $TMP $HOME/.procmail/log \
	 `ls -t $LOGDIR/*messages 2>/dev/null | grep -v http` \
	 /usr/aset/reports/latest/*.rpt /etc/dumpdates \
	 `ls -t $LOGDIR/http*messages 2>/dev/null` \
	 `ls -t $LOGDIR/*messages.[0-9] 2>/dev/null | grep -v http` "
##### view only those that exist and are non-empty
VIEW=""
for i in $FILES ;do
	if [ -s "$i" ]; then
		VIEW="${VIEW} $i"
	fi
done
$PAGER $VIEW
#### cleanup
rm -f $TMP
--------------------------------------------------------------------

Roger Marquis
Roble Systems Consulting
http://www.roble.com/
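Added example, not part of Roger's mail and not FreeBSD's syslogd: a small Python evaluator for syslog.conf selectors, so a config like the one above can be checked for where a given facility.level ends up before it is installed. It implements the selector semantics of BSD syslogd as documented in syslog.conf(5): comma lists of facilities sharing one level, semicolon-separated selectors applied left to right (so `user.none` after `*.debug` switches user off), `none`, `*` for all facilities, `*` in the level position (every level, i.e. the same as `debug`), and FreeBSD's `!program` / `!*` blocks; comparison operators and `+host` lines are not handled. The facility list is the one from <sys/syslog.h> plus `ntp`, which the config uses; the `!ftpd` lines in the sample are a constructed addition to show program-based versus facility-based routing, and `/var/log/ftpd` is the file name from the quoted question.

```python
import re

# Level names from <sys/syslog.h>, least to most verbose; a selector
# "fac.level" matches that level and everything more severe.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
# Facility names from <sys/syslog.h> plus ntp, which the config uses.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp"] + ["local%d" % i for i in range(8)]

# "fac[,fac...]" "." level; the level ends at ',' or ';', so both
# "*.debug;local2.none" and the comma form "*.debug,local2.none" parse alike.
SELECTOR_RE = re.compile(r"([^.;,\s]+(?:,[^.;,\s]+)*)\.([^,;\s]+)")


def level_index(name):
    """0 = emerg ... 7 = debug; '*' in the level position means every level."""
    if name == "*":
        return len(LEVELS) - 1
    name = LEVEL_ALIASES.get(name, name)
    if name not in LEVELS:
        raise ValueError("unknown level %r" % name)
    return LEVELS.index(name)


def parse_syslog_conf(text):
    """Return (program, pmask, action) rules, one per config line.

    pmask maps facility -> highest accepted level index, or None once a
    'none' selector switched the facility off; facilities never named do
    not match.  program is None, or the name from a preceding '!prog'
    line; '!*' ends the program block (FreeBSD program specification).
    """
    rules, program = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            name = line[1:].strip()
            program = None if name == "*" else name
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("no action on line %r" % line)
        selectors, action = parts
        pmask = {}
        for facs, lvl in SELECTOR_RE.findall(selectors):   # left to right
            value = None if lvl == "none" else level_index(lvl)
            for fac in facs.split(","):
                for f in (FACILITIES if fac == "*" else [fac]):
                    if f not in FACILITIES:
                        raise ValueError("unknown facility %r" % f)
                    pmask[f] = value
        rules.append((program, pmask, action))
    return rules


def route(rules, facility, level, program=None):
    """Actions (files, @hosts) that receive a facility.level message."""
    pri = level_index(level)
    hits = []
    for prog, pmask, action in rules:
        if prog is not None and prog != program:
            continue
        mask = pmask.get(facility)
        if mask is not None and pri <= mask:
            hits.append(action)
    return hits


# The syslog.conf from the mail, plus a constructed "!ftpd" block (NOT in
# the mail) that catches every facility, but only from the ftpd program.
SAMPLE_CONF = """
syslog,auth,local7,local5.debug;daemon.notice;local6.info;user.none /dev/console
kern.debug      /var/log/kern.messages
daemon.debug    /var/log/daemon.messages
user.debug      /var/log/user.messages
syslog,cron.info        /var/cron/log
auth.debug      /var/log/auth.messages
news.debug      /var/log/news.messages
mail.info       /var/log/mail.messages
uucp.notice     /var/log/uucp.messages
local0.debug    /var/log/local0.messages
local1.debug    /var/log/local1.messages
local2.warning  /var/log/local2.messages
local3.debug    /var/log/local3.messages
local4.debug    /var/log/local4.messages
local5.debug    /var/log/local5.messages
local6.debug    /var/log/local6.messages
local7.debug    /var/log/local7.messages
ftp.debug       /var/log/ftp.messages
ntp.debug       /var/log/ntp.messages
authpriv,lpr.debug      /var/log/misc.messages
*.debug;local2.none     @loghost2
!ftpd
*.debug /var/log/ftpd
!*
"""

RULES = parse_syslog_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, lvl, prog in [("auth", "info", None), ("local2", "info", None),
                           ("user", "notice", None), ("ftp", "info", "ftpd")]:
        print("%s.%s from %s -> %s" % (fac, lvl, prog or "any", route(RULES, fac, lvl, prog)))
```

Running it shows the two things the config relies on: `local2.info` goes nowhere (below `local2.warning`, and excluded from loghost2 by `local2.none`), and `user.notice` reaches the user file and loghost2 but not the console. The `!ftpd` block is what distinguishes program-based routing from `ftp.debug`: an `ftp.info` message lands in `/var/log/ftpd` only when it comes from ftpd.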


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message