Date:      Fri, 10 Nov 2000 17:56:56 -0600 (CST)
From:      Mike Meyer <mwm@mired.org>
To:        Daniel Podolsky <daniel.podolsky@twelvehorses.com>
Cc:        questions@freebsd.org
Subject:   RE: Logging to remote syslogd
Message-ID:  <14860.35656.389841.767243@guru.mired.org>
In-Reply-To: <856E94D34FF3D311B5FE00508B6B8BD22A34A9@BlackWidow.twelvehorses.int>
References:  <856E94D34FF3D311B5FE00508B6B8BD22A34A9@BlackWidow.twelvehorses.int>

Daniel Podolsky <daniel.podolsky@twelvehorses.com> types:
> 
> Dear Mike,
> 
> Thank you for your answer.
> 
> Especially for you I've run the syslogd with command 
> syslogd -d -a 193.120.127.33/32:* >s.t

Well, you shouldn't do it for me, you should send it to
-questions. More eyes mean it's more likely that someone will spot the
problem.

> And this is a s.t
> [begin]
> allowaddr: rule 0: numeric, addr = 193.120.127.33, mask = 255.255.255.255;
> port = 0
> off & running....
> init
> cfline("*.err;kern.debug;auth.notice;mail.crit		/dev/console", f,
> "*")
> cfline("*.notice;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages",
> f, "*")
> cfline("security.*					/var/log/security",
> f, "*")
> cfline("mail.info					/var/log/maillog",
> f, "*")
> cfline("lpr.info					/var/log/lpd-errs",
> f, "*")
> cfline("cron.*						/var/log/cron", f,
> "*")
> cfline("*.err						root", f, "*")
> cfline("*.notice;news.err				root", f, "*")
> cfline("*.alert						root", f, "*")
> cfline("*.emerg						*", f, "*")
> cfline("*.*						/var/log/all.log",
> f, "*")
> cfline("local7.*					/var/log/c7200.log",
> f, "*")
> cfline("*.*						/var/log/slip.log",
> f, "startslip")
> cfline("*.*						/var/log/ppp.log",
> f, "ppp")
> cfline("*.*						/var/log/pppd.log",
> f, "pppd")
> cfline("*.*						/var/log/ipfw.log",
> f, "ipfw")
> 7 3 2 3 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X CONSOLE: /dev/console
> 7 5 2 5 5 5 6 3 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 X FILE: /var/log/messages
> X X X X X X X X X X X X X 8 X X X X X X X X X X X FILE: /var/log/security
> X X 6 X X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/maillog
> X X X X X X 6 X X X X X X X X X X X X X X X X X X FILE: /var/log/lpd-errs
> X X X X X X X X X 8 X X X X X X X X X X X X X X X FILE: /var/log/cron
> 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X USERS: root, 
> 5 5 5 5 5 5 5 3 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 X USERS: root, 
> 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 X USERS: root, 
> 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL: 
> 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 X FILE: /var/log/all.log
> X X X X X X X X X X X X X X X X X X X X X X X 8 X FILE: /var/log/c7200.log
> 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 X FILE: /var/log/slip.log
> (startslip)
> 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 X FILE: /var/log/ppp.log
> (ppp)
> 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 X FILE: /var/log/pppd.log
> (pppd)
> 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 X FILE: /var/log/ipfw.log
> (ipfw)
> logmsg: pri 56, flags 4, from lf, msg syslogd: restart
> Logging to FILE /var/log/all.log
> syslogd: restarted
> logmsg: pri 156, flags 16, from lf, msg ipfw: 1100 Accept UDP
> 193.120.127.33:58896 193.120.127.35:514 in via lnc0
> Logging to FILE /var/log/security
> Logging to FILE /var/log/all.log
> Logging to FILE /var/log/ipfw.log
> logmsg: pri 116, flags 0, from lf, msg Nov 10 23:30:00 CRON[2243]: (root)
> CMD (/usr/libexec/atrun) 
> Logging to FILE /var/log/cron
> Logging to FILE /var/log/all.log
> syslogd: exiting on signal 2
> syslogd: exiting on signal 2
> logmsg: pri 53, flags 4, from lf, msg syslogd: exiting on signal 2
> Logging to CONSOLE /dev/console
> Logging to FILE /var/log/messages
> Logging to USERS
> Logging to USERS
> Logging to FILE /var/log/all.log
> 
> We can see the packet from Cisco, but we can not see Cisco's
> message.
> 
> Yes, I know, this functionality works. It works for me for Cisco 1005 and
> FreeBSD 3.2. I'm really surprised... It looks like the syslogd does not
> hear the port 514...

Have you got divert rules in your firewall, perhaps? Possibly
something in your syslog.conf will provide a clue.

Again, don't send them to me, send them to -questions. That will give
more people a chance to look at them and possibly spot the problem.

	<mike

> Thank you for your help.
> 
> With best regards,
> Daniel Podolsky
> 
> >-----Original Message-----
> >From: Mike Meyer [mailto:mwm@mired.org]
> >Sent: Friday, November 10, 2000 9:13 PM
> >To: Daniel Podolsky
> >Cc: questions@freebsd.org
> >Subject: Re: Logging to remote syslogd
> >
> >
> >Daniel Podolsky <daniel.podolsky@twelvehorses.com> types:
> >> Dear All,
> >> 
> >> I've tried to configure my Cisco for logging to the syslog on my FreeBSD
> >> 4.1.1.
> >> I have configured the Cisco correctly. I can see Cisco's incoming UDP packets
> >> to port 514 in an ipfw log.
> >
> >They are being accepted, not denied, right? Show us the log 
> >messages, please?
> >
> >> The syslogd run command is "syslogd -a <Cisco1Address>/32
> >> <Cisco2Address>/32".
> >
> >Can we have the actual command or - hopefully - the variables from
> >rc.conf? In more than one similar case, it's been a simple typo that a
> >fresh pair of eyes will immediately spot. However, we can't do that if
> >you don't give us all the information.
> >
> >> For testing purposes I have added the string "*.*	/var/log/all.log" to
> >> the /etc/syslog.conf
> >> However, I can not see Cisco's packets in all.log. Also, I can not see the
> >> trace of these packets when I run syslogd with "-d".
> >
> >Can you see *anything* in /var/log/all.log?
> >
> >This kind of functionality works - I use it between FreeBSD boxes.
> >
> >	<mike
> >
> 
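
An added example, not part of either poster's message and not syslogd's own code: a small model of the `-a ipaddr/masklen[:service]` check as syslogd(8) documents it (the default service is `syslog`, and `*` accepts any source port), applied to the source address and port from the ipfw log line quoted above. The function names are hypothetical, and the sketch handles only numeric IPv4 rules with an explicit masklen.

```python
import ipaddress

SYSLOG_PORT = 514  # UDP port of the "syslog" service in services(5)

def parse_allowed_peer(spec):
    """Parse a numeric 'ipaddr/masklen[:service]' rule as given to syslogd -a.

    Returns (network, port). Port 0 means "any source port", matching the
    'port = 0' that the debug output prints for a ':*' rule.
    """
    addr, _, service = spec.partition(":")
    if "/" not in addr:
        # Assumption of this sketch: require an explicit masklen rather than
        # model syslogd's default mask for a bare address.
        raise ValueError("give an explicit /masklen: %r" % spec)
    if service == "*":
        port = 0
    elif service in ("", "syslog"):
        port = SYSLOG_PORT          # default service when none is given
    else:
        port = int(service)         # numeric service only in this sketch
    return ipaddress.ip_network(addr, strict=False), port

def peer_allowed(rules, src_ip, src_port):
    """True if a datagram from src_ip:src_port matches at least one rule."""
    src = ipaddress.ip_address(src_ip)
    for net, port in map(parse_allowed_peer, rules):
        if src in net and port in (0, src_port):
            return True
    return False

def explain(rules, src_ip, src_port):
    verdict = "accepted" if peer_allowed(rules, src_ip, src_port) else "dropped"
    return "%s:%d with -a %s -> %s" % (src_ip, src_port, " -a ".join(rules), verdict)

if __name__ == "__main__":
    # Source address and port taken from the ipfw log line in the quoted output.
    cisco = ("193.120.127.33", 58896)
    print(explain(["193.120.127.33/32:*"], *cisco))   # rule used in the debug run
    print(explain(["193.120.127.33/32"], *cisco))     # same rule without a service
```

The second call shows why the `:*` suffix matters for a sender that uses a high source port: without it the rule only matches datagrams whose source port is 514.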

