From owner-freebsd-questions@FreeBSD.ORG Tue Nov 29 02:18:27 2011
From: Fbsd8 <fbsd8@a1poweruser.com>
To: Kaya Saman
Cc: Adam Vande More, freebsd-questions@freebsd.org
Subject: Re: Alternative to syslogd that actually writes external logs to files?
Date: Tue, 29 Nov 2011 10:18:23 +0800
Message-ID: <4ED440EF.8000604@a1poweruser.com>
In-Reply-To: <4ED3CE66.4020903@gmail.com>
References: <4ED38578.1000501@gmail.com> <4ED3CE66.4020903@gmail.com>
Kaya Saman wrote:
> [...snip...]
>> Properly configured, syslogd will log remotely. However something
>> like sysutils/rsyslog may fit your requirements better.
>>
>> --
>> Adam Vande More
>
> Thanks for that. I have tested rsyslog which is backwards compatible
> with syslog but again something failed with that in order to write to
> the created logfile???
>
> Here is my config just in case something hinky can be seen; although I have
> already posted it (with minimal responses) in a heading: Syslog server
> not logging remote machines to file? {basically please don't lynch me
> for double posting!!}
>
> /etc/rc.conf
>
> syslogd_enable="YES"
> syslog_flags=""
> syslogd_flags="-b 192.168.1.120 -a 192.168.1.1/24:* -C"
> #syslogd_flags="-d -b 192.168.1.120 -a 192.168.1.1/24:* -vv -C"
> #syslogd_flags="-c"
> #rsyslogd_enable="YES"
> #rsyslogd_pidfile="/var/run/syslog.pid"
> #rsyslogd_config="/etc/syslog.conf"
> #rsyslogd_klog_enable="YES"
> #rsyslogd_flags="-d"
>
> The extra addition to /etc/syslog.conf under the ppp statement:
>
> !*
> +192.168.1.1
> *.*                                             /var/log/cisco857w.log
>
> Debug from tcpdump:
>
> # tcpdump -tlnvv -i em0 port 514
> tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
> IP (tos 0x0, ttl 255, id 337, offset 0, flags [none], proto UDP (17), length 122)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>     Facility local7 (23), Severity debug (7)
>     Msg: 10040: 010027: Nov 19 10:28:04.322: ISAKMP:(0): S[|syslog]
> IP (tos 0x0, ttl 255, id 338, offset 0, flags [none], proto UDP (17), length 122)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>     Facility local7 (23), Severity debug (7)
>     Msg: 10041: 010028: Nov 19 10:28:04.326: ISAKMP:(0): S[|syslog]
> IP (tos 0x0, ttl 255, id 339, offset 0, flags [none], proto UDP (17), length 142)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
>     Facility local7 (23), Severity notice (5)
>     Msg: 10042: 010029: Nov 19 10:28:04.770: %SYS-5-CONFIG[|syslog]
> IP (tos 0x0, ttl 255, id 340, offset 0, flags [none], proto UDP (17), length 122)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>     Facility local7 (23), Severity debug (7)
>     Msg: 10043: 010030: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
> IP (tos 0x0, ttl 255, id 341, offset 0, flags [none], proto UDP (17), length 122)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>     Facility local7 (23), Severity debug (7)
>     Msg: 10044: 010031: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
> IP (tos 0x0, ttl 255, id 342, offset 0, flags [none], proto UDP (17), length 189)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 161
>     Facility local7 (23), Severity info (6)
>     Msg: 10045: 010032: Nov 19 10:30:36.455: %DOT11-6-ASSO[|syslog]
> IP (tos 0x0, ttl 255, id 343, offset 0, flags [none], proto UDP (17), length 203)
>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 175
>     Facility local7 (23), Severity info (6)
>     Msg: 10046: 010033: Nov 19 10:30:47.643: %DOT11-6-DISA[|syslog]
>
> Debug from syslogd:
>
> # /etc/rc.d/syslogd restart
> syslogd not running? (check /var/run/syslog.pid).
> Starting syslogd.
> allowaddr: rule 0: numeric, addr = 192.168.1.0, mask = 255.255.255.0; port = 0
> listening on inet and/or inet6 socket
> sending on inet and/or inet6 socket
> off & running....
> init
> cfline("*.err;kern.warning;auth.notice;mail.crit /dev/console", f, "*", "+Server.domain")
> cfline("*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages", f, "*", "+Server.domain")
> cfline("security.* /var/log/security", f, "*", "+Server.domain")
> cfline("auth.info;authpriv.info /var/log/auth.log", f, "*", "+Server.domain")
> cfline("mail.info /var/log/maillog", f, "*", "+Server.domain")
> cfline("lpr.info /var/log/lpd-errs", f, "*", "+Server.domain")
> cfline("ftp.info /var/log/xferlog", f, "*", "+Server.domain")
> cfline("cron.* /var/log/cron", f, "*", "+Server.domain")
> cfline("*.=debug /var/log/debug.log", f, "*", "+Server.domain")
> cfline("*.emerg *", f, "*", "+Server.domain")
> cfline("*.* /var/log/ppp.log", f, "ppp", "+Server.domain")
> cfline("*.* /var/log/cisco857w.log", f, "*", "+192.168.1.1")
> 4 3 2 3 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X CONSOLE: /dev/console
> 7 5 2 5 5 5 6 3 5 5 X 5 5 5 5 5 5 5 5 5 5 5 5 X X FILE: /var/log/messages
> X X X X X X X X X X X X X 7 X X X X X X X X X X X FILE: /var/log/security
> X X X X 6 X X X X X 6 X X X X X X X X X X X X X X FILE: /var/log/auth.log
> X X 6 X X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/maillog
> X X X X X X 6 X X X X X X X X X X X X X X X X X X FILE: /var/log/lpd-errs
> X X X X X X X X X X X 6 X X X X X X X X X X X X X FILE: /var/log/xferlog
> X X X X X X X X X 7 X X X X X X X X X X X X X X X FILE: /var/log/cron
> 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/debug.log
> 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:
> 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/ppp.log (ppp)
> 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/cisco857w.log
> logmsg: pri 56, flags 4, from Server, msg syslogd: restart
> syslogd: restarted
> logmsg: pri 6, flags 4, from Server, msg syslogd: kernel boot file is /boot/kernel/kernel
> Logging to FILE /var/log/messages
> syslogd: kernel boot file is /boot/kernel/kernel
> logmsg: pri 166, flags 17, from Server, msg Nov 19 12:33:34 Server syslogd: exiting on signal 2
> cvthname(192.168.1.1)
> validate: dgram from IP 192.168.1.1, port 59189, name router.domain; accepted in rule 0.
> logmsg: pri 275, flags 0, from cisco857w, msg 10048: 010035: Nov 19 10:33:48.037: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.120)
>
> And finally permissions for the log file to be 'logged' to:
>
> # ls -l /var/log/cisco857w.log
> -rw-------  1 root  wheel  0 Nov 18 16:32 /var/log/cisco857w.log
>
> I actually tried the same setup with rsyslog and even amended the file
> as such:
>
> !Cisco857w
> :fromhost-ip, isequal, "192.168.1.1"            /var/log/cisco857w.log
>
> while commenting out the rest of the legacy syslogd information
> regarding the device at hand. But still unfortunately no luck :-(
>
> I really need to get this going as I need to be able to track what's
> going on at the network level.
>
> Thanks to Robert Bonomi, the error was thought to be here: logmsg: pri
> 275 with the log priority value. I did manage to change that using the
> Cisco command: logging facility kern - to give the message a 'higher'
> priority value of which outputted this:
>
> accepted in rule 0.
> logmsg: pri 15, flags 0, from cisco857w, msg 10146: 010133: Nov 19 23:05:54.538: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.0.53
>
> but whatever happens it doesn't even try to attempt to log the
> information to file after receiving it.......
>
> Regards,
>
> Kaya

You have never said if you restarted syslog after making your changes to syslog.conf; you have to reboot your box or restart syslog for the changes to take effect.
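As an added example (not from the original post or from FreeBSD's syslogd), the Python below models how a BSD syslog.conf routes one message, using the cfline() entries quoted in the debug output. It assumes FreeBSD's facility numbering, assumes that the `+host` block is compared with the sender name syslogd attaches to the message (the `from` field in its debug output), and reads the debug output's `pri` as octal, which is how the daemon prints it: `0o275` is local7.notice, the same facility and severity tcpdump decoded for the `%SYS-5-CONFIG` packet.

```python
# Model of BSD syslog.conf selector and host matching, built from the cfline()
# entries in the syslogd debug output above (added example, not from the post).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console", "unused",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """Split a PRI value (facility * 8 + severity, RFC 3164) into its two names.
    syslogd's debug output prints pri in octal, so 'pri 275' above is 0o275."""
    fac, sev = pri >> 3, pri & 7
    if fac >= len(FACILITIES):
        raise ValueError("facility %d is outside 0..23" % fac)
    return FACILITIES[fac], SEVERITIES[sev]


def parse_selector(selector):
    """Map each facility to the severity numbers one selector field accepts.
    Later entries override earlier ones for the facilities they name, so the
    'local7.none' after '*.notice' drops the router's facility again."""
    allowed = {}
    for entry in selector.split(";"):
        facs, level = entry.rsplit(".", 1)
        if level == "none":
            sevs = set()
        elif level == "*":
            sevs = set(range(len(SEVERITIES)))
        elif level.startswith("="):          # exactly this severity
            sevs = {SEVERITIES.index(level[1:])}
        else:                                # this severity and anything more severe
            sevs = set(range(SEVERITIES.index(level) + 1))
        for f in (FACILITIES if facs == "*" else facs.split(",")):
            allowed[f] = sevs
    return allowed


def route(rules, from_name, pri):
    """Return the targets a message reaches.  rules: (host, selector, target) with
    host '*' or the name of a '+host' block.  Assumption: syslogd compares that
    name with the sender name it attached to the message (the 'from' field in
    its debug output), so an IP in the block never matches a hostname there."""
    fac, sev = decode_pri(pri)
    return [target for host, selector, target in rules
            if (host == "*" or host.lower() == from_name.lower())
            and SEVERITIES.index(sev) in parse_selector(selector).get(fac, set())]


RULES = [  # the three cfline() entries that matter for the router's messages
    ("*", "*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err",
     "/var/log/messages"),
    ("*", "*.=debug", "/var/log/debug.log"),
    ("192.168.1.1", "*.*", "/var/log/cisco857w.log"),  # the '+192.168.1.1' block
]
```

`route(RULES, "192.168.1.1", 0o275)` yields only `/var/log/cisco857w.log`, while the same message recorded under the name `cisco857w` reaches no file at all, and a local7.debug line from any sender still lands in `/var/log/debug.log` via `*.=debug`.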