Date: Tue, 29 Nov 2011 04:27:11 +0200
From: Kaya Saman <kayasaman@gmail.com>
To: Fbsd8 <fbsd8@a1poweruser.com>
Cc: Adam Vande More <amvandemore@gmail.com>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: Alternative to syslogd that actually writes external logs to files?
Message-ID: <4ED442FF.4030206@gmail.com>
In-Reply-To: <4ED440EF.8000604@a1poweruser.com>
References: <4ED38578.1000501@gmail.com> <CA+tpaK0rkWX8G3hiapZkutK6xvb+c0z6aTK=U=RsC=Pk68mCEA@mail.gmail.com> <4ED3CE66.4020903@gmail.com> <4ED440EF.8000604@a1poweruser.com>
On 11/29/2011 04:18 AM, Fbsd8 wrote:
> Kaya Saman wrote:
>> [...snip...]
>>> Properly configured, syslogd will log remotely. However something
>>> like sysutils/rsyslog may fit your requirements better.
>>>
>>> --
>>> Adam Vande More
>>
>> Thanks for that. I have tested rsyslog which is backwards compatible
>> with syslog but again something failed with that in order to write to
>> the created logfile???
>>
>> Here is my config just in case something hinky can be seen; although I
>> have already posted it (with minimal responses) in a heading: Syslog
>> server not logging remote machines to file? {basically please don't
>> lynch me for double posting!!}
>>
>> /etc/rc.conf
>>
>> syslogd_enable="YES"
>> syslog_flags=""
>> syslogd_flags="-b 192.168.1.120 -a 192.168.1.1/24:* -C"
>> #syslogd_flags="-d -b 192.168.1.120 -a 192.168.1.1/24:* -vv -C"
>> #syslogd_flags="-c"
>> #rsyslogd_enable="YES"
>> #rsyslogd_pidfile="/var/run/syslog.pid"
>> #rsyslogd_config="/etc/syslog.conf"
>> #rsyslogd_klog_enable="YES"
>> #rsyslogd_flags="-d"
>>
>> The extra addition to /etc/syslog.conf under the ppp statement
>>
>> !*
>> +192.168.1.1
>> *.*                                             /var/log/cisco857w.log
>>
>> Debug from tcpdump:
>>
>> # tcpdump -tlnvv -i em0 port 514
>> tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
>> IP (tos 0x0, ttl 255, id 337, offset 0, flags [none], proto UDP (17), length 122)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>>     Facility local7 (23), Severity debug (7)
>>     Msg: 10040: 010027: Nov 19 10:28:04.322: ISAKMP:(0): S[|syslog]
>> IP (tos 0x0, ttl 255, id 338, offset 0, flags [none], proto UDP (17), length 122)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>>     Facility local7 (23), Severity debug (7)
>>     Msg: 10041: 010028: Nov 19 10:28:04.326: ISAKMP:(0): S[|syslog]
>> IP (tos 0x0, ttl 255, id 339, offset 0, flags [none], proto UDP (17), length 142)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
>>     Facility local7 (23), Severity notice (5)
>>     Msg: 10042: 010029: Nov 19 10:28:04.770: %SYS-5-CONFIG[|syslog]
>> IP (tos 0x0, ttl 255, id 340, offset 0, flags [none], proto UDP (17), length 122)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>>     Facility local7 (23), Severity debug (7)
>>     Msg: 10043: 010030: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
>> IP (tos 0x0, ttl 255, id 341, offset 0, flags [none], proto UDP (17), length 122)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
>>     Facility local7 (23), Severity debug (7)
>>     Msg: 10044: 010031: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
>> IP (tos 0x0, ttl 255, id 342, offset 0, flags [none], proto UDP (17), length 189)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 161
>>     Facility local7 (23), Severity info (6)
>>     Msg: 10045: 010032: Nov 19 10:30:36.455: %DOT11-6-ASSO[|syslog]
>> IP (tos 0x0, ttl 255, id 343, offset 0, flags [none], proto UDP (17), length 203)
>>     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 175
>>     Facility local7 (23), Severity info (6)
>>     Msg: 10046: 010033: Nov 19 10:30:47.643: %DOT11-6-DISA[|syslog]
>>
>> Debug from syslogd:
>>
>> # /etc/rc.d/syslogd restart
>> syslogd not running? (check /var/run/syslog.pid).
>> Starting syslogd.
>> allowaddr: rule 0: numeric, addr = 192.168.1.0, mask = 255.255.255.0; port = 0
>> listening on inet and/or inet6 socket
>> sending on inet and/or inet6 socket
>> off & running....
>> init
>> cfline("*.err;kern.warning;auth.notice;mail.crit /dev/console", f, "*", "+Server.domain")
>> cfline("*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages", f, "*", "+Server.domain")
>> cfline("security.* /var/log/security", f, "*", "+Server.domain")
>> cfline("auth.info;authpriv.info /var/log/auth.log", f, "*", "+Server.domain")
>> cfline("mail.info /var/log/maillog", f, "*", "+Server.domain")
>> cfline("lpr.info /var/log/lpd-errs", f, "*", "+Server.domain")
>> cfline("ftp.info /var/log/xferlog", f, "*", "+Server.domain")
>> cfline("cron.* /var/log/cron", f, "*", "+Server.domain")
>> cfline("*.=debug /var/log/debug.log", f, "*", "+Server.domain")
>> cfline("*.emerg *", f, "*", "+Server.domain")
>> cfline("*.* /var/log/ppp.log", f, "ppp", "+Server.domain")
>> cfline("*.* /var/log/cisco857w.log", f, "*", "+192.168.1.1")
>> 4 3 2 3 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X CONSOLE: /dev/console
>> 7 5 2 5 5 5 6 3 5 5 X 5 5 5 5 5 5 5 5 5 5 5 5 X X FILE: /var/log/messages
>> X X X X X X X X X X X X X 7 X X X X X X X X X X X FILE: /var/log/security
>> X X X X 6 X X X X X 6 X X X X X X X X X X X X X X FILE: /var/log/auth.log
>> X X 6 X X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/maillog
>> X X X X X X 6 X X X X X X X X X X X X X X X X X X FILE: /var/log/lpd-errs
>> X X X X X X X X X X X 6 X X X X X X X X X X X X X FILE: /var/log/xferlog
>> X X X X X X X X X 7 X X X X X X X X X X X X X X X FILE: /var/log/cron
>> 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/debug.log
>> 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:
>> 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/ppp.log (ppp)
>> 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/cisco857w.log
>> logmsg: pri 56, flags 4, from Server, msg syslogd: restart
>> syslogd: restarted
>> logmsg: pri 6, flags 4, from Server, msg syslogd: kernel boot file is /boot/kernel/kernel
>> Logging to FILE /var/log/messages
>> syslogd: kernel boot file is /boot/kernel/kernel
>> logmsg: pri 166, flags 17, from Server, msg Nov 19 12:33:34 <syslog.err> Server syslogd: exiting on signal 2
>> cvthname(192.168.1.1)
>> validate: dgram from IP 192.168.1.1, port 59189, name router.domain; accepted in rule 0.
>> logmsg: pri 275, flags 0, from cisco857w, msg 10048: 010035: Nov 19 10:33:48.037: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.120)
>>
>> And finally permissions for the log file to be 'logged' to:
>>
>> # ls -l /var/log/cisco857w.log
>> -rw------- 1 root wheel 0 Nov 18 16:32 /var/log/cisco857w.log
>>
>> I actually tried the same setup with rsyslog and even amended the
>> file as such:
>>
>> !Cisco857w
>> :fromhost-ip, isequal, "192.168.1.1"            /var/log/cisco857w.log
>>
>> while commenting out the rest of the legacy syslogd information
>> regarding the device at hand. But still unfortunately no luck :-(
>>
>> I really need to get this going as I need to be able to track what's
>> going on at the network level.
>>
>> Thanks to Robert Bonomi, the error was thought to be here: logmsg:
>> pri 275 with the log priority value. I did manage to change that
>> using the Cisco command: logging facility kern - to give the message
>> a 'higher' priority value, which output this:
>>
>> accepted in rule 0.
>> logmsg: pri 15, flags 0, from cisco857w, msg 10146: 010133: Nov 19 23:05:54.538: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.0.53
>>
>> but whatever happens it doesn't even try to attempt to log the
>> information to file after receiving it.......
>>
>> Regards,
>>
>> Kaya
>>
>
> You have never said if you restarted syslog after making your changes
> to syslog.conf, you have to reboot your box or restart syslog for the
> changes to take effect.

Sorry if not mentioned......

I assumed that it was common practice to run:

ps aux | grep rsyslog
kill <pid>
/usr/local/etc/rc.d/rsyslogd restart

which is what I have been doing since day 1.
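The decisions that the quoted syslogd -d output walks through (the -a allowed-peer check, the PRI of the datagram, and which syslog.conf line a message falls under once the "!program" and "+host" blocks are applied) can be exercised offline with the following model. It is an added example written for this page; it is not code from the thread and not FreeBSD's syslogd, only a simplified re-implementation of the syslog.conf(5) matching rules. The config excerpt, the -a argument and the datagrams are constructed in the shape of the poster's setup. Two details worth knowing when reading the debug output: syslogd prints the "logmsg: pri" field in octal, so 275 there is decimal 189, i.e. local7.notice, in agreement with the tcpdump decode; and a "+host" block is compared against the host name syslogd attributes to the message, which is the "from" field of that same "logmsg:" line.

```python
"""
Added example (not from the thread, not FreeBSD's syslogd code): a small model
of what a BSD-style syslogd does with a received datagram, mirroring the
debug output quoted above:
  1. the -a allowed-peer rule ("allowaddr: rule 0: ... addr = 192.168.1.0,
     mask = 255.255.255.0; port = 0"),
  2. decoding the PRI value (printed in octal by "logmsg: pri ..."),
  3. the "!program" and "+host" blocks that scope syslog.conf action lines.
The config text, -a argument and datagrams below are constructed for the demo.
"""
import ipaddress
import re

# Facility codes from sys/syslog.h (index = code); 15 is syslogd's internal "mark".
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "mark",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """PRI = facility * 8 + severity; returns the (facility, severity) names."""
    facility, severity = divmod(pri, 8)
    if not 0 <= facility < len(FACILITIES):
        raise ValueError("facility code %d is not valid" % facility)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_allow_rules(specs):
    """Model of 'syslogd -a net/prefix:port' ('*' or no port = any port). As with
    syslogd's allowaddr(), host bits under the mask are dropped: 192.168.1.1/24
    becomes 192.168.1.0/24."""
    rules = []
    for spec in specs:
        net, _, port = spec.partition(":")
        rules.append((ipaddress.ip_network(net, strict=False),
                      None if port in ("", "*") else int(port)))
    return rules


def peer_allowed(src_ip, src_port, rules):
    """Index of the first -a rule accepting the datagram, or None if it is dropped."""
    addr = ipaddress.ip_address(src_ip)
    for i, (network, port) in enumerate(rules):
        if addr in network and port in (None, src_port):
            return i
    return None


def parse_conf(text):
    """Parse syslog.conf into (selectors, action, host_spec, prog_spec) tuples.
    '!prog' and '+host' open blocks that scope every following action line;
    '!*' and '+*' close them (a simplification of syslog.conf(5))."""
    entries, prog, host = [], "*", "*"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("!"):
            prog = line[1:].strip()
            continue
        if line.startswith("+"):
            host = line[1:].strip()
            continue
        selectors, action = re.split(r"\s+", line, maxsplit=1)
        entries.append((selectors, action, host, prog))
    return entries


def selector_matches(selectors, facility, severity):
    """Evaluate 'fac.level;fac.level...' as syslog.conf does: a plain level means
    that level or more severe, '=level' exactly that level, 'none' excludes the
    facility, and later selectors override earlier ones for the same facility."""
    sev_rank = SEVERITIES.index(severity)
    result = False
    for sel in selectors.split(";"):
        facs, _, level = sel.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if level == "none":
            result = False
        elif level == "*":
            result = True
        elif level.startswith("="):
            result = sev_rank == SEVERITIES.index(level[1:])
        else:
            result = sev_rank <= SEVERITIES.index(level)
    return result


def route(entries, pri, from_host, prog="-"):
    """Actions hit by a message with this PRI, attributed host and program name.
    'from_host' is the name syslogd attributes to the datagram (the 'from' field
    of its 'logmsg:' debug line); that is what a '+host' block is compared with,
    case-insensitively. Program names are compared exactly."""
    facility, severity = decode_pri(pri)
    actions = []
    for selectors, action, host, prog_spec in entries:
        if host != "*" and host.lower() != from_host.lower():
            continue
        if prog_spec != "*" and prog_spec != prog:
            continue
        if selector_matches(selectors, facility, severity):
            actions.append(action)
    return actions


# Constructed excerpt in the shape of the poster's /etc/syslog.conf.
CONF = """\
*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
*.=debug                                        /var/log/debug.log
!ppp
*.*                                             /var/log/ppp.log
!*
+192.168.1.1
*.*                                             /var/log/cisco857w.log
"""
RULES = parse_allow_rules(["192.168.1.1/24:*"])   # the poster's -a argument
ENTRIES = parse_conf(CONF)


def dispatch(src_ip, src_port, pri, from_host, prog="-"):
    """Whole path for one constructed datagram: -a check, then syslog.conf routing."""
    if peer_allowed(src_ip, src_port, RULES) is None:
        return "dropped by -a rules"
    return route(ENTRIES, pri, from_host, prog)


if __name__ == "__main__":
    print(decode_pri(int("275", 8)))                             # ('local7', 'notice')
    print(dispatch("192.168.1.1", 59189, 0o275, "192.168.1.1"))  # ['/var/log/cisco857w.log']
    print(dispatch("192.168.1.1", 59189, 0o275, "cisco857w"))    # []
    print(dispatch("10.0.0.5", 514, 0o275, "10.0.0.5"))          # dropped by -a rules
```

Running it shows the two things a practitioner would check against the debug output: the -a rule accepts the datagram exactly as "accepted in rule 0" reports, and the "+192.168.1.1" block only selects messages whose attributed host string is literally that address; a message attributed to any other name falls through every line (local7 is excluded from /var/log/messages by local7.none) and is written nowhere.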
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4ED442FF.4030206>