Date:      Sat, 8 Mar 2003 14:46:14 -0600
From:      "Chuck Rock" <carock@epctech.com>
To:        <freebsd-questions@freebsd.org>
Subject:   RE: Syslog problem
Message-ID:  <JDEAIDLKPMMILNJHADGCCEAKKHAA.carock@epctech.com>
In-Reply-To: <JDEAIDLKPMMILNJHADGCMEAGKHAA.carock@epctech.com>

I also ran snort and found these packets coming into my FreeBSD box...

03/08-14:11:42.239335 207.206.185.1:54139 -> 207.206.185.2:514
UDP TTL:255 TOS:0x0 ID:15618 IpLen:20 DgmLen:131
Len: 111
3C 31 38 37 3E 36 30 35 34 38 38 3A 20 4D 61 72  <187>605488: Mar
20 20 38 20 31 34 3A 31 31 3A 34 32 2E 30 37 33    8 14:11:42.073
20 43 53 54 3A 20 25 4C 49 4E 4B 2D 33 2D 55 50   CST: %LINK-3-UP
44 4F 57 4E 3A 20 49 6E 74 65 72 66 61 63 65 20  DOWN: Interface
56 69 72 74 75 61 6C 2D 41 63 63 65 73 73 34 36  Virtual-Access46
2C 20 63 68 61 6E 67 65 64 20 73 74 61 74 65 20  , changed state
74 6F 20 64 6F 77 6E                             to down

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/08-14:11:42.239755 207.206.185.1:54139 -> 207.206.185.2:514
UDP TTL:255 TOS:0x0 ID:15619 IpLen:20 DgmLen:153
Len: 133
3C 31 38 39 3E 36 30 35 34 38 39 3A 20 4D 61 72  <189>605489: Mar
20 20 38 20 31 34 3A 31 31 3A 34 33 2E 30 37 33    8 14:11:43.073
20 43 53 54 3A 20 25 4C 49 4E 45 50 52 4F 54 4F   CST: %LINEPROTO
2D 35 2D 55 50 44 4F 57 4E 3A 20 4C 69 6E 65 20  -5-UPDOWN: Line
70 72 6F 74 6F 63 6F 6C 20 6F 6E 20 49 6E 74 65  protocol on Inte
72 66 61 63 65 20 56 69 72 74 75 61 6C 2D 41 63  rface Virtual-Ac
63 65 73 73 34 36 2C 20 63 68 61 6E 67 65 64 20  cess46, changed
73 74 61 74 65 20 74 6F 20 64 6F 77 6E           state to down

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

You can see I got the packets with local7 facility, one at Severity 3 and
one at Severity 5.

The log files are still zero bytes.

Chuck

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Chuck Rock
Sent: Saturday, March 08, 2003 1:24 PM
To: freebsd-questions@FreeBSD.ORG
Subject: Syslog problem


For the last few versions of FreeBSD, I have not been able to get my syslog
to log my dial-up pool from my Cisco router.

I changed the syslog startup flags in rc.conf.

I'm running it now as /usr/sbin/syslogd -a 207.206.185.1/27 -a
209.83.132.1/27

The router is at .1 and configured to send its logging messages to local7.

syslog.conf is configured like this.

*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
cron.*                                          /var/log/cron
local0.*                                        /var/log/local-0
local1.*                                        /var/log/local-1
local2.*                                        /var/log/local-2
local3.*                                        /var/log/local-3
local4.*                                        /var/log/local-4
local5.*                                        /var/log/local-5
local6.*                                        /var/log/local-6
local7.*                                        /var/log/cisco
etc...

None of the syslog files for local facilities get data.

-rw-rw-r--  1 root  wheel  0 Mar  8 11:45 local-0
-rw-rw-r--  1 root  wheel  0 Mar  8 11:45 local-1
-rw-rw-r--  1 root  wheel  0 Mar  8 11:45 local-2
-rw-rw-r--  1 root  wheel  0 Mar  8 11:43 local-3
-rw-rw-r--  1 root  wheel  0 Mar  8 11:43 local-4
-rw-rw-r--  1 root  wheel  0 Mar  8 11:43 local-5
-rw-rw-r--  1 root  wheel  0 Mar  8 11:45 local-6
-rw-rw-r--  1 root  wheel  0 Mar  8 11:35 cisco

Yet I do see data coming into this machine on the syslog port using tcpdump.

tcpdump -w dumpfile1 -vvv port 514

kira(403):[/var/log]-#tcpdump -r dumpfile1
12:23:05.378296 gw.54139 > kira.epconline.net.syslog: udp 103
12:23:05.378540 gw.54139 > kira.epconline.net.syslog: udp 125
12:23:23.597642 gw.54139 > kira.epconline.net.syslog: udp 101
12:23:24.629645 gw.54139 > kira.epconline.net.syslog: udp 123
12:23:38.321355 gw.54139 > kira.epconline.net.syslog: udp 101
12:23:39.349425 gw.54139 > kira.epconline.net.syslog: udp 123
12:23:43.137243 gw.54139 > kira.epconline.net.syslog: udp 125
12:24:06.577077 gw.54139 > kira.epconline.net.syslog: udp 103
12:24:06.577266 gw.54139 > kira.epconline.net.syslog: udp 125

Cisco config...
!
logging 207.206.185.2

gw(config)#logging facility local7

I did notice though while I was messing around with this stuff, this was
logged on one of my ssh sessions...

kira(416):[/etc]-#Mar 8 12:48:39.517 radiusd[6916]
/usr/local/sbin/radiusd:users testing and DEFAULT not found
Mar 8 12:48:39.519 radiusd[6916] Authenticate: gw1645, id=54: Neither User
Nor Default Name: testing

This is the logging information from the router which should be going to a
file in /var/log

I grep'd for radiusd in /var/log/* and got no results.

Does anyone have any ideas? Any suggestions? I really need to get my Cisco
logging working.

Thanks,
Chuck Rock
Internet Services Manager
EPC, Inc.
http://www.epcusa.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
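As an added example (not code from the thread), the script below rebuilds the UDP payload from the first snort hex dump quoted above, decodes the syslog PRI header into facility and severity, and runs the result through the quoted syslog.conf selectors; the dump and selector lines are copied from the message, and the facility names for codes 12-15 are assumed from FreeBSD's syslog.h.

```python
import re

# RFC 3164 PRI = facility * 8 + severity; codes 12-15 follow FreeBSD's
# syslog.h (ntp, security, console) and 15 is unassigned there.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp security console fac15 local0 local1 local2 local3 "
              "local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Hex column of the first snort dump in the message (the <187> packet)
DUMP = """
3C 31 38 37 3E 36 30 35 34 38 38 3A 20 4D 61 72  <187>605488: Mar
20 20 38 20 31 34 3A 31 31 3A 34 32 2E 30 37 33    8 14:11:42.073
20 43 53 54 3A 20 25 4C 49 4E 4B 2D 33 2D 55 50   CST: %LINK-3-UP
44 4F 57 4E 3A 20 49 6E 74 65 72 66 61 63 65 20  DOWN: Interface
56 69 72 74 75 61 6C 2D 41 63 63 65 73 73 34 36  Virtual-Access46
2C 20 63 68 61 6E 67 65 64 20 73 74 61 74 65 20  , changed state
74 6F 20 64 6F 77 6E                             to down
"""
# The quoted syslog.conf selectors that can apply to a local7 message
CONF = """
*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.*                                      /var/log/security
local7.*                                        /var/log/cisco
"""

def payload_from_dump(dump):
    """Rebuild the UDP payload from snort's hex column (text column ignored)."""
    cols = (re.split(r"\s{2,}", ln.strip(), maxsplit=1)[0] for ln in dump.split("\n") if ln.strip())
    return bytes(int(tok, 16) for col in cols for tok in col.split()).decode("ascii")

def decode_pri(msg):
    """Split '<PRI>text' into (facility, severity, text)."""
    m = re.match(r"<(\d{1,3})>(.*)", msg, re.S)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI header")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)

def route(conf, facility, severity):
    """Files whose selector admits the message: 'fac.level' matches when fac is
    '*' or the facility and severity is at least as urgent as level ('*' = any)."""
    sev = SEVERITIES.index(severity)
    targets = []
    for line in conf.strip().splitlines():
        selectors, target = line.split()
        for sel in selectors.split(";"):
            fac, level = sel.rsplit(".", 1)
            if fac in ("*", facility) and (level == "*" or sev <= SEVERITIES.index(level)):
                targets.append(target)
                break
    return targets
```

Under these selectors the <187> (local7.err) and <189> (local7.notice) packets would both be written to /var/log/messages and /var/log/cisco, so zero-byte files point at syslogd not accepting or writing the datagrams rather than at a selector mismatch.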
