Date: Mon, 24 Nov 2008 12:05:52 -0600
From: David Alanis <canito@dalan.us>
To: freebsd-questions@freebsd.org
Subject: Syslog Suggestion - Help!
Message-ID: <20081124120552.5l2vjjzjxpgkw04k@mail.dalan.us>
In-Reply-To: <20081121060619.GA1057@gmail.com>
References: <20081121060619.GA1057@gmail.com>

Good Day,

A few days ago, I put FreeBSD on a Netra X1 to serve as our primary log host for our network devices, primarily to log for our CISCO ASA firewall. Once I configured syslog to capture remotely, I realized that syslog by default logs local information to /var/log/messages via: *.err *.info amongst others, causing duplicate firewall logs in /var/log/messages and in /var/log/firewall/logs.

My syslog: http://www.dalan.us/download/log

From what I understand, in syslog.conf I can specify a process id (or string? e.g. ftpd) and give it an action? Thus, redirect messages sent to the wrong facility and logged in the proper place, as in my example given below:

!ftpd
ftpd.err /var/log/ftp/1.log
ftpd.info /var/log/ftp/2.log

I fired up tcpdump and saw the following:

09:47:28.413584 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 154
09:47:28.413596 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 155
09:47:28.415157 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 134
09:47:28.415166 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 178

So the big question is, what best method can I employ to stop syslog from duplicating these messages? Can I use SYSLOG as a string?

!SYSLOG
local7.err /var/log/firewall/log
local7.info /var/log/firewall/1.log

Alternative?

+firewall
local7.err /var/log/firewall/log
local7.info /var/log/firewall/1.log

Lastly, I quickly reviewed syslog-ng, but I really want to keep this as simple as possible so no.

Thanks much for your help!

David

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
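
An added example, not part of the original message: a small Python model of how a syslog.conf selector field matches a message, showing why a local7.info message lands in two files and how a `local7.none` exclusion on the catch-all line changes that. The rule sets are constructed from the paths in the message; comparison flags and `!program` / `+host` blocks are not modelled.

```python
# Added example: simplified model of syslog.conf selector matching.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def selector_matches(selector, facility, level):
    """True if a 'fac.lvl;fac.lvl' selector field selects the message.

    Parts are applied left to right; the last part naming the facility
    (or '*') decides, which is how 'local7.none' cancels '*.info'.
    """
    selected = False
    for part in selector.split(";"):
        facs, _, lvl = part.strip().partition(".")
        names = facs.split(",")
        if facility not in names and "*" not in names:
            continue
        if lvl == "none":
            selected = False
        else:
            # A level selects messages at that severity or more severe.
            selected = lvl == "*" or SEVERITY[level] <= SEVERITY[lvl]
    return selected


def route(rules, facility, level):
    """Return every action (log file) whose selector matches, in rule order."""
    return [action for selector, action in rules
            if selector_matches(selector, facility, level)]


# Constructed rule sets using the paths from the message.
BEFORE = [
    ("*.info", "/var/log/messages"),
    ("local7.err", "/var/log/firewall/log"),
    ("local7.info", "/var/log/firewall/1.log"),
]
AFTER = [("*.info;local7.none", "/var/log/messages")] + BEFORE[1:]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, route(rules, "local7", "info"))
```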
