From: "Kanno, Ken" <kkanno@rivenet.com>
To: stable@freebsd.org
Subject: syslog config
Date: Tue, 17 Jul 2001 13:42:06 -0500

I'm having problems making syslog properly filter out messages to the correct files. We have a PIX that is sending a bunch of logs to the FreeBSD syslog machine.

Here is what I'm getting in /var/log/messages:

Jul 17 13:34:41 <4.5> gateway Jul 17 2001 12:35:27: %PIX-5-304001: 10.10.2.1 Accessed URL 206.40.47.5:/questions.html
Jul 17 13:34:43 <4.5> gateway Jul 17 2001 12:35:30: %PIX-5-304001: 10.10.2.1 Accessed URL 205.188.140.249:/image/93007873/aim/
Jul 17 13:34:47 <4.5> gateway Jul 17 2001 12:35:33: %PIX-5-304001: 10.10.2.9 Accessed URL 216.136.174.172:/slv/not3?v=2.0.1.7&t=12157301&.ta=cg,cc,ci
Jul 17 13:34:56 <4.5> gateway Jul 17 2001 12:35:42: %PIX-5-304001: 10.10.2.1 Accessed URL 205.188.140.249:/content/B0/0/iBL1O95LGrmfhtey6QEZXed5_17CpaPb3vA4nkXrnfJRrAUw7En0qPuQXCOlVMcp2WxXRddrW69mbitMrEl9gFmVB7z2uiEr51o6VNwLYIo$/aol
Jul 17 13:35:02 <4.5> gateway Jul 17 2001 12:35:48: %PIX-5-304001: 10.10.2.39 Accessed URL 205.188.136.217:/?action=aim&fields=snpghlocvAa&syms=AOL,INDEX:COMPX,INDEX:INDU,INDEX:INX

-----

How are these messages filtered out to their own files? The syntax of syslog.conf is different than, say, on Red Hat Linux, and lines such as:

local4.emerg	/var/log/pix/pix_msg0
local4.alert	/var/log/pix/pix_msg1
local4.crit	/var/log/pix/pix_msg2
local4.error	/var/log/pix/pix_msg3
local4.warn	/var/log/pix/pix_msg4
local4.notice	/var/log/pix/pix_msg5
local4.info	/var/log/pix/pix_msg6
local4.debug	/var/log/pix/pix_msg7

do not seem to do anything when added to the syslog.conf on FreeBSD. What is the correct syntax? I saw no examples under man for syslog, syslogd or syslog.conf.

I am currently running "syslogd -v". Below is my current syslog.conf:

# $FreeBSD: src/etc/syslog.conf,v 1.13.2.2 2001/02/26 09:26:11 phk Exp $
#
#	Spaces are NOT valid field separators in this file.
#	Consult the syslog.conf(5) manpage.
*.err;kern.debug;auth.notice;mail.crit	/dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
security.*	/var/log/security
mail.info	/var/log/maillog
lpr.info	/var/log/lpd-errs
cron.*	/var/log/cron
*.err	root
*.notice;news.err	root
*.alert	root
*.emerg	*
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info	/var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
#*.*	/var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*	@loghost
# uncomment these if you're running inn
# news.crit	/var/log/news/news.crit
# news.err	/var/log/news/news.err
# news.notice	/var/log/news/news.notice
!startslip
*.*	/var/log/slip.log
!ppp
*.*	/var/log/ppp.log

local4.emerg	/opt/syslog/pix_msg0
local4.alert	/opt/syslog/pix_msg1
local4.crit	/opt/syslog/pix_msg2
local4.error	/opt/syslog/pix_msg3
local4.warn	/opt/syslog/pix_msg4
local4.notice	/opt/syslog/pix_msg5
local4.info	/opt/syslog/pix_msg6
local4.debug	/opt/syslog/pix_msg7
----

KEN
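Added example, not part of the post above: a small Python model of how FreeBSD syslogd(8) picks the actions for one message from syslog.conf, run against an abbreviated copy of the posted file. Two things it makes visible: syslogd -v prefixes each locally written message with its numeric facility and priority, so the <4.5> on the PIX lines is facility 4 (auth) at level 5 (notice), not local4 (facility 20); and in the posted file the local4 lines come after "!ppp" with no "!*" to end that program block, so syslogd applies them only to messages from ppp. The config text and the message values are constructed from the post; the parser covers only the selector forms that file uses (no comparison flags).

```python
import re

# Numeric facility and level codes as in <sys/syslog.h>; "security" (13) is FreeBSD-specific.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5, "lpr": 6,
              "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11, "security": 13,
              **{f"local{i}": 16 + i for i in range(8)}}
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "error": 3, "warning": 4, "warn": 4,
          "notice": 5, "info": 6, "debug": 7, "*": 7}

def parse_conf(text):
    """syslog.conf text -> [(program, {facility: max_level}, action)]; fields are tab-separated."""
    rules, program = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):                       # '!prog' opens a program block, '!*' closes it
            program = None if line[1:] == "*" else line[1:]
            continue
        selectors, action = re.split(r"\t+", line, maxsplit=1)
        pmask = {}
        for sel in selectors.split(";"):
            facs, level = sel.rsplit(".", 1)
            lvl = None if level == "none" else LEVELS[level]   # None switches the facility off
            for fac in (list(FACILITIES) if facs == "*" else facs.split(",")):
                pmask[FACILITIES[fac]] = lvl                    # later selectors on a line win
        rules.append((program, pmask, action))
    return rules

def route(rules, facility, level, program=None):
    """Actions that receive a message of numeric facility/level (a selector matches its level or more severe)."""
    return [action for prog, pmask, action in rules
            if (prog is None or prog == program)
            and pmask.get(facility) is not None and level <= pmask[facility]]

# Abbreviated from the syslog.conf in the post, with real tabs between the fields.
POSTED_CONF = ("*.err;kern.debug;auth.notice;mail.crit\t/dev/console\n"
               "*.notice;kern.debug;lpr.info;mail.crit;news.err\t/var/log/messages\n"
               "security.*\t/var/log/security\n"
               "!ppp\n*.*\t/var/log/ppp.log\n"
               "local4.notice\t/opt/syslog/pix_msg5\nlocal4.info\t/opt/syslog/pix_msg6\n")
# The same file with a '!*' line closing the ppp block before the local4 rules.
FIXED_CONF = POSTED_CONF.replace("/var/log/ppp.log\n", "/var/log/ppp.log\n!*\n")

if __name__ == "__main__":
    print(route(parse_conf(POSTED_CONF), 4, 5))   # the '<4.5>' lines: facility 4 = auth, level 5 = notice
    print(route(parse_conf(POSTED_CONF), 20, 5))  # a genuine local4.notice against the posted file
    print(route(parse_conf(FIXED_CONF), 20, 5))   # ... and once '!*' ends the ppp block
```

The last run also shows that local4.info receives the notice as well, since a plain level selector matches that level and everything more severe; FreeBSD's syslog.conf(5) comparison flag (for example local4.=notice) restricts a line to one level.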