Date:      Tue, 17 Jul 2001 14:58:46 -0500
From:      "Kanno, Ken" <kkanno@rivenet.com>
To:        'Mike Hoskins' <mike@adept.org>
Cc:        "'stable@freebsd.org'" <stable@freebsd.org>
Subject:   RE: syslog config
Message-ID:  <0C3A66859AEF6E42A1B4AB53307B77AA0AF4D3@ex02.ad.rivenet.com>

When I removed the "*.notice" as you suggested, nothing gets logged at all,
period.

-----Original Message-----
From: Mike Hoskins [mailto:mike@adept.org]
Sent: Tuesday, July 17, 2001 2:26 PM
To: Kanno, Ken
Cc: 'stable@freebsd.org'
Subject: Re: syslog config


On Tue, 17 Jul 2001, Kanno, Ken wrote:

> Jul 17 13:34:41 <4.5> gateway Jul 17 2001 12:35:27: %PIX-5-304001: 10.10.2.1
> Accessed URL 206.40.47.5:/questions.html
> Jul 17 13:34:43 <4.5> gateway Jul 17 2001 12:35:30: %PIX-5-304001: 10.10.2.1
> Accessed URL 205.188.140.249:/image/93007873/aim/

Yikes.  Do you really need to log this religiously?  I crank my PIX log
levels down a bit on purpose.  But I'm in a smaller office where I trust
everyone enough to not want/need to look at URLs they're accessing.

I'd like to trim it down when it works properly.


> I saw no examples under man for syslog, syslogd or syslog.conf

Not entirely true.

True enough to where what I want to do does not work and I don't know
why or know where to look next.

> # $FreeBSD: src/etc/syslog.conf,v 1.13.2.2 2001/02/26 09:26:11 phk Exp $
> #
> #       Spaces are NOT valid field separators in this file.
> #       Consult the syslog.conf(5) manpage.
> *.err;kern.debug;auth.notice;mail.crit          /dev/console
> *.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
  ^^^^^^^^
Here's your problem.  ALL notice messages go to /var/log/messages
regardless of where else they're routed.  Since you're using a facility of
local4 on the PIX, I'd suggest adding 'local4.none' to the line
above.  That will prevent local4.notice messages from being sent to
/var/log.

Later,
-Mike
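
The selector behaviour described in the message above, as an added example that is not part of the original thread: a simplified Python model of syslog.conf(5) selector lists, showing where a local4.notice message lands before and after `local4.none` is appended. The `local4.notice` line and its path `/var/log/pix.log` are hypothetical, since the thread does not show that part of the file, and comparison flags and program/host blocks are not modelled.

```python
# Added example: simplified model of syslog.conf(5) selector matching.
# Not modelled: comparison flags (=, <, >, !) and program/host blocks.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def line_logs(selectors, facility, priority):
    """True if a facility.priority message is logged by this selector list.

    Entries are applied left to right: a later entry for the same facility
    replaces the earlier threshold, and level 'none' switches it off.
    """
    logged = False
    for entry in selectors.split(";"):
        facilities, _, level = entry.rpartition(".")
        for fac in facilities.split(","):
            if fac not in ("*", facility):
                continue
            if level == "none":
                logged = False
            elif level == "*":
                logged = True
            else:
                logged = PRIORITIES.index(priority) >= PRIORITIES.index(level)
    return logged

def destinations(conf, facility, priority):
    """List the actions (files, devices) that receive the message."""
    hits = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        if line_logs(selectors, facility, priority):
            hits.append(action)
    return hits

# First two lines are quoted in the thread; the local4 line and its
# path /var/log/pix.log are hypothetical (the thread does not show them).
ORIGINAL = (
    "*.err;kern.debug;auth.notice;mail.crit\t/dev/console\n"
    "*.notice;kern.debug;lpr.info;mail.crit;news.err\t/var/log/messages\n"
    "local4.notice\t/var/log/pix.log\n"
)
# Suggested change: local4.none appended after *.notice on the messages line.
FIXED = ORIGINAL.replace("news.err\t", "news.err;local4.none\t")

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, destinations(conf, "local4", "notice"))
```

Because entries are applied in order, `local4.none` only has an effect when it comes after `*.notice` in the same selector list.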
