Date: Sun, 25 Oct 1998 22:28:19 -0600
From: "Jeffrey J. Mountin"
To: Mike Jenkins, madrapour@hotmail.com
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Again logging!

At 07:25 PM 10/25/98 -0600, Mike Jenkins wrote:
>I just installed the tcp_wrappers package and wrapped telnetd to test.
>The first thing I noticed was that tcpd only syslogged denied connections.
>(The message went to /var/log/messages.) The second thing I noticed was
>that argv[0] is the service name (telnetd) and not tcpd. Therefore,
>the tag for tcpd in syslog.conf is not going to work. Interesting.
>Turns out tcpd logs both allowed and denied connections. You only
>see the denied ones because the default syslog.conf logs auth.notice
>but not auth.info (the tcp_wrappers port/package uses the auth facility).
>Add an auth line to the top of syslog.conf sort of like this:
>
>  auth.*	/var/log/auth.log
>
>And, of course, create /var/log/auth.log and HUP syslogd.

I don't think he wanted it to go to auth. Still prefer to change line 319 of patch-aa, recompile, and edit syslog.conf.

################################################################ # Optional: Changing the default disposition of logfile records *************** *** 484,490 **** # # The LOG_XXX names below are taken from the /usr/include/syslog.h file. ! FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use # The syslog priority at which successful connections are logged. --- 484,491 ---- # # The LOG_XXX names below are taken from the /usr/include/syslog.h file. ! #FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use ! FACILITY= LOG_LOCAL7 ^^^^^^^^^^

Pretty simple.

Jeff Mountin - Unix Systems TCP/IP networking
jeff@mountin.net
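
Review bot: The new `FACILITY= LOG_LOCAL7` line on the 484,491 side has no comment, while the line it replaces documented its choice ("LOG_MAIL is what most sendmail daemons use"). Add a short comment stating that tcpd records now go to local7 and that syslog.conf needs a matching local7 selector. The hunk changes only the facility, so records at the priority mentioned in the next context line ("The syslog priority at which successful connections are logged") may not be written anywhere until that selector exists. Also consider deleting the old LOG_MAIL assignment instead of leaving it commented out, so the file contains a single FACILITY line to audit.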
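
The selector behaviour described in the quoted reply (auth.notice catches refusals but not the auth.info records for accepted connections), as an added example that is not part of the original message: a simplified Python model of syslog.conf selector matching. The config snippets are constructed, /var/log/tcpd.log is a hypothetical path, and logging refusals at warning priority is an assumption.

```python
# Simplified model of BSD syslog.conf selector matching (added example).
# Severity names, most severe first, as in /usr/include/syslog.h.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def line_matches(selectors, facility, severity):
    """True if a ';'-separated selector field matches the message.
    'fac.level' matches that level and anything more severe; a later
    selector for the same facility overrides an earlier one."""
    matched = False
    for sel in selectors.split(";"):
        facs, level = sel.split(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue  # selector does not cover this facility
        if level == "none":
            matched = False
        elif level == "*":
            matched = True
        else:
            matched = SEVERITIES.index(severity) <= SEVERITIES.index(level)
    return matched

def destinations(conf, facility, severity):
    """Return the action field of every config line that matches."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        if line_matches(selectors, facility, severity):
            out.append(action.strip())
    return out

# Constructed configs, not copied from any real system.
STOCK = "auth.notice\t/var/log/messages\n"
WITH_AUTH = "auth.*\t/var/log/auth.log\n" + STOCK
# Hypothetical destination for a tcpd rebuilt with FACILITY= LOG_LOCAL7.
WITH_LOCAL7 = STOCK + "local7.*\t/var/log/tcpd.log\n"

if __name__ == "__main__":
    # Assumption: accepted connections log at info, refused ones at warning.
    for name, conf, fac in [("stock", STOCK, "auth"), ("auth.*", WITH_AUTH, "auth"),
                            ("local7", WITH_LOCAL7, "local7")]:
        for sev in ("info", "warning"):
            print(f"{name:7} {fac}.{sev:8} -> {destinations(conf, fac, sev)}")
```
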