From: "Brian A. Seklecki"
To: "B. Cook"
Cc: FreeBSD Questions
Subject: Re: syslog.conf questions..
Date: Tue, 26 Jun 2007 11:20:50 -0400
Organization: Collaborative Fusion, Inc.
Message-Id: <1182871250.67654.47.camel@soundwave.pgh.priv.collaborativefusion.com>
In-Reply-To: <467187FC.30104@poughkeepsieschools.org>
References: <467187FC.30104@poughkeepsieschools.org>

ports/sysutils/syslog-ng2

You can apply an ACL that checks the source(), remote IP, priority,
facility, regexp, etc and route it to a specific destination (file) and
choose to finalize it or not.

Syslogd(8) for minimalistic configs like single-purpose machines.

~BAS

On Thu, 2007-06-14 at 14:25 -0400, B. Cook wrote:
> Hello all,
>
> I am trying to have different cisco routers log to a different log file.
> The log file is located on a 6.2 box running the stock syslogd. For
> what it is worth I have nine of these, only three are shown
>
> syslogd is running with -n -vv -d at the moment.. I did not have to
> specify -a 10.20.250.54:* to allow it to log.. (is that part of the
> problem..?)
>
> But the question is.. I do get logs from the respective hosts in the log
> files that I have specified, but I do not understand why syslogd is also
> catching them in the original local7.* /var/log/router/3620.log when as
> far as I can tell they are setup correctly.
>
> below is the relevant portions of the syslog.conf.
>
> [~]# 18 > egrep -v "#" /etc/syslog.conf | cat -n
>      1
>      2  +10.20.250.54
>      3  *.*                         /var/log/router/circle.log
>      4  -10.20.250.54
>      5
>      6  +10.20.250.42
>      7  *.*                         /var/log/router/columbus.log
>      8  -10.20.250.42
>      9
>     10  +10.20.250.38
>     11  *.*                         /var/log/router/clinton.log
>     12  -10.20.250.38
>     13
>     14  +10.20.0.10
>     15  *.*                         /var/log/router/tcentral.log
>     16  -10.20.0.10
>     17
>     18  *.err;kern.warning;auth.notice;mail.crit    /dev/console
>     19  *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err
> /var/log/messages
>     20  security.*                  /var/log/security
>     21  auth.info;authpriv.info     /var/log/auth.log
>     22  mail.info                   /var/log/maillog
>     23  lpr.info                    /var/log/lpd-errs
>     24  ftp.info                    /var/log/xferlog
>     25  local7.*                    /var/log/router/3620.log
>     26  cron.*                      /var/log/cron
>     27  *.=debug                    /var/log/debug.log
>     28  *.emerg                     *
>     29  !startslip
>     30  *.*                         /var/log/slip.log
>     31  !ppp
>     32  *.*                         /var/log/ppp.log
>
>
>
> and with syslogd in debug mode I see this:
>
> and tcvthname(10.20.250.38)
> logmsg: pri 276, flags 0, from 10.20.250.38, msg 1262: Jun 14
> 18:13:04.770: %SEC-6-IPACCESSLOGP: list 2044 denied udp
> 10.20.18.28(1039) -> 10.20.0.212(161), 1 packet
> Logging to FILE /var/log/router/clinton.log
> Logging to FILE /var/log/router/3620.log
>
> cvthname(10.20.250.42)
> logmsg: pri 276, flags 0, from 10.20.250.42, msg 68: Jun 14
> 18:13:04.835: %SEC-6-IPACCESSLOGP: list 2044 denied udp 10.20.8.57(1040)
> -> 10.20.3.60(161), 4 packets
> Logging to FILE /var/log/router/columbus.log
> Logging to FILE /var/log/router/3620.log
>
> I do not understand why the local7.* is still getting caught.. From what
> I understood from the man page, the - tells it to stop logging from that
> host.
>
> Whatever the last 'host' entry is in the syslog.conf that host will not
> log into both files.
>
> from the 10.20.0.10 host I have configured syslog:
>
> local7.*                        @10.20.0.29
> and when I run logger:
>
> date | logger -p local7.debug
>
> cvthname(10.20.0.10)
> logmsg: pri 277, flags 0, from 10.20.0.10, msg Jun 14 14:21:03 bcook:
> Thu Jun 14 14:21:03 EDT 2007
> Logging to FILE /var/log/router/tcentral.log
>
> I get what I think I should..
>
> Why do the previous entries not act the same as the last one?
>
> What am I missing?

-- 
Brian A. Seklecki
Collaborative Fusion, Inc.
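
An added example, not part of the thread and not syslogd's own code: a small Python model of the host-block matching documented in FreeBSD's syslog.conf(5), where `+host` selects one sender and `-host` selects every sender except that one, run over the quoted configuration trimmed to the router rules. It assumes single `facility.*` selectors, the function names are made up for illustration, and `decode_pri` reads the `pri` field of the `-d` trace as octal.

```python
# Constructed from the syslog.conf quoted in the message, trimmed to the
# rules that can match the routers' local7 traffic.
CONF = """\
+10.20.250.54
*.*      /var/log/router/circle.log
-10.20.250.54
+10.20.250.42
*.*      /var/log/router/columbus.log
-10.20.250.42
+10.20.250.38
*.*      /var/log/router/clinton.log
-10.20.250.38
+10.20.0.10
*.*      /var/log/router/tcentral.log
-10.20.0.10
local7.* /var/log/router/3620.log
"""

def parse(conf):
    """Return [(host_spec, facility, action)] using the latest +/- line."""
    rules, spec = [], "+*"              # "+*" means any host (the default)
    for line in conf.splitlines():
        line = line.strip()
        if not line:
            continue
        if line[0] in "+-":
            spec = line                 # replaces the previous spec; no stacking
            continue
        selector, action = line.split(None, 1)
        rules.append((spec, selector.split(".")[0], action))
    return rules

def host_matches(spec, sender):
    if spec == "+*":
        return True
    named = spec[1:] == sender
    # "+host": only that host; "-host": every host except that one
    return named if spec[0] == "+" else not named

def destinations(conf, sender, facility):
    """Files a message from `sender` with `facility` is written to."""
    return [action for spec, fac, action in parse(conf)
            if host_matches(spec, sender) and fac in ("*", facility)]

def decode_pri(debug_pri):
    """Decode the octal pri from the -d trace: '276' -> ('local7', 6)."""
    value = int(debug_pri, 8)
    fac = value >> 3
    return (f"local{fac - 16}" if 16 <= fac <= 23 else str(fac), value & 7)
```

The model returns the same two files for 10.20.250.38 and 10.20.250.42 that the debug trace shows, and only tcentral.log for 10.20.0.10, the one host named by the final `-` line.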