From: Daniel Schrock <dschrock@speakeasy.net>
Date: Tue, 21 Jan 2003 14:16:41 -0600
To: Bsd Neophyte, freebsd-questions@freebsd.org
Subject: Re: still having syslog problems

Bsd Neophyte wrote:
>
> Unfortunately, I don't know the severity rating of the messages that the
> firewall is sending.

Starting syslogd with the '-vv' flags will tell you the facility and priority.
This is great for testing new logs.

>
> Maybe you can help me out.
> A typical message looks like this:
>
> Jan 20 20:19:08 <16.5> (806 hostname) id=firewall sn=(serial number of
> webramp) time="2003-01-20 20:19:07" fw=(some ip address) pri=5 c=256 m=38
> msg="ICMP packet dropped" n=2956 src==(some ip address) dst==(some ip
> address) rule=0^M
>
> Again, an assumption, but I think that pri=5 means priority 5, which seems
> to be a notification level event with the Cisco router.
>
> If this is the case, how could I redirect only FreeBSD notifications to go
> to messages?
>
> This is what I have right now:
>
> ------
> # external hosts (router and firewall)
> !router
> local7.*        /var/log/router-logs
> #local7.alert   /var/log/router-logs
> #local7.crit    /var/log/router-logs
> #local7.debug   /var/log/router-logs
> #local7.emerg   /var/log/router-logs
> #local7.err     /var/log/router-logs
> #local7.info    /var/log/router-logs
> #local7.notice  /var/log/router-logs
> #local7.warn    /var/log/router-logs
> ------
>
> I made the files ahead of time by doing a "touch router-logs". Also, is
> noting this as " !router " allowable?
>
> I didn't get a clear indication of how to do it in the documentation. Is
> it local0.notice or something?

The Cisco logging facility is configurable:

----from my 2509 config:
!
logging facility local4
logging 192.168.23.200

----from my /etc/syslog.conf
*.notice;authpriv.none;auth.none;daemon.none;local0.none;local4.none;local5.none;local7.none;kern.none    /var/log/messages
[...skip...]
!*
local0.*    /var/log/ipmon.log
local4.*    /var/log/router.log
local5.*    /var/log/switch.log
local7.*    /var/log/dhcpd.log
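Decoding the "<16.5>" tag from the quoted firewall message and evaluating the two syslog.conf fragments in this thread, as an added Python example (not code from either poster). The config lists are constructed from the fragments above; the selector and "!prog" / "!*" program-block rules follow syslog.conf(5) as I know them, and comparison flags such as ".=notice" are deliberately not handled.

```python
# Facility/priority codes from <sys/syslog.h> (RFC 3164): facility = PRI >> 3, priority = PRI & 7.
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr",
            7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp", 12: "ntp",
            13: "security", 14: "console", **{16 + i: f"local{i}" for i in range(8)}}
PRIORITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LEVEL = {**{p: i for i, p in enumerate(PRIORITY)}, "warn": 4, "error": 3, "panic": 0}  # aliases too

def decode_tag(tag):
    """'<16.5>' or '<local0.notice>' (syslogd -v/-vv tags) or raw PRI '<133>' -> (facility, priority)."""
    body = tag.strip("<>")
    if body.isdigit():                       # raw PRI byte: 133 -> local0, notice
        return FACILITY[int(body) >> 3], PRIORITY[int(body) & 7]
    fac, pri = body.split(".")
    return (FACILITY[int(fac)] if fac.isdigit() else fac,
            PRIORITY[int(pri)] if pri.isdigit() else pri)

def parse_selector(selector):
    """'*.notice;local4.none' -> {facility: highest level code logged, or None}.
    Later terms override earlier ones: 'local4.none' carves local4 out of '*.notice'."""
    table = {}
    for term in selector.split(";"):
        facs, level = term.rsplit(".", 1)
        for name in (FACILITY.values() if facs == "*" else facs.split(",")):
            table[name] = None if level == "none" else (7 if level == "*" else LEVEL[level])
    return table

def route(conf_lines, facility, priority, program="-"):
    """Action field of every syslog.conf line that receives the message. A '!prog'
    line limits the lines after it to messages tagged with that program; '!*' lifts it."""
    prog_filter, dests = "*", []
    for line in conf_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue                          # blank line or comment
        if line.startswith("!"):
            prog_filter = line[1:].strip()
            continue
        selector, action = line.split(None, 1)
        limit = parse_selector(selector).get(facility)
        if prog_filter in ("*", program) and limit is not None and LEVEL[priority] <= limit:
            dests.append(action)
    return dests
# The two syslog.conf fragments from this thread, as constructed lists of lines.
NEOPHYTE_CONF = ["# external hosts (router and firewall)", "!router", "local7.* /var/log/router-logs"]
DANIEL_CONF = [
    "*.notice;authpriv.none;auth.none;daemon.none;local0.none;local4.none;"
    "local5.none;local7.none;kern.none /var/log/messages",
    "!*", "local0.* /var/log/ipmon.log", "local4.* /var/log/router.log",
    "local5.* /var/log/switch.log", "local7.* /var/log/dhcpd.log",
]
```

Running route() over NEOPHYTE_CONF shows why the "!router" line matters: nothing reaches /var/log/router-logs unless the message is tagged with the program name "router", whereas the "!*" in the second config lifts that restriction for the lines that follow.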