Date: Mon, 24 Nov 2008 12:05:52 -0600
From: David Alanis <canito@dalan.us>
To: freebsd-questions@freebsd.org
Subject: Syslog Suggestion - Help!
Message-ID: <20081124120552.5l2vjjzjxpgkw04k@mail.dalan.us>
In-Reply-To: <20081121060619.GA1057@gmail.com>
References: <20081121060619.GA1057@gmail.com>

Good Day,

A few days ago, I put FreeBSD on a Netra X1 to serve as our primary log host for our network devices, primarily to log for our Cisco ASA firewall.

Once I configured syslog to capture remotely, I realized that syslog by default logs local information to /var/log/messages via: *.err *.info amongst others, causing duplicate firewall logs in /var/log/messages and in /var/log/firewall/logs

My syslog: http://www.dalan.us/download/log

From what I understand, in syslog.conf I can specify a process id (or string? e.g. ftpd) and give it an action? Thus, redirect messages sent to the wrong facility and logged in the proper place, as in my example given below:

    !ftpd
    ftpd.err     /var/log/ftp/1.log
    ftpd.info    /var/log/ftp/2.log

I fired up tcpdump and saw the following:

    09:47:28.413584 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 154
    09:47:28.413596 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 155
    09:47:28.415157 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 134
    09:47:28.415166 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 178

So the big question is, what best method can I employ to stop syslog from duplicating these messages? Can I use SYSLOG as a string?

    !SYSLOG
    local7.err     /var/log/firewall/log
    local7.info    /var/log/firewall/1.log

Alternative?

    +firewall
    local7.err     /var/log/firewall/log
    local7.info    /var/log/firewall/1.log

Lastly, I quickly reviewed syslog-ng, but I really want to keep this as simple as possible so no.

Thanks much for your help!

David
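
The duplication described in the message above can be reproduced with a small model of syslog.conf selector matching; this is an added example, not part of the original e-mail and not syslogd's own code. It shows which files a local7 message reaches before and after the catch-all line gets a local7.none selector. Assumptions: the `*.info;authpriv.none` line for /var/log/messages is constructed (the poster's actual config is not shown on this page), and the model covers only `facility.level`, `*`, comma lists and `none`, not comparison flags or `!program` / `+host` blocks.

```python
# Added example: simplified model of syslog.conf selector matching.
# A selector "facility.level" accepts that level and anything more severe.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def selector_matches(selectors, facility, level):
    """Evaluate a ';'-separated selector list left to right.

    Each selector overrides the earlier ones for the facilities it names,
    so the last selector that mentions the facility decides the outcome.
    """
    matched = False
    for sel in selectors.split(";"):
        facs, _, lvl = sel.strip().rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if lvl == "none":
            matched = False          # facility explicitly excluded
        elif lvl == "*":
            matched = True           # every level accepted
        else:
            matched = LEVELS.index(level) <= LEVELS.index(lvl)
    return matched


def destinations(conf, facility, level):
    """Return every action whose selectors accept facility.level."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        if selector_matches(selectors, facility, level):
            out.append(action)
    return out


# Constructed configs. File paths are taken from the message; the catch-all
# selector list on the first line is an assumption made for this example.
BEFORE = """\
*.info;authpriv.none        /var/log/messages
local7.err                  /var/log/firewall/log
local7.info                 /var/log/firewall/1.log
"""
AFTER = BEFORE.replace("authpriv.none", "authpriv.none;local7.none")

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, "local7.info ->", destinations(conf, "local7", "info"))
        print(name, "local7.err  ->", destinations(conf, "local7", "err"))
```

Note that a local7.err message still lands in both firewall files after the change, because the `local7.info` selector accepts info and every more severe level.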