syslog.conf questions..

Brian A. Seklecki bseklecki at collaborativefusion.com
Tue Jun 26 15:20:52 UTC 2007


ports/sysutils/syslog-ng2

You can apply an ACL that checks the source(), remote IP, priority,
facility, regexp, etc and route it to a specific destination (file) and
choose to finalize it or not.

Syslogd(8) for minimalistic configs like single-purpose machines.

~BAS

On Thu, 2007-06-14 at 14:25 -0400, B. Cook wrote:
> Hello all,
> 
> I am trying to have different cisco routers log to a different log file. 
>   The log file is located on a 6.2 box running the stock syslogd.  For 
> what it is worth I have nine of these, only three are shown
> 
> syslogd is running with -n -vv -d at the moment.. I did not have to 
> specify -a 10.20.250.54:* to allow it to log.. (is that part of the 
> problem..?)
> 
> But the question is.. I do get logs from the respective hosts in the log 
> files that I have specified, but I do not understand why syslogd is also 
> catching them in the original local7.* /var/log/router/3620.log when as 
> far as I can tell they are set up correctly.
> 
> Below are the relevant portions of the syslog.conf.
> 
>   [~]# 18 > egrep -v "#" /etc/syslog.conf  | cat -n
>       1
>       2  +10.20.250.54
>       3  *.*                             /var/log/router/circle.log
>       4  -10.20.250.54
>       5
>       6  +10.20.250.42
>       7  *.*                             /var/log/router/columbus.log
>       8  -10.20.250.42
>       9
>      10  +10.20.250.38
>      11  *.*                             /var/log/router/clinton.log
>      12  -10.20.250.38
>      13
>      14  +10.20.0.10
>      15  *.*                            /var/log/router/tcentral.log
>      16  -10.20.0.10
>      17
>      18  *.err;kern.warning;auth.notice;mail.crit     /dev/console
>      19  *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err 
>   /var/log/messages
>      20  security.*                          /var/log/security
>      21  auth.info;authpriv.info             /var/log/auth.log
>      22  mail.info                          /var/log/maillog
>      23  lpr.info                               /var/log/lpd-errs
>      24  ftp.info                                 /var/log/xferlog
>      25  local7.*                                /var/log/router/3620.log
>      26  cron.*                                   /var/log/cron
>      27  *.=debug                                /var/log/debug.log
>      28  *.emerg                                         *
>      29  !startslip
>      30  *.*                                    /var/log/slip.log
>      31  !ppp
>      32  *.*                                     /var/log/ppp.log
> 
> 
> 
> and with syslogd in debug mode I see this:
> 
> and tcvthname(10.20.250.38)
> logmsg: pri 276, flags 0, from 10.20.250.38, msg 1262: Jun 14 
> 18:13:04.770: %SEC-6-IPACCESSLOGP: list 2044 denied udp 
> 10.20.18.28(1039) -> 10.20.0.212(161), 1 packet
> Logging to FILE /var/log/router/clinton.log
> Logging to FILE /var/log/router/3620.log
> 
> cvthname(10.20.250.42)
> logmsg: pri 276, flags 0, from 10.20.250.42, msg 68: Jun 14 
> 18:13:04.835: %SEC-6-IPACCESSLOGP: list 2044 denied udp 10.20.8.57(1040) 
> -> 10.20.3.60(161), 4 packets
> Logging to FILE /var/log/router/columbus.log
> Logging to FILE /var/log/router/3620.log
> 
> I do not understand why the local7.* is still getting caught.. From what 
> I understood from the man page, the - tells it to stop logging from that 
> host.
> 
> Whatever the last 'host' entry is in the syslog.conf that host will not 
> log into both files.
> 
> from the 10.20.0.10 host I have configured syslog:
> 
> local7.*  @10.20.0.29
> and when I run logger:
> 
> date | logger -p local7.debug
> 
> cvthname(10.20.0.10)
> logmsg: pri 277, flags 0, from 10.20.0.10, msg Jun 14 14:21:03 bcook: 
> Thu Jun 14 14:21:03 EDT 2007
> Logging to FILE /var/log/router/tcentral.log
> 
> I get what I think I should..
> 
> Why do the previous entries not act the same as the last one?
> 
> What am I missing?
> 
-- 
Brian A. Seklecki <bseklecki at collaborativefusion.com>
Collaborative Fusion, Inc.
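
The routing described in the reply (filter on the sender's IP and other fields, write to a per-router file, and choose whether to finalize), sketched as an added syslog-ng configuration that is not part of the original message. The statement names (s_net, f_clinton, d_clinton and so on) and the UDP listener on port 514 are assumptions; the addresses and file paths are the ones in the quoted syslog.conf.

```conf
# Added example, not from the original thread. Names s_*, f_*, d_* are
# hypothetical; the listener address and port are assumptions.

# Receive syslog from the routers over UDP.
source s_net { udp(ip("0.0.0.0") port(514)); };

# One filter per sender, matched on the packet's source address.
filter f_clinton  { netmask("10.20.250.38/255.255.255.255"); };
filter f_columbus { netmask("10.20.250.42/255.255.255.255"); };
filter f_tcentral { netmask("10.20.0.10/255.255.255.255"); };

# Catch-all for the facility the routers log to.
filter f_local7 { facility(local7); };

destination d_clinton  { file("/var/log/router/clinton.log"); };
destination d_columbus { file("/var/log/router/columbus.log"); };
destination d_tcentral { file("/var/log/router/tcentral.log"); };
destination d_3620     { file("/var/log/router/3620.log"); };

# Log statements are evaluated in order. flags(final) stops processing
# for a matching message, so it never reaches the local7 catch-all below.
log { source(s_net); filter(f_clinton);  destination(d_clinton);  flags(final); };
log { source(s_net); filter(f_columbus); destination(d_columbus); flags(final); };

# Not finalized: messages from this host are written here and, if they
# are local7, to 3620.log as well.
log { source(s_net); filter(f_tcentral); destination(d_tcentral); };

# Everything on local7 that was not finalized above.
log { source(s_net); filter(f_local7); destination(d_3620); };
```

The per-host statements have to appear before the catch-all, because a finalized message only skips the log statements that come after the one that matched.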



