Syslog server not logging remote machines to file?

Kaya Saman kayasaman at gmail.com
Sat Nov 19 17:01:03 UTC 2011


On 11/19/2011 06:52 PM, Robert Bonomi wrote:
>>  From kayasaman at gmail.com  Sat Nov 19 09:33:08 2011
>> Date: Sat, 19 Nov 2011 17:31:50 +0200
>> From: Kaya Saman<kayasaman at gmail.com>
>> To: Robert Bonomi<bonomi at mail.r-bonomi.com>
>> CC: freebsd-questions at freebsd.org
>> Subject: Re: Syslog server not logging remote machines to file?
>>
>> On 11/19/2011 05:21 PM, Robert Bonomi wrote:
>>> Kaya Saman<kayasaman at gmail.com>   wrote:
>>>> Hi,
>>>>
>>>> I've got a really strange problem which seems to either be a bug with
>>>> the syslog server service or perhaps because I'm running jails on my
>>>> system.....
>>>>
>>>> I can log my router syslog information but somehow the syslog server
>>>> doesn't put the information into the designated file; which should be
>>>> /var/log/cisco857w.log???
>>>>
>>> The -usual- 'gotcha' for this situation is that you have to _create_ the
>>> file FIRST, and then tell syslogd to reload its configuration.  (i.e.
>>> 'kill -HUP' the PID for syslogd)
>>>
>>>
>> That's ok, however due to me running syslogd in debug mode anyway - ctrl
>> + c should do that anyway..... I performed a: ps aux | grep syslog with
>> no result other than my 'grepping' displayed.
>>
>> Meaning that the syslog daemon should have reloaded right? - I mean it's
>> standard for everything else which works in that way!
> Well if ps -aux doesn't show any syslogd entry, then syslogd is -not-
> running -- which would explain why it's not logging anything to the file :)
>
> If you're stopping and restarting syslogd, then, yes, that causes it to
> re-read the configuration.
>
> This begs the question, however, *DOES* that file exist?  syslog does _not_
> _create_ a missing logfile, just because it is mentioned in the syslog.conf
> file.
>
Robert,

I can assure you that syslogd is running, hence the logging posted within my 
first email to the list. When run with the -d and -vv flags set in 
/etc/rc.conf I need to use ctrl + c to break out of it as it logs 
directly to the tty.

Just to go over it again, output from syslogd with -d and -vv flags set 
running in debug mode shows:

{

logmsg: pri 56, flags 4, from Server, msg syslogd: restart
syslogd: restarted
logmsg: pri 6, flags 4, from Server, msg syslogd: kernel boot file is /boot/kernel/kernel
Logging to FILE /var/log/messages
syslogd: kernel boot file is /boot/kernel/kernel
logmsg: pri 166, flags 17, from Server, msg Nov 19 12:33:34 <syslog.err> Server syslogd: exiting on signal 2
cvthname(192.168.1.1)
validate: dgram from IP 192.168.1.1, port 59189, name router.domain;
accepted in rule 0.
logmsg: pri 275, flags 0, from cisco857w, msg 10048: 010035: Nov 19 10:33:48.037: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.120)

}

The file is mentioned in syslogd config and seems to be loaded within 
the configuration:

{

cfline("*.*                        /var/log/cisco857w.log", f, "*", "+192.168.1.1")

7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/cisco857w.log

}

The file *has* also been created under the /var/log/ dir (however, self 
creation is possible using the -C flag within the /etc/rc.conf file) and 
given 'appropriate' permission 600:

{

# ls -l /var/log | grep cisco857
-rw-------  1 root   wheel             0 Nov 18 16:32 cisco857w.log

}


So after all this looks {**perfect**}, what can this mysterious problem be??
