Alternative to syslogd that actually writes external logs to
kayasaman at gmail.com
Mon Nov 28 23:42:29 UTC 2011
On 11/28/2011 08:58 PM, Damien Fleuriot wrote:
> On 11/28/11 7:09 PM, Kaya Saman wrote:
>>> Properly configured, syslogd will log remotely. However something
>>> like sysutils/rsyslog may fit your requirements better.
>>> Adam Vande More
>> Thanks for that. I have tested rsyslog which is backwards compatible
>> with syslog but again something failed with that in order to write to
>> the created logfile???
> We have absolutely no problems whatsoever with rsyslogd here.
> It runs on our FreeBSD firewall boxes and logs both to local files and
> a remote server running rsyslogd on debian.
> Additionally and in reply to your need to track what happens on your
> network, I very highly recommend Observium which we have been running
> for over 18 months now and which I use on an almost daily basis.
> The icing on the cake is that you'll be able to export your logs to
> Observium directly.
Thanks for the vote of confidence!
I have set syslogd to run on the loopback and rsyslogd to run on the
local IP address.
Here is my config file for rsyslog:
$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging
$ModLoad imklog.so # kernel logging
#:msg, contains, "192.168.1.1" /var/log/cisco857w.log
:fromhost-ip, isequal, "192.168.1.1" /var/log/cisco857w.log
According to the rule, anything coming in from 192.168.1.1 should be
logged to /var/log/cisco857.log.
From rsyslog debug mode I was able to find that the rule was in place
and should be performing properly:
0302.998028819:800c041c0: ruleset 0x800c2b0a0: rsyslog ruleset Cisco857w:
0302.998046140:800c041c0: rule 0x800c14d80: rsyslog rule:
0302.998058991:800c041c0: PROPERTY-BASED Filter:
0302.998070165:800c041c0: Property.: 'fromhost-ip'
0302.998080781:800c041c0: Operation: 'isequal'
0302.998099499:800c041c0: Value....: '192.168.1.1'
0302.998127435:800c041c0: builtin-file: /var/log/cisco857w.log
0302.998153696:800c041c0: use async writer=0
0302.998165150:800c041c0: flush on TX end=1
0302.998175766:800c041c0: flush interval=1
0302.998186661:800c041c0: file cache size=10
0302.998198115:800c041c0: create directories: yes
0302.998208451:800c041c0: file owner 0, group 0
0302.998218788:800c041c0: force chown() for all files: no
0302.998229683:800c041c0: directory owner 0, group 0
0302.998240020:800c041c0: dir create mode 0700, file create mode 0644
0302.998254267:800c041c0: fail if owner/group can not be set: no
However, when using tcpdump it shows that rsyslog is in fact receiving
information but still unfortunately not logging to file???
# tcpdump -tlnvv -i em0 port 514
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96
IP (tos 0x0, ttl 255, id 1875, offset 0, flags [none], proto UDP (17),
192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
Facility local7 (23), Severity notice (5)
Msg: 11578: 011565: Nov 28 23:34:19.475: %SYS-5-CONFIG[|syslog]
File permissions are correct as I got rsyslog to create the file from
What am I missing here?
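
Added example, not part of the original message and not rsyslog's own code: a small Python check of a legacy-format rsyslog configuration that flags a fromhost-ip filter when no network input module (imudp/imtcp) or listener directive is configured. It assumes the five directives quoted in the message are the whole configuration, which the message does not state; audit() and the pattern names are illustrative.

```python
import re

# Constructed input: only the directives quoted in the post above.
POSTED_CONF = '''\
$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging
$ModLoad imklog.so # kernel logging
#:msg, contains, "192.168.1.1" /var/log/cisco857w.log
:fromhost-ip, isequal, "192.168.1.1" /var/log/cisco857w.log
'''

MODLOAD = re.compile(r'^\$ModLoad\s+(\S+?)(?:\.so)?$', re.I)
LISTEN = re.compile(r'^\$(UDPServerRun|InputTCPServerRun)\s+(\d+)$', re.I)
PROP = re.compile(r'^:([\w-]+)\s*,\s*(!?\w+)\s*,\s*"([^"]*)"\s+(\S+)$')
NET_INPUTS = {'imudp', 'imtcp'}   # modules that receive syslog from the network

def audit(conf_text):
    """Return loaded modules, listeners, property filters and findings."""
    modules, listeners, filters, findings = [], [], [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                      # blank line or commented-out rule
        if line.startswith('$'):
            line = line.split('#', 1)[0].strip()   # drop trailing comment
            if m := MODLOAD.match(line):
                modules.append(m.group(1).lower())
            elif m := LISTEN.match(line):
                listeners.append((m.group(1), int(m.group(2))))
        elif m := PROP.match(line):
            filters.append(dict(zip(('prop', 'op', 'value', 'action'), m.groups())))
    for f in filters:
        if f['prop'] not in ('fromhost', 'fromhost-ip'):
            continue                      # only source-host filters need a network input
        if not NET_INPUTS & set(modules):
            findings.append(f"{f['action']}: filter on {f['prop']} but no "
                            "network input module (imudp/imtcp) is loaded")
        elif not listeners:
            findings.append(f"{f['action']}: input module loaded but no "
                            "$UDPServerRun/$InputTCPServerRun listener")
    return {'modules': modules, 'listeners': listeners,
            'filters': filters, 'findings': findings}

if __name__ == '__main__':
    for finding in audit(POSTED_CONF)['findings']:
        print('FINDING:', finding)
```
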