Alternative to syslogd that actually writes external logs to files?

Kaya Saman kayasaman at gmail.com
Mon Nov 28 23:42:29 UTC 2011


On 11/28/2011 08:58 PM, Damien Fleuriot wrote:
> On 11/28/11 7:09 PM, Kaya Saman wrote:
>> [...snip...]
>>> Properly configured, syslogd will log remotely.  However something
>>> like sysutils/rsyslog may fit your requirements better.
>>>
>>> -- 
>>> Adam Vande More
>> Thanks for that. I have tested rsyslog which is backwards compatible
>> with syslog but again something failed with that in order to write to
>> the created logfile???
>>
>
> We have absolutely no problems whatsoever with rsyslogd here.
>
> It runs on our FreeBSD firewall boxes and logs both to local files and
> a remote server running rsyslogd on debian.
>
>
>
> Additionally and in reply to your need to track what happens on your
> network, I very highly recommend Observium which we have been running
> for over 18 months now and which I use on an almost daily basis.
>
> http://www.observium.org/wiki/Main_Page
>
> The icing on the cake is that you'll be able to export your logs to
> Observium directly.
Thanks for the vote of confidence!

I have set syslogd to run on the loopback and rsyslogd to run on the 
local IP address.

Here is my config file for rsyslog:



$ModLoad immark.so   # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging
$ModLoad imklog.so   # kernel logging
$ModLoad imudp
$UDPServerAddress 192.168.1.120
$UDPServerRun 514
$RuleSet Cisco857w
#:msg, contains, "192.168.1.1"    /var/log/cisco857w.log
:fromhost-ip, isequal, "192.168.1.1"    /var/log/cisco857w.log



According to the rule anything coming in from 192.168.1.1 should be 
logged to /var/log/cisco857w.log

From rsyslog debug mode I was able to find that the rule was in place 
and should be performing properly:



0302.998028819:800c041c0: ruleset 0x800c2b0a0: rsyslog ruleset Cisco857w:
0302.998046140:800c041c0: rule 0x800c14d80: rsyslog rule:
0302.998058991:800c041c0: PROPERTY-BASED Filter:
0302.998070165:800c041c0:       Property.: 'fromhost-ip'
0302.998080781:800c041c0:       Operation: 'isequal'
0302.998099499:800c041c0:       Value....: '192.168.1.1'
0302.998109835:800c041c0:       Action...:
Actions:
0302.998127435:800c041c0: builtin-file: /var/log/cisco857w.log
0302.998143918:800c041c0:       template='/var/log/cisco857w.log'
0302.998153696:800c041c0:       use async writer=0
0302.998165150:800c041c0:       flush on TX end=1
0302.998175766:800c041c0:       flush interval=1
0302.998186661:800c041c0:       file cache size=10
0302.998198115:800c041c0:       create directories: yes
0302.998208451:800c041c0:       file owner 0, group 0
0302.998218788:800c041c0:       force chown() for all files: no
0302.998229683:800c041c0:       directory owner 0, group 0
0302.998240020:800c041c0:       dir create mode 0700, file create mode 0644
0302.998254267:800c041c0:       fail if owner/group can not be set: no


However, when using tcpdump it shows that rsyslog is in fact receiving 
information but still unfortunately not logging to file???


# tcpdump -tlnvv -i em0 port 514
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
IP (tos 0x0, ttl 255, id 1875, offset 0, flags [none], proto UDP (17), length 142)
     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
     Facility local7 (23), Severity notice (5)
     Msg: 11578: 011565: Nov 28 23:34:19.475: %SYS-5-CONFIG[|syslog]



File permissions are correct as I got rsyslog to create the file from 
scratch.

What am I missing here?

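Added example, not part of the thread and not rsyslog's own documentation: the posted configuration rearranged so that the UDP listener is explicitly bound to the Cisco857w ruleset. In rsyslog's legacy directive syntax, $RuleSet only makes the rules that follow it members of the named ruleset; an input delivers to a named ruleset only when it is bound to it with $InputUDPServerBindRuleset, which has to appear before the $UDPServerRun it applies to. An input with no binding delivers to RSYSLOG_DefaultRuleset, and a configuration like the one above has no rule for /var/log/cisco857w.log in that ruleset. The addresses, ruleset name and log path are the ones from the post; the discard line and the catch-all file /var/log/remote-other.log are assumptions added for diagnosis.

```conf
# Added example (not from the post): bind the UDP input to the ruleset.
$ModLoad immark.so   # provides --MARK-- message capability
$ModLoad imuxsock.so # local system logging
$ModLoad imklog.so   # kernel logging
$ModLoad imudp

# Everything from here to the next $RuleSet belongs to Cisco857w,
# not to the default ruleset.
$RuleSet Cisco857w
:fromhost-ip, isequal, "192.168.1.1"    /var/log/cisco857w.log
& ~
# Assumed catch-all for diagnosis: anything else reaching this ruleset.
# If the router's lines land here, the fromhost-ip filter is what is wrong.
*.*    /var/log/remote-other.log

# Return to the default ruleset so only the explicit binding below
# decides where the UDP input delivers.
$RuleSet RSYSLOG_DefaultRuleset

# Must precede $UDPServerRun; applies to every listener started after it.
$InputUDPServerBindRuleset Cisco857w
$UDPServerAddress 192.168.1.120
$UDPServerRun 514
```

Because $InputUDPServerBindRuleset stays in effect for every $UDPServerRun that follows it, keep it immediately before the single listener it is meant for. The debug output quoted above lists the rule under "ruleset Cisco857w" but says nothing about which ruleset the imudp input feeds, so it cannot distinguish a correctly declared rule from one that no input ever reaches.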