syslog from Cisco -> FreeBSD - SOLVED

Ewald Jenisch a at
Tue Feb 6 15:29:32 UTC 2007


First of all thanks much to all who responded so quickly to my
question about setting up syslogging in order to accept messages from
Cisco (remote) boxes. 

I could finally get that thing going. Here's what I did - maybe this
is of help to others running into similar problems:

1) In order for syslogd to accept messages from remote machines you've
got to use the "-a"-flag. Here's what I've got in my /etc/rc.conf:


Don't forget the "*" - it makes sure that syslogd accepts UDP packets
from *every* port on the remote machine, not just the
syslog-port. Typically Cisco-boxes seem to have a high-order
source-port in their syslog-messages.

2) /etc/syslog.conf:
Make sure that the "local7"-messages coming from Cisco boxes aren't
logged multiple times. Typically the vanilla /etc/syslog.conf coming
with FreeBSD has the following line in /etc/syslog.conf (near the top
of the file):

*.notice;authpriv.none;kern.debug;;mail.crit;news.err /var/log/messages

change this to read

*.notice;local7.none;authpriv.none;kern.debug;;mail.crit;news.err       /var/log/messages

This makes sure that any syslog-messages with the local7 facility
don't get written to /var/log/messages.

Get to the end of syslog.conf. Here you'll find something like

*.*                                             /var/log/ppp.log

This is the setup for log-entries from ppp. You've got to add the
following line:


This resets logging as per man syslog.conf(5): "A program or hostname
specification may be reset by giving the program or hostname as `*'."
Without that line the lines that you add for your Cisco logging at the
end of the file (see below) will only be triggered when coming from
the ppp program which almost never is the case. (You can check this
using the debug-option of syslogd - see below)

3) Add your log-setup for cisco devices at the end of syslog.conf like

local7.*                /var/log/Syslog/cisco-syslog

4) Touch and "chmod 600" the logfile mentioned above

5) Restart syslogd: /etc/rc.d/syslogd restart

Final thoughts & caveats:

1) Use <TAB>s to separate the entries in /etc/syslog.conf

2) Running syslog in debug-mode (i.e. syslogd_flags="-d..." in
/etc/rc.conf) is a very helpful tool in tracking down problems. It
keeps syslogd running in the foreground and logs very helpful
information to the console.

Be aware though, that syslogd in debug-mode is behaving somewhat
differently. It e.g. seems to ignore the "-a ..." flags that are
otherwise necessary in order for syslog to accept messages from remote
machines, i.e. accepting messages from everywhere even without the -a

Hope this little recipe helps others going...

Thanks again for all your help,

More information about the freebsd-questions mailing list
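
An added example, not part of the original post: a small Python check for the two syslog.conf pitfalls described in step 2, local7 also landing in /var/log/messages and a Cisco rule left inside the ppp program block. The sample configs and function names are constructed for illustration, selector matching is simplified (levels are ignored except "none"), and the reset line "!*" follows the syslog.conf(5) sentence quoted in the post.

```python
import re

# Constructed sample: the Cisco rule appended after the ppp block,
# with no reset of the program specification and no local7.none.
BROKEN = (
    "*.notice;authpriv.none;kern.debug;mail.crit;news.err\t/var/log/messages\n"
    "!ppp\n"
    "*.*\t/var/log/ppp.log\n"
    "local7.*\t/var/log/Syslog/cisco-syslog\n"
)
# Constructed sample: local7.none added and the program block reset with "!*".
FIXED = (
    "*.notice;local7.none;authpriv.none;kern.debug;mail.crit;news.err\t/var/log/messages\n"
    "!ppp\n"
    "*.*\t/var/log/ppp.log\n"
    "!*\n"
    "local7.*\t/var/log/Syslog/cisco-syslog\n"
)

def selects(selector, facility):
    """Simplified: does the selector pass `facility` at some level?
    Later ';'-separated parts override earlier ones; 'none' excludes."""
    hit = False
    for part in filter(None, selector.split(";")):
        facs, _, level = part.rpartition(".")
        if "*" in facs.split(",") or facility in facs.split(","):
            hit = level != "none"
    return hit

def destinations(conf_text, facility="local7"):
    """Return [(action, program_scope)] for every rule selecting `facility`."""
    program, out = "*", []
    for raw in conf_text.splitlines():
        line = raw.strip()
        spec = re.match(r"#?!\s*(\S+)", line)
        if spec:                      # "!prog" opens a block, "!*" resets it
            program = spec.group(1)
            continue
        if not line or line.startswith(("#", "+", "-")):
            continue                  # comments and host specs are not modelled
        fields = line.split(None, 1)
        if len(fields) == 2 and selects(fields[0], facility):
            out.append((fields[1].strip(), program))
    return out

def reachable(conf_text, facility="local7"):
    """Files a remote device's message reaches: only rules outside any
    program block, since its program tag will not match e.g. !ppp."""
    return [a for a, prog in destinations(conf_text, facility) if prog == "*"]
```

Running reachable() against the real /etc/syslog.conf contents before restarting syslogd shows whether the Cisco rule is still scoped to another program's block.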