Syslog server not logging remote machines to file?
Kaya Saman
kayasaman at gmail.com
Sat Nov 19 11:20:10 UTC 2011
Hi,
I've got a really strange problem which seems to either be a bug with
the syslog server service or perhaps because I'm running jails on my
system.....
I can log my router syslog information but somehow the syslog server
doesn't put the information into the designated file, which should be
/var/log/cisco857w.log???
This is the syslog definition in my /etc/rc.conf file:
{
syslogd_enable="YES"
#syslog_flags=""
syslogd_flags="-d -b 192.168.1.120 -a 192.168.1.1/24:* -vv -C"
}
Additionally here is my /etc/syslog.conf file:
{
# $FreeBSD: src/etc/syslog.conf,v 1.30.2.1.2.1 2009/10/25 01:10:29 kensmith Exp $
#
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage.
#+server.domain
*.err;kern.warning;auth.notice;mail.crit /dev/console
*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
ftp.info /var/log/xferlog
cron.* /var/log/cron
*.=debug /var/log/debug.log
*.emerg *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.* /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.* @loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
!ppp
*.* /var/log/ppp.log
!*
+192.168.1.1
*.* /var/log/cisco857w.log
#local7.* /var/log/cisco857w.log
#!*
#+172.16.0.1
#*.*
}
uname -a shows this:
{
# uname -a
FreeBSD server.domain 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009
root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
}
The odd thing about this is that I did the same thing on a non-jailed
32bit machine running FreeBSD 8.x and the system worked fine.
In my research for the problem I have covered this material:
{
http://www.freebsd.org/doc/handbook/network-syslogd.html
http://forums.devshed.com/bsd-help-31/remote-syslog-question-router-to-freebsd-118652.html
http://www.freebsd.org/doc/handbook/network-syslogd.html
http://www.daemonforums.org/showthread.php?t=2968
http://bsd.dischaos.com/2009/02/25/logging-cisco-ios-messages-to-external-freebsd-syslog/
http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2007-02/msg00384.html
http://plone.lucidsolutions.co.nz/networking/cisco/ios/logging-to-a-syslog-or-rsyslog-host-from-cisco-ios
http://lists.nycbug.org/pipermail/talk/2007-April/010091.html
http://www.freebsdonline.com/content/view/527/506/
}
They all seem to say more or less the same thing: that either putting the
{
+192.168.1.1
*.* /var/log/cisco857w.log
or
local7.* /var/log/cisco857w.log
}
statements either at the top of the file or changing the syntax slightly
using a + between machines should do the trick; however, none of the
things I tried have worked from any of the material mentioned above!
Here is my debug information:
{
# tcpdump -tlnvv -i em0 port 514
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
IP (tos 0x0, ttl 255, id 337, offset 0, flags [none], proto UDP (17), length 122)
    192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
    Facility local7 (23), Severity debug (7)
    Msg: 10040: 010027: Nov 19 10:28:04.322: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 338, offset 0, flags [none], proto UDP (17), length 122)
    192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
    Facility local7 (23), Severity debug (7)
    Msg: 10041: 010028: Nov 19 10:28:04.326: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 339, offset 0, flags [none], proto UDP (17), length 142)
    192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
    Facility local7 (23), Severity notice (5)
    Msg: 10042: 010029: Nov 19 10:28:04.770: %SYS-5-CONFIG[|syslog]
IP (tos 0x0, ttl 255, id 340, offset 0, flags [none], proto UDP (17), length 122)
    192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
    Facility local7 (23), Severity debug (7)
    Msg: 10043: 010030: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 341, offset 0, flags [none], proto UDP (17), length 122)
    192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
    Facility local7 (23), Severity debug (7)
    Msg: 10044: 010031: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 342, offset 0, flags [none], proto UDP (17), length 189)
    192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 161
    Facility local7 (23), Severity info (6)
    Msg: 10045: 010032: Nov 19 10:30:36.455: %DOT11-6-ASSO[|syslog]
IP (tos 0x0, ttl 255, id 343, offset 0, flags [none], proto UDP (17), length 203)
    192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 175
    Facility local7 (23), Severity info (6)
    Msg: 10046: 010033: Nov 19 10:30:47.643: %DOT11-6-DISA[|syslog]
--------------------------
# /etc/rc.d/syslogd restart
syslogd not running? (check /var/run/syslog.pid).
Starting syslogd.
allowaddr: rule 0: numeric, addr = 192.168.1.0, mask = 255.255.255.0; port = 0
listening on inet and/or inet6 socket
sending on inet and/or inet6 socket
off & running....
init
cfline("*.err;kern.warning;auth.notice;mail.crit /dev/console", f, "*", "+Server.domain")
cfline("*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages", f, "*", "+Server.domain")
cfline("security.* /var/log/security", f, "*", "+Server.domain")
cfline("auth.info;authpriv.info /var/log/auth.log", f, "*", "+Server.domain")
cfline("mail.info /var/log/maillog", f, "*", "+Server.domain")
cfline("lpr.info /var/log/lpd-errs", f, "*", "+Server.domain")
cfline("ftp.info /var/log/xferlog", f, "*", "+Server.domain")
cfline("cron.* /var/log/cron", f, "*", "+Server.domain")
cfline("*.=debug /var/log/debug.log", f, "*", "+Server.domain")
cfline("*.emerg *", f, "*", "+Server.domain")
cfline("*.* /var/log/ppp.log", f, "ppp", "+Server.domain")
cfline("*.* /var/log/cisco857w.log", f, "*", "+192.168.1.1")
4 3 2 3 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X CONSOLE: /dev/console
7 5 2 5 5 5 6 3 5 5 X 5 5 5 5 5 5 5 5 5 5 5 5 X X FILE: /var/log/messages
X X X X X X X X X X X X X 7 X X X X X X X X X X X FILE: /var/log/security
X X X X 6 X X X X X 6 X X X X X X X X X X X X X X FILE: /var/log/auth.log
X X 6 X X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/maillog
X X X X X X 6 X X X X X X X X X X X X X X X X X X FILE: /var/log/lpd-errs
X X X X X X X X X X X 6 X X X X X X X X X X X X X FILE: /var/log/xferlog
X X X X X X X X X 7 X X X X X X X X X X X X X X X FILE: /var/log/cron
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/debug.log
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/ppp.log (ppp)
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/cisco857w.log
logmsg: pri 56, flags 4, from Server, msg syslogd: restart
syslogd: restarted
logmsg: pri 6, flags 4, from Server, msg syslogd: kernel boot file is /boot/kernel/kernel
Logging to FILE /var/log/messages
syslogd: kernel boot file is /boot/kernel/kernel
logmsg: pri 166, flags 17, from Server, msg Nov 19 12:33:34 <syslog.err> Server syslogd: exiting on signal 2
cvthname(192.168.1.1)
validate: dgram from IP 192.168.1.1, port 59189, name router.domain; accepted in rule 0.
logmsg: pri 275, flags 0, from cisco857w, msg 10048: 010035: Nov 19 10:33:48.037: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.120)
}
As can be seen the server accepts the messages from the gateway but
unfortunately doesn't log them to the file defined in /etc/syslog.conf?
Can anyone help with this???
Am I missing something or is it a bug?
These are the file permissions, set to 600; as can be seen, no data has
been logged at all:
{
# ls -l /var/log/cisco857w.log
-rw------- 1 root wheel 0 Nov 18 16:32 /var/log/cisco857w.log
}
Regards,
Kaya