Alternative to syslogd that actually writes external logs to files?

Kaya Saman kayasaman at gmail.com
Mon Nov 28 18:09:48 UTC 2011 

[...snip...]
> Properly configured, syslogd will log remotely.  However something 
> like sysutils/rsyslog may fit your requirements better.
>
> -- 
> Adam Vande More

Thanks for that. I have tested rsyslog which is backwards compatible 
with syslog but again something failed with that in order to write to 
the created logfile???


Here is my config just incase something hinky can be seen; although have 
already posted it (with minimal responses) in a heading: Syslog server 
not logging remote machines to file? {basically please don't lynch me 
for double posting!!}


/etc/rc.conf

syslogd_enable="YES"
syslog_flags=""
syslogd_flags="-b 192.168.1.120 -a 192.168.1.1/24:* -C"
#syslogd_flags="-d -b 192.168.1.120 -a 192.168.1.1/24:* -vv -C"
#syslogd_flags="-c"
#rsyslogd_enable="YES"
#rsyslogd_pidfile="/var/run/syslog.pid"
#rsyslogd_config="/etc/syslog.conf"
#rsyslogd_klog_enable="YES"
#rsyslogd_flags="-d"


The extra addition to /etc/syslog.conf under the ppp statement

!*
+192.168.1.1
*.*                        /var/log/cisco857w.log


Debug from tcpdump:


# tcpdump -tlnvv -i em0 port 514
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 
bytes
IP (tos 0x0, ttl 255, id 337, offset 0, flags [none], proto UDP (17), 
length 122)
     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
     Facility local7 (23), Severity debug (7)
     Msg: 10040: 010027: Nov 19 10:28:04.322: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 338, offset 0, flags [none], proto UDP (17), 
length 122)
     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
     Facility local7 (23), Severity debug (7)
     Msg: 10041: 010028: Nov 19 10:28:04.326: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 339, offset 0, flags [none], proto UDP (17), 
length 142)
     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
     Facility local7 (23), Severity notice (5)
     Msg: 10042: 010029: Nov 19 10:28:04.770: %SYS-5-CONFIG[|syslog]
IP (tos 0x0, ttl 255, id 340, offset 0, flags [none], proto UDP (17), 
length 122)
     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
     Facility local7 (23), Severity debug (7)
     Msg: 10043: 010030: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 341, offset 0, flags [none], proto UDP (17), 
length 122)
     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
     Facility local7 (23), Severity debug (7)
     Msg: 10044: 010031: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 342, offset 0, flags [none], proto UDP (17), 
length 189)
     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 161
     Facility local7 (23), Severity info (6)
     Msg: 10045: 010032: Nov 19 10:30:36.455: %DOT11-6-ASSO[|syslog]
IP (tos 0x0, ttl 255, id 343, offset 0, flags [none], proto UDP (17), 
length 203)
     192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 175
     Facility local7 (23), Severity info (6)
     Msg: 10046: 010033: Nov 19 10:30:47.643: %DOT11-6-DISA[|syslog]



Debug from syslogd:



# /etc/rc.d/syslogd restart
syslogd not running? (check /var/run/syslog.pid).
Starting syslogd.
allowaddr: rule 0: numeric, addr = 192.168.1.0, mask = 255.255.255.0; 
port = 0
listening on inet and/or inet6 socket
sending on inet and/or inet6 socket
off & running....
init
cfline("*.err;kern.warning;auth.notice;mail.crit        /dev/console", 
f, "*", "+Server.domain")
cfline("*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err    
/var/log/messages", f, "*", "+Server.domain")
cfline("security.*                    /var/log/security", f, "*", 
"+Server.domain")
cfline("auth.info;authpriv.info                /var/log/auth.log", f, 
"*", "+Server.domain")
cfline("mail.info                    /var/log/maillog", f, "*", 
"+Server.domain")
cfline("lpr.info                    /var/log/lpd-errs", f, "*", 
"+Server.domain")
cfline("ftp.info                    /var/log/xferlog", f, "*", 
"+Server.domain")
cfline("cron.*                        /var/log/cron", f, "*", 
"+Server.domain")
cfline("*.=debug                    /var/log/debug.log", f, "*", 
"+Server.domain")
cfline("*.emerg                        *", f, "*", "+Server.domain")
cfline("*.*                        /var/log/ppp.log", f, "ppp", 
"+Server.domain")
cfline("*.*                        /var/log/cisco857w.log", f, "*", 
"+192.168.1.1")
4 3 2 3 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X CONSOLE: /dev/console
7 5 2 5 5 5 6 3 5 5 X 5 5 5 5 5 5 5 5 5 5 5 5 X X FILE: /var/log/messages
X X X X X X X X X X X X X 7 X X X X X X X X X X X FILE: /var/log/security
X X X X 6 X X X X X 6 X X X X X X X X X X X X X X FILE: /var/log/auth.log
X X 6 X X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/maillog
X X X X X X 6 X X X X X X X X X X X X X X X X X X FILE: /var/log/lpd-errs
X X X X X X X X X X X 6 X X X X X X X X X X X X X FILE: /var/log/xferlog
X X X X X X X X X 7 X X X X X X X X X X X X X X X FILE: /var/log/cron
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/debug.log
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/ppp.log 
(ppp)
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: 
/var/log/cisco857w.log
logmsg: pri 56, flags 4, from Server, msg syslogd: restart
syslogd: restarted
logmsg: pri 6, flags 4, from Server, msg syslogd: kernel boot file is 
/boot/kernel/kernel
Logging to FILE /var/log/messages
syslogd: kernel boot file is /boot/kernel/kernel
logmsg: pri 166, flags 17, from Server, msg Nov 19 12:33:34 <syslog.err> 
Server syslogd: exiting on signal 2
cvthname(192.168.1.1)
validate: dgram from IP 192.168.1.1, port 59189, name router.domain;
accepted in rule 0.
logmsg: pri 275, flags 0, from cisco857w, msg 10048: 010035: Nov 19 
10:33:48.037: %SYS-5-CONFIG_I: Configured from console by admin on vty0 
(192.168.1.120)




And finally permissions for the log file to be 'logged' to:



# ls -l /var/log/cisco857w.log
-rw-------  1 root  wheel  0 Nov 18 16:32 /var/log/cisco857w.log





I actually tried the same setup with rsyslog and even amended the file 
as such:



!Cisco857w
:fromhost-ip, isequal, "192.168.1.1"    /var/log/cisco857w.log



while commenting out the rest of the legacy syslogd information 
regarding the device at hand. But still unfortunately no luck :-(


I really need to get this going as I need to be able to track what's 
going on at the network level.


Thanks to Robert Bonomi, the error was thought to be here: logmsg: pri 
275 with the log priority value. I did manage to change that using the 
Cisco command: logging facility kern - to give the message a 'higher' 
priority value of which outputted this:



accepted in rule 0.
logmsg: pri 15, flags 0, from cisco857w, msg 10146: 010133: Nov 19 
23:05:54.538: %SYS-5-CONFIG_I: Configured from console by admin on vty0 
(192.168.0.53



but whatever happens it doesn't even try to attempt to log the 
information to file after receiving it.......




Regards,



Kaya

More information about the freebsd-questions mailing list