Alternative to syslogd that actually writes external logs to files?
Kaya Saman
kayasaman at gmail.com
Mon Nov 28 18:09:48 UTC 2011
[...snip...]
> Properly configured, syslogd will log remotely. However something
> like sysutils/rsyslog may fit your requirements better.
>
> --
> Adam Vande More
Thanks for that. I have tested rsyslog, which is backwards compatible with syslog, but again something failed with that in order to write to the created logfile???
Here is my config just in case something hinky can be seen; although I have already posted it (with minimal responses) under the heading: Syslog server not logging remote machines to file? {basically please don't lynch me for double posting!!}
/etc/rc.conf
syslogd_enable="YES"
syslog_flags=""
syslogd_flags="-b 192.168.1.120 -a 192.168.1.1/24:* -C"
#syslogd_flags="-d -b 192.168.1.120 -a 192.168.1.1/24:* -vv -C"
#syslogd_flags="-c"
#rsyslogd_enable="YES"
#rsyslogd_pidfile="/var/run/syslog.pid"
#rsyslogd_config="/etc/syslog.conf"
#rsyslogd_klog_enable="YES"
#rsyslogd_flags="-d"
The extra addition to /etc/syslog.conf under the ppp statement:
!*
+192.168.1.1
*.* /var/log/cisco857w.log
Debug from tcpdump:
# tcpdump -tlnvv -i em0 port 514
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
IP (tos 0x0, ttl 255, id 337, offset 0, flags [none], proto UDP (17), length 122)
192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
Facility local7 (23), Severity debug (7)
Msg: 10040: 010027: Nov 19 10:28:04.322: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 338, offset 0, flags [none], proto UDP (17), length 122)
192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
Facility local7 (23), Severity debug (7)
Msg: 10041: 010028: Nov 19 10:28:04.326: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 339, offset 0, flags [none], proto UDP (17), length 142)
192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 114
Facility local7 (23), Severity notice (5)
Msg: 10042: 010029: Nov 19 10:28:04.770: %SYS-5-CONFIG[|syslog]
IP (tos 0x0, ttl 255, id 340, offset 0, flags [none], proto UDP (17), length 122)
192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
Facility local7 (23), Severity debug (7)
Msg: 10043: 010030: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 341, offset 0, flags [none], proto UDP (17), length 122)
192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 94
Facility local7 (23), Severity debug (7)
Msg: 10044: 010031: Nov 19 10:30:30.672: ISAKMP:(0): S[|syslog]
IP (tos 0x0, ttl 255, id 342, offset 0, flags [none], proto UDP (17), length 189)
192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 161
Facility local7 (23), Severity info (6)
Msg: 10045: 010032: Nov 19 10:30:36.455: %DOT11-6-ASSO[|syslog]
IP (tos 0x0, ttl 255, id 343, offset 0, flags [none], proto UDP (17), length 203)
192.168.1.1.59189 > 192.168.1.120.514: SYSLOG, length: 175
Facility local7 (23), Severity info (6)
Msg: 10046: 010033: Nov 19 10:30:47.643: %DOT11-6-DISA[|syslog]
Debug from syslogd:
# /etc/rc.d/syslogd restart
syslogd not running? (check /var/run/syslog.pid).
Starting syslogd.
allowaddr: rule 0: numeric, addr = 192.168.1.0, mask = 255.255.255.0; port = 0
listening on inet and/or inet6 socket
sending on inet and/or inet6 socket
off & running....
init
cfline("*.err;kern.warning;auth.notice;mail.crit /dev/console", f, "*", "+Server.domain")
cfline("*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages", f, "*", "+Server.domain")
cfline("security.* /var/log/security", f, "*", "+Server.domain")
cfline("auth.info;authpriv.info /var/log/auth.log", f, "*", "+Server.domain")
cfline("mail.info /var/log/maillog", f, "*", "+Server.domain")
cfline("lpr.info /var/log/lpd-errs", f, "*", "+Server.domain")
cfline("ftp.info /var/log/xferlog", f, "*", "+Server.domain")
cfline("cron.* /var/log/cron", f, "*", "+Server.domain")
cfline("*.=debug /var/log/debug.log", f, "*", "+Server.domain")
cfline("*.emerg *", f, "*", "+Server.domain")
cfline("*.* /var/log/ppp.log", f, "ppp", "+Server.domain")
cfline("*.* /var/log/cisco857w.log", f, "*", "+192.168.1.1")
4 3 2 3 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X CONSOLE: /dev/console
7 5 2 5 5 5 6 3 5 5 X 5 5 5 5 5 5 5 5 5 5 5 5 X X FILE: /var/log/messages
X X X X X X X X X X X X X 7 X X X X X X X X X X X FILE: /var/log/security
X X X X 6 X X X X X 6 X X X X X X X X X X X X X X FILE: /var/log/auth.log
X X 6 X X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/maillog
X X X X X X 6 X X X X X X X X X X X X X X X X X X FILE: /var/log/lpd-errs
X X X X X X X X X X X 6 X X X X X X X X X X X X X FILE: /var/log/xferlog
X X X X X X X X X 7 X X X X X X X X X X X X X X X FILE: /var/log/cron
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/debug.log
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/ppp.log (ppp)
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/cisco857w.log
logmsg: pri 56, flags 4, from Server, msg syslogd: restart
syslogd: restarted
logmsg: pri 6, flags 4, from Server, msg syslogd: kernel boot file is /boot/kernel/kernel
Logging to FILE /var/log/messages
syslogd: kernel boot file is /boot/kernel/kernel
logmsg: pri 166, flags 17, from Server, msg Nov 19 12:33:34 <syslog.err> Server syslogd: exiting on signal 2
cvthname(192.168.1.1)
validate: dgram from IP 192.168.1.1, port 59189, name router.domain; accepted in rule 0.
logmsg: pri 275, flags 0, from cisco857w, msg 10048: 010035: Nov 19 10:33:48.037: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.120)
And finally permissions for the log file to be 'logged' to:
# ls -l /var/log/cisco857w.log
-rw------- 1 root wheel 0 Nov 18 16:32 /var/log/cisco857w.log
I actually tried the same setup with rsyslog and even amended the file as such:
!Cisco857w
:fromhost-ip, isequal, "192.168.1.1" /var/log/cisco857w.log
while commenting out the rest of the legacy syslogd information regarding the device at hand. But still, unfortunately, no luck :-(
I really need to get this going, as I need to be able to track what's going on at the network level.
Thanks to Robert Bonomi, the error was thought to be here: logmsg: pri 275, with the log priority value. I did manage to change that using the Cisco command logging facility kern, to give the message a 'higher' priority value, which output this:
accepted in rule 0.
logmsg: pri 15, flags 0, from cisco857w, msg 10146: 010133: Nov 19 23:05:54.538: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.0.53
but whatever happens, it doesn't even try to attempt to log the information to file after receiving it...
Regards,
Kaya
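An added worked example, not part of Kaya's message and not FreeBSD's syslogd source: a small Python script that decodes the PRI values appearing in the post, checks them against the priority matrix that syslogd -d printed, and compares the sender name with the +host selector from syslog.conf. It assumes that syslogd's "logmsg: pri" debug field is printed in octal (so 275 reads as decimal 189, local7.notice, the same facility and severity tcpdump decoded on the wire for the %SYS-5-CONFIG_I packet), and it models the host selector as a plain case-insensitive string comparison against the name syslogd reports in "from"; both assumptions should be checked against syslog.conf(5) and syslogd(8) for the release in use. The sample lines are constructed from the output quoted above.

```python
import re

# Severity and facility names as numbered in RFC 3164 / <sys/syslog.h>.
# Facilities 12-15 are named differently per platform; these follow FreeBSD.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "reserved15"] + [f"local{i}" for i in range(8)]

# Sample lines constructed from the post's tcpdump and syslogd -d output.
TCPDUMP_LINE = "Facility local7 (23), Severity debug (7)"
DEBUG_LINE = ("logmsg: pri 275, flags 0, from cisco857w, msg 10048: 010035: "
              "Nov 19 10:33:48.037: %SYS-5-CONFIG_I: Configured from console")
MESSAGES_LINE = "7 5 2 5 5 5 6 3 5 5 X 5 5 5 5 5 5 5 5 5 5 5 5 X X FILE: /var/log/messages"
CISCO_LINE = "7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/cisco857w.log"
HOST_SELECTOR = "+192.168.1.1"   # the selector line from the post's syslog.conf


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name).

    PRI = facility * 8 + severity. Facility numbers above 23 are not defined,
    so 275 taken as a decimal value is rejected (facility 34).
    """
    facility, severity = divmod(pri, 8)
    if facility >= len(FACILITIES):
        raise ValueError(f"PRI {pri}: facility {facility} is not defined (max 23)")
    return FACILITIES[facility], SEVERITIES[severity]


def decode_debug_pri(field):
    """Decode the number after 'logmsg: pri' in syslogd -d output.

    Assumption: syslogd prints that field with %o (octal), so '275' is
    decimal 189 = local7.notice, matching what tcpdump decoded.
    """
    return decode_pri(int(field, 8))


LOGMSG_RE = re.compile(r"logmsg: pri (\d+), flags \w+, from (\S+), msg ")

def parse_logmsg_debug(line):
    """Return (decimal PRI, sender name) from a 'logmsg:' debug line."""
    m = LOGMSG_RE.search(line)
    if not m:
        raise ValueError("not a logmsg debug line")
    return int(m.group(1), 8), m.group(2)


TCPDUMP_RE = re.compile(r"Facility \w+ \((\d+)\), Severity \w+ \((\d+)\)")

def pri_from_tcpdump(line):
    """Rebuild the numeric PRI from a tcpdump 'Facility ... Severity ...' line."""
    m = TCPDUMP_RE.search(line)
    if not m:
        raise ValueError("no facility/severity in line")
    return int(m.group(1)) * 8 + int(m.group(2))


def pmask_accepts(matrix_line, pri):
    """Check one line of syslogd's priority matrix against a PRI.

    Each of the 25 cells is the highest severity number logged for that
    facility (kern in column 0, local7 in column 23), or X for none.
    """
    cells = matrix_line.split()[:25]
    facility, severity = divmod(pri, 8)
    cell = cells[facility]
    return cell != "X" and severity <= int(cell)


def host_selector_matches(selector, sender):
    """Simplified model of a syslog.conf host block (an assumption, see the
    lead-in): '+a,b' lists senders the following lines apply to, '-a,b'
    excludes them, '*' matches everyone; names are compared as strings.
    """
    if selector.strip() == "*":
        return True
    sign = selector[0]
    hosts = [h.strip().lower() for h in selector[1:].split(",")]
    hit = sender.lower() in hosts
    return hit if sign == "+" else not hit


if __name__ == "__main__":
    pri, sender = parse_logmsg_debug(DEBUG_LINE)
    print("debug PRI 275 (octal) ->", pri, decode_pri(pri))
    print("tcpdump PRI ->", pri_from_tcpdump(TCPDUMP_LINE), decode_pri(191))
    print("cisco857w.log matrix accepts local7.notice:", pmask_accepts(CISCO_LINE, pri))
    print("/var/log/messages accepts local7.notice:", pmask_accepts(MESSAGES_LINE, pri))
    print(f"selector {HOST_SELECTOR!r} matches sender {sender!r}:",
          host_selector_matches(HOST_SELECTOR, sender))
```

Run as a script it walks through the post's own numbers: the facility mask for /var/log/cisco857w.log accepts local7 at any severity, so the priority matrix is not what drops the message; the only remaining difference between what syslogd saw and what the config asks for is the sender name in "from" versus the address in the +host line.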