[nycbug-talk] FreeBSD syslog.conf quickie

Kevin Reiter KReiter at insidefsi.net
Thu Apr 5 13:10:00 EDT 2007


talk-bounces at lists.nycbug.org wrote:
: Rodrique Heron wrote:
:: Kevin Reiter wrote:
::: All,
::: 
::: A quick question on the syntax for defining a remote system logging
::: to a remote syslog server. 
::: 
::: I have a number of routers I want to send their syslogs to a FreeBSD
::: system.  I've checked all the firewall rules and know that not to be
::: a problem.  My question is, in the syslog.conf file itself, how do I
::: define a host to log to a specific logfile?  I've RTFM, checked
::: Google, and checked everything else I thought might have been
::: mucking up the waters, but can't seem to get this straight.
::: 
::: I'm looking to get all syslogs for hostname "ssr" to go to
::: /var/log/router.log 
::: 
::: In my /etc/syslog.conf, I have the following entry:
::: 
::: +ssr.*                 /var/log/router.log
::: 
::: From man 5 syslog.conf:
::: 
::: A hostname specification of the form `#+hostname' or `+hostname'
::: means the following blocks will be applied to messages received
::: from the specified hostname.  Alternatively, the hostname
::: specification `#-hostname' or `-hostname' causes the following
::: blocks to be applied to messages from any host but the one
::: specified.  If the hostname is given as `@', the local hostname
::: will be used.  As for program specifications, multiple
::: comma-separated values may be specified for hostname
::: specifications.  
::: 
::: I've tried using +ssr, +ssr.*, and a few other variations with no
::: luck. 
::: 
::: Am I just reading the examples wrong?  (In my defense, I've had a
::: headache for the past 3 days, which hasn't helped..)
::: 
::: Thanks,
::: Kev
::: 
::: 
::: _______________________________________________
::: % NYC*BUG talk mailing list
::: http://lists.nycbug.org/mailman/listinfo/talk
::: %Be sure to check out our Jobs and NYCBUG-announce lists
::: %We meet the first Wednesday of the month
::: 
::: 
:: Use minirsyslogd instead, I don't know why BSD syslog won't work.
:: I created /var/log/cisco/{device1,device2}; replace device with the
:: IP address of your switch or router.
:: 
:: in == /etc/rc.conf ==
:: minirsyslog_enable="YES"
:: minirsyslog_flags="--rootdir /var/log/cisco --umask 022"
:: 
:: syslogd_enable="YES"
:: syslogd_flags="-ss -b 192.168.2.1"
:: 
:: That works for me, minirsyslog only writes when the buffer is full,
:: so you may not see events right away.
: 
: Thanks, but I'd rather use the built-in syslogd for this, without
: having to install anything else.  I know it *should* work, once I get
: the right syntax for the configs figured out.  
: 
: I've changed rc.conf to include:
: syslogd_flags="-b loghost.intranet.com -a ip_of_router:* -a ssr:* -a ssr"
: 
: (ssr being the hostname of the router that resolves via DNS)
: 
: Restarted syslogd, but still nothing.
: 
: root at darkhorse [~]# ls -l /var/log/router.log
: -rw-r--r--  1 root  wheel  64 Apr  5 00:00 /var/log/router.log
: 
: root at darkhorse [~]# sockstat | grep 514
: root     syslogd    21191 6  udp4   my_ip:514      *:*
: 
: ## Router logging starts
: +ssr
: *.*              /var/log/router.log
: ## Router logging ends
: 
: 
: Am I missing something?

OK, I now see messages from my test system, but they're showing up in /var/log/messages as opposed to the logfile I specified in /etc/syslog.conf:

root at tracker [~]# cat /var/log/messages | grep darkhorse

Apr  5 12:01:09 darkhorse kevin: testing123
Apr  5 12:01:44 darkhorse kevin: testing1234
Apr  5 12:04:25 darkhorse kevin: test 1234
Apr  5 12:06:05 darkhorse kevin: test 12
Apr  5 12:07:37 darkhorse kevin: why are they showing up in messages?
Apr  5 12:29:07 darkhorse kevin: why are they showing up in messages instead of darkhorse?
Apr  5 12:34:08 darkhorse kevin: hmmm...
Apr  5 12:58:46 darkhorse kevin: another test

Here is what I have configured on my test syslog server:

Darkhorse = host sending syslog entries to syslog server
Tracker = test syslog server

root at tracker [~]# ls -l /var/log/darkhorse.log
-rw-r--r--  1 root  wheel  5 Apr  5 11:37 /var/log/darkhorse.log
(It's readable by others so a Perl script I have parsing the file and displaying it in a browser can actually read it.)

In /etc/syslog.conf on tracker:
###################################
# Remote syslog testing starts here
###################################
`+darkhorse'
*.*     /var/log/darkhorse.log

In /etc/rc.conf on tracker:
# Syslog testing
syslogd_flags=""
(when I use: syslogd_flags="-a darkhorse" I get nothing in any log from that host)

The only thing currently not working as expected is the logs not going into the specified logfile.

Any ideas?

Thanks,
Kev
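
The hostname-block semantics from the quoted syslog.conf(5) excerpt (`+host` / `-host` blocks, `@` for the local host, comma-separated host lists) are easy to get wrong, so here is a small Python model of how such a file routes a message, added as an illustration and not taken from the thread or from FreeBSD's syslogd source. The sample configuration is constructed, loosely modeled on a default FreeBSD /etc/syslog.conf plus the router block from the thread; the `+*` reset is taken from syslog.conf(5) rather than from the excerpt quoted above, and program (`!prog`) blocks and selector modifiers such as `=level` are not modeled. Two things the model makes visible: every rule whose host block and selector match fires independently, so a remote host's messages still land in /var/log/messages whenever that catch-all line is not itself inside a host block; and the `...' marks in the man page are typography, so a line that begins with a backquote is not a host specification at all. The model rejects such a line because it has no action field (what the real syslogd does with it is not something the thread shows).

```python
"""Model of FreeBSD syslog.conf host-block routing (constructed example, not syslogd code)."""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
# Index order is severity order: a lower index is more severe.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A host block is (include?, set of hostnames); None means "applies to every host".
HostSpec = Optional[Tuple[bool, Set[str]]]


class Rule(NamedTuple):
    host: HostSpec
    mask: Dict[str, Optional[int]]  # facility -> least severe level logged; None = never
    action: str


def parse_selector(sel: str) -> Dict[str, Optional[int]]:
    """Turn 'fac1,fac2.level;fac3.none' into a per-facility level mask.
    Later parts override earlier ones for the same facility, as syslogd does."""
    mask: Dict[str, Optional[int]] = {}
    for part in sel.split(";"):
        facs, dot, level = part.rpartition(".")
        if not dot:
            raise ValueError(f"selector without facility.level: {part!r}")
        for fac in facs.split(","):
            for f in (FACILITIES if fac == "*" else [fac]):
                if f not in FACILITIES:
                    raise ValueError(f"unknown facility {f!r}")
                if level == "none":
                    mask[f] = None
                elif level == "*":
                    mask[f] = len(LEVELS) - 1      # everything down to debug
                else:
                    mask[f] = LEVELS.index(level)  # raises ValueError on a bad level
    return mask


def parse_config(text: str, local_hostname: str = "localhost") -> List[Rule]:
    rules: List[Rule] = []
    host: HostSpec = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] == "#":             # '#+host' / '#-host' are specs, anything else is a comment
            line = line[1:]
            if not line or line[0] not in "+-!":
                continue
        if line[0] in "+-":            # hostname specification block
            names = line[1:].strip()
            if names == "*":
                host = None            # '+*' resets the block to "all hosts"
            else:
                host = (line[0] == "+",
                        {local_hostname if n == "@" else n for n in names.split(",")})
            continue
        if line[0] == "!":             # program specification blocks: not modeled here
            continue
        fields = re.split(r"\s+", line, maxsplit=1)
        if len(fields) != 2:
            raise ValueError(f"selector line without an action: {line!r}")
        rules.append(Rule(host, parse_selector(fields[0]), fields[1]))
    return rules


def route(rules: List[Rule], host: str, facility: str, level: str) -> List[str]:
    """Return every action that fires; syslogd does not stop at the first match."""
    sev = LEVELS.index(level)
    actions: List[str] = []
    for r in rules:
        if r.host is not None:
            include, names = r.host
            if (host in names) != include:
                continue
        limit = r.mask.get(facility)
        if limit is None or sev > limit:
            continue
        actions.append(r.action)
    return actions


def config_error(text: str) -> Optional[str]:
    """Return the parse error for a config fragment, or None if it parses cleanly."""
    try:
        parse_config(text)
        return None
    except ValueError as e:
        return str(e)


# Constructed sample: a trimmed default-style FreeBSD syslog.conf plus a router block.
SAMPLE_CONF = """\
*.notice;authpriv.none;kern.debug;mail.crit   /var/log/messages
auth.info;authpriv.info                       /var/log/auth.log
# Only messages received from host "ssr" go to the router log
+ssr
*.*                                           /var/log/router.log
# Reset the host block so the following lines apply to every host again
+*
# Keep the router's errors off the console
-ssr
*.err                                         /dev/console
"""

if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONF, local_hostname="tracker")
    for h, f, l in [("ssr", "local7", "info"), ("ssr", "local7", "err"), ("tracker", "auth", "info")]:
        print(f"{h} {f}.{l} -> {route(rules, h, f, l)}")
```

Running it shows the router's `local7.err` message landing in both /var/log/router.log and /var/log/messages, which is the behaviour to expect from the unchanged catch-all line; a `-host` block in front of that line, or a `+host` block around the router rule placed before a `+*` reset, is what keeps the two apart.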



More information about the talk mailing list