The Shed is going Social! Join us on FaceBook and Twitter and chime in on the conversation.
|
 |
|
Dev Shed Forums
> Operating Systems
> BSD Help
|
creating a syslog server
Discuss creating a syslog server in the BSD Help forum on Dev Shed.
creating a syslog server BSD Help forum discussing all BSD based operating systems including FreeBSD, OpenBSD, NetBSD, and more. BSD refers to the distribution of UNIX originally developed by the University of California at Berkeley.
|
|
 |
|
|
|
|
Dev Shed Forums Sponsor:
|
|
|
August 11th, 2004, 01:42 PM
|
|
Registered User
|
|
Join Date: Aug 2004
Posts: 5
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
creating a syslog server
I'm trying to create a centralized logging server with syslog. Ideally, I'd like to log each server to a separate directory, for example server1's logs would be in /var/log/server1/whatever.log. I can't seem to figure out how to setup syslogd.conf to tell it if it comes in from host X, log to file Y. I'm sure it's something simple.
|
August 11th, 2004, 02:48 PM
|
|
Contributing User
|
|
Join Date: Jun 2004
Location: Germany
Posts: 394
Time spent in forums: 3 Days 4 h 36 m 25 sec
Warnings Level: 10
Number of bans: 1
Reputation Power: 9
|
|
|
aha, i've seen this one before...
try reading: http://forums.devshed.com/showthread.php?t=118652
-Steven
|
August 11th, 2004, 03:59 PM
|
|
Registered User
|
|
Join Date: Aug 2004
Posts: 5
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
Hrm.. I've tried that with no avail. Does the hostname have to be a fqdn? or can it be something I put in my /etc/hosts file.
|
August 11th, 2004, 05:25 PM
|
|
Contributing User
|
|
Join Date: Jun 2004
Location: Germany
Posts: 394
Time spent in forums: 3 Days 4 h 36 m 25 sec
Warnings Level: 10
Number of bans: 1
Reputation Power: 9
|
|
|
I assume that the data is arriving at the server? Can you see the packets in the "all" log? If so, look and see if the individual packets contain the hostname.. (post the pertinent portion of the logfile here)
-Steven
|
August 11th, 2004, 06:07 PM
|
|
Registered User
|
|
Join Date: Aug 2004
Posts: 5
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
Yep, it lands in /var/log/messages
Aug 11 13:56:41 rfwireless4 pop3vscan[18057]: Connection from 192.168.254.109:2812
Aug 11 13:56:41 rfwireless4 pop3vscan[18057]: Real-server adress is a.b.c.d:110
Aug 11 13:56:41 rfwireless4 pop3vscan[18057]: USER 'test@test.dom'
Aug 11 13:56:41 rfwireless4 pop3vscan[18057]: Session done (Clean Exit). Mails: 0 Bytes: 0
In my /etc/syslog.conf file after all the default syslog stuff I have:
+rfwireless4
*.* /var/log/rfwireless4/messages.log
I've created the /var/log/rfwireless4 dir and touched the messages.log file in that dir before sending a HUP to syslogd. I've replaced the ip in the log with a.b.c.d, but it actually shows the ip. Not that it's terribly relevant, which is why I left it out.
|
August 12th, 2004, 10:03 AM
|
|
Contributing User
|
|
Join Date: Jun 2004
Location: Germany
Posts: 394
Time spent in forums: 3 Days 4 h 36 m 25 sec
Warnings Level: 10
Number of bans: 1
Reputation Power: 9
|
|
how about the syslogd switches? Did you make sure the correct ones are used? (post the ps output):
ps -ax | grep syslogd
from the manpage:
Code:
-a allowed_peer
Allow allowed_peer to log to this syslogd using UDP datagrams.
Multiple -a options may be specified.
Allowed_peer can be any of the following:
ipaddr/masklen[:service] Accept datagrams from ipaddr (in the
usual dotted quad notation) with
masklen bits being taken into account
when doing the address comparison.
ipaddr can be also IPv6 address by
enclosing the address with `[' and
`]'. If specified, service is the
name or number of an UDP service (see
services(5)) the source packet must
belong to. A service of `*' allows
packets being sent from any UDP port.
The default service is `syslog'. If
ipaddr is IPv4 address, a missing
masklen will be substituted by the
historic class A or class B netmasks
if ipaddr belongs into the address
range of class A or B, respectively,
or by 24 otherwise. If ipaddr is
IPv6 address, a missing masklen will
be substituted by 128.
domainname[:service] Accept datagrams where the reverse
address lookup yields domainname for
the sender address. The meaning of
service is as explained above.
*domainname[:service] Same as before, except that any
source host whose name ends in
domainname will get permission.
make sure secure mode is off ( the -s switch blocks incoming remote logs).
-Steven
|
August 12th, 2004, 11:22 AM
|
|
Registered User
|
|
Join Date: Aug 2004
Posts: 5
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
ps waux | grep syslogd | grep -v grep
root 53637 0.0 0.1 1016 644 ?? Ss 4:13PM 0:01.32 /usr/sbin/syslogd -a 192.168.100.1/255.255.255.255
|
August 12th, 2004, 11:38 AM
|
|
Contributing User
|
|
Join Date: Jun 2004
Location: Germany
Posts: 394
Time spent in forums: 3 Days 4 h 36 m 25 sec
Warnings Level: 10
Number of bans: 1
Reputation Power: 9
|
|
|
ok, what does the rest of your syslog.conf look like? Do you have any open program blocks before the remote host?
-Steven
|
August 12th, 2004, 11:55 AM
|
|
Registered User
|
|
Join Date: Aug 2004
Posts: 5
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
# $FreeBSD: src/etc/syslog.conf,v 1.13.2.3 2002/04/15 00:44:13 dougb Exp $
#
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage.
*.err;kern.debug;auth.notice;mail.crit /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
cron.* /var/log/cron
*.emerg *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.* /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.* @loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
!startslip
*.* /var/log/slip.log
!ppp
*.* /var/log/ppp.log
+rfwireless4
*.* /var/log/rfwireless4/messages.log
|
August 12th, 2004, 02:04 PM
|
|
Contributing User
|
|
Join Date: Jun 2004
Location: Germany
Posts: 394
Time spent in forums: 3 Days 4 h 36 m 25 sec
Warnings Level: 10
Number of bans: 1
Reputation Power: 9
|
|
from my understanding of the manpage, those program blocks cascade.
Code:
Each block of lines is separated from the previous block by a program or
hostname specification. A block will only log messages corresponding to
the most recent program and hostname specifications given. Thus, with a
block which selects `ppp' as the program, directly followed by a block
that selects messages from the hostname `dialhost', the second block will
only log messages from the ppp(8) program on dialhost.
A program specification is a line beginning with `#!prog' or `!prog' (the
former is for compatibility with the previous syslogd, if one is sharing
syslog.conf files, for example) and the following blocks will be associ-
ated with calls to syslog(3) from that specific program. A program spec-
ification for `foo' will also match any message logged by the kernel with
the prefix `foo: '. The `#!+prog' or `!+prog' specification works just
like the previous one, and the `#!-prog' or `!-prog' specification will
match any message but the ones from that program. Multiple programs may
be listed, separated by commas: `!prog1,prog2' matches messages from
either program, while `!-prog1,prog2' matches all messages but those from
`prog1' or `prog2'.
A hostname specification of the form `#+hostname' or `+hostname' means
the following blocks will be applied to messages received from the speci-
fied hostname. Alternatively, the hostname specification `#-hostname' or
`-hostname' causes the following blocks to be applied to messages from
any host but the one specified. If the hostname is given as `@', the
local hostname will be used. As for program specifications, multiple
comma-seprarated values may be specified for hostname specifications.
A program or hostname specification may be reset by giving the program
or hostname as `*'.
-Steven
|
June 9th, 2006, 07:10 AM
|
|
Registered User
|
|
Join Date: Jun 2006
Posts: 1
Time spent in forums: 7 m 33 sec
Reputation Power: 0
|
|
|
Syslog configuration
Hi,
I have a requirement to setup a Syslog server with the following feature. It should log all the messages received via UDP from syslog daemons in other hosts to a local file. The messages generated by it should not be logged.
If someone could let me know the syslog.conf settings for this, it will be very helpful.
Thanks in advance.
|
Developer Shed Advertisers and Affiliates
| Thread Tools |
Search this Thread |
|
|
|
| Display Modes |
Rate This Thread |
 Linear Mode
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
|
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
