August 11th, 2004, 01:42 PM
creating a syslog server
I'm trying to create a centralized logging server with syslog. Ideally, I'd like to log each server to a separate directory; for example, server1's logs would be in /var/log/server1/whatever.log. I can't seem to figure out how to set up syslogd.conf to tell it that if it comes in from host X, log to file Y. I'm sure it's something simple.
August 11th, 2004, 02:48 PM
Aha, I've seen this one before...
try reading: http://forums.devshed.com/showthread.php?t=118652
August 11th, 2004, 03:59 PM
Hrm.. I've tried that to no avail. Does the hostname have to be an FQDN, or can it be something I put in my /etc/hosts file?
August 11th, 2004, 05:25 PM
I assume that the data is arriving at the server? Can you see the packets in the "all" log? If so, look and see if the individual packets contain the hostname (post the pertinent portion of the logfile here).
August 11th, 2004, 06:07 PM
Yep, it lands in /var/log/messages
Aug 11 13:56:41 rfwireless4 pop3vscan: Connection from 192.168.254.109:2812
Aug 11 13:56:41 rfwireless4 pop3vscan: Real-server adress is a.b.c.d:110
Aug 11 13:56:41 rfwireless4 pop3vscan: USER 'email@example.com'
Aug 11 13:56:41 rfwireless4 pop3vscan: Session done (Clean Exit). Mails: 0 Bytes: 0
In my /etc/syslog.conf file after all the default syslog stuff I have:
I've created the /var/log/rfwireless4 dir and touched the messages.log file in that dir before sending a HUP to syslogd. I've replaced the IP in the log with a.b.c.d, but it actually shows the IP. Not that it's terribly relevant, which is why I left it out.
August 12th, 2004, 10:03 AM
How about the syslogd switches? Did you make sure the correct ones are used? (Post the ps output):
ps -ax | grep syslogd
from the manpage:
-a allowed_peer
    Allow allowed_peer to log to this syslogd using UDP datagrams. Multiple -a options may be specified. Allowed_peer can be any of the following:

    ipaddr/masklen[:service]
        Accept datagrams from ipaddr (in the usual dotted quad notation) with masklen bits being taken into account when doing the address comparison. ipaddr can also be an IPv6 address by enclosing the address with `[' and `]'. If specified, service is the name or number of a UDP service (see services(5)) the source packet must belong to. A service of `*' allows packets being sent from any UDP port. The default service is `syslog'. If ipaddr is an IPv4 address, a missing masklen will be substituted by the historic class A or class B netmasks if ipaddr belongs in the address range of class A or B, respectively, or by 24 otherwise. If ipaddr is an IPv6 address, a missing masklen will be substituted by 128.

    domainname[:service]
        Accept datagrams where the reverse address lookup yields domainname for the sender address. The meaning of service is as explained above.

    *domainname[:service]
        Same as before, except that any source host whose name ends in domainname will get permission.
Make sure secure mode is off (the -s switch blocks incoming remote logs).
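The allowed_peer forms quoted above, worked through as an added example (editor's code, written for this page; it is not from the thread or from the syslogd source). It models IPv4 peers only, takes masklen as a bit count exactly as the manpage describes, substitutes a constructed PTR table for reverse DNS, and assumes port 514 for the `syslog' service. The part worth seeing is the default mask: `-a 10.1.2.3` with no masklen admits every host in 10.0.0.0/8, which is why a per-host peer should always carry an explicit /32.

```python
"""Added example: how syslogd's -a allowed_peer rules match a sender (IPv4 only).

Covers ipaddr/masklen[:service], domainname[:service] and *domainname[:service]
as described in the syslogd(8) text above, including the classful default mask
applied when masklen is omitted.  The PTR table and the port number are
constructed for this example.
"""
import ipaddress

SYSLOG_PORT = 514  # assumed value of the 'syslog' UDP service in services(5)

# Constructed reverse-lookup answers standing in for DNS PTR records.
PTR = {"192.168.100.1": "rfwireless4.example.net", "10.9.8.7": "lab1.example.net"}


def default_masklen(addr):
    """Historic classful default: /8 for class A, /16 for class B, /24 otherwise."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    return 24


def _port(service):
    """':service' suffix -> required source port, or None for ':*' (any port)."""
    if service == "*":
        return None
    if service in ("", "syslog"):
        return SYSLOG_PORT
    return int(service)


def parse_peer(spec):
    """Turn one -a argument into a matcher tuple (kind, value, masklen, port)."""
    spec, _, service = spec.partition(":")
    port = _port(service)
    if spec.startswith("*"):                     # *domainname: suffix match on PTR name
        return ("suffix", spec[1:].lower(), None, port)
    addr, _, masklen = spec.partition("/")
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:                           # not an address: exact PTR name match
        return ("name", spec.lower(), None, port)
    return ("net", addr, int(masklen) if masklen else default_masklen(addr), port)


def peer_allowed(rules, src_ip, src_port):
    """True if any -a rule admits a datagram from src_ip:src_port."""
    name = PTR.get(src_ip, "").lower()          # empty when there is no PTR record
    for kind, value, masklen, port in rules:
        if port is not None and port != src_port:
            continue
        if kind == "net":
            net = ipaddress.ip_network(f"{value}/{masklen}", strict=False)
            if ipaddress.ip_address(src_ip) in net:
                return True
        elif kind == "name" and name == value:
            return True
        elif kind == "suffix" and name.endswith(value):
            return True
    return False


if __name__ == "__main__":
    for spec in ("10.1.2.3", "10.1.2.3/32"):
        rule = parse_peer(spec)
        print(f"-a {spec} -> mask /{rule[2]}, admits 10.200.0.1: "
              f"{peer_allowed([rule], '10.200.0.1', SYSLOG_PORT)}")
```

Run it and the first line shows the trap: the bare address expands to 10.0.0.0/8. Hosts with no PTR record never match a domainname form, so a peer list built from names silently drops senders the resolver cannot name.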
August 12th, 2004, 11:22 AM
ps waux | grep syslogd | grep -v grep
root 53637 0.0 0.1 1016 644 ?? Ss 4:13PM 0:01.32 /usr/sbin/syslogd -a 192.168.100.1/255.255.255.255
August 12th, 2004, 11:38 AM
OK, what does the rest of your syslog.conf look like? Do you have any open program blocks before the remote host?
August 12th, 2004, 11:55 AM
# $FreeBSD: src/etc/syslog.conf,v 220.127.116.11 2002/04/15 00:44:13 dougb Exp $
# Spaces ARE valid field separators in this file. However,
# other *nix-like systems still insist on using tabs as field
# separators. If you are sharing this file between systems, you
# may want to use only tabs as field separators here.
# Consult the syslog.conf(5) manpage.
# uncomment this to log all writes to /dev/console to /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
# uncomment this to enable logging to a remote loghost named loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
August 12th, 2004, 02:04 PM
From my understanding of the manpage, those program blocks cascade.

Each block of lines is separated from the previous block by a program or hostname specification. A block will only log messages corresponding to the most recent program and hostname specifications given. Thus, with a block which selects `ppp' as the program, directly followed by a block that selects messages from the hostname `dialhost', the second block will only log messages from the ppp(8) program on dialhost.

A program specification is a line beginning with `#!prog' or `!prog' (the former is for compatibility with the previous syslogd, if one is sharing syslog.conf files, for example) and the following blocks will be associated with calls to syslog(3) from that specific program. A program specification for `foo' will also match any message logged by the kernel with the prefix `foo: '. The `#!+prog' or `!+prog' specification works just like the previous one, and the `#!-prog' or `!-prog' specification will match any message but the ones from that program. Multiple programs may be listed, separated by commas: `!prog1,prog2' matches messages from either program, while `!-prog1,prog2' matches all messages but those from `prog1' or `prog2'.

A hostname specification of the form `#+hostname' or `+hostname' means the following blocks will be applied to messages received from the specified hostname. Alternatively, the hostname specification `#-hostname' or `-hostname' causes the following blocks to be applied to messages from any host but the one specified. If the hostname is given as `@', the local hostname will be used. As for program specifications, multiple comma-separated values may be specified for hostname specifications.

A program or hostname specification may be reset by giving the program or hostname as `*'.
I have a requirement to setup a Syslog server with the following feature. It should log all the messages received via UDP from syslog daemons in other hosts to a local file. The messages generated by it should not be logged.
If someone could let me know the syslog.conf settings for this, it will be very helpful.
Thanks in advance.
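The block semantics from the manpage quote above, and the "everything remote, nothing local" file the last post asks for, worked through as an added example (editor's code, written for this page; it is not from the thread or from syslogd). It parses a constructed syslog.conf the way syslogd(8) reads it: whatever `!prog' and `+host'/`-host' specification is in force when a rule line is read is attached to that rule, until a `!*' or `+*' resets it. The `-@' block is the one that catches every remote host while skipping the loghost's own messages. Selector handling is limited to facility.level (that level or higher), `*' and `none'; the `=' and `!' comparison flags are not modelled. The loghost name, the pop3vscan message's facility and level, and both config texts are assumptions.

```python
"""Added example: simulate FreeBSD syslog.conf program/hostname block cascading.

The config text and the sample messages are constructed for this example.
"""
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def _names(text, local_host):
    """Comma-separated names; '@' in a hostname spec means the local host."""
    return {local_host if n == "@" else n for n in text.split(",") if n}


def _selector_table(selectors):
    """Map facility -> most verbose level index accepted.  Later selectors
    override earlier ones, the way syslogd fills its per-rule priority mask."""
    table = {}
    for sel in selectors.split(";"):
        facs, _, lvl = sel.partition(".")
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if lvl == "none":
                table.pop(fac, None)
            else:
                table[fac] = len(LEVELS) - 1 if lvl == "*" else LEVELS.index(lvl)
    return table


def parse_conf(conf, local_host="loghost"):
    """Return [(prog_spec, host_spec, selector_table, action), ...].

    A spec is None (no restriction) or (negate, names).  The spec in force when a
    rule line is read is attached to that rule, so specs cascade until reset
    with '!*' (program) or '+*' (hostname)."""
    prog = host = None
    rules = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if len(line) > 1 and line[1] in "!+-":
                line = line[1:]                # '#!prog', '#+host', '#-host' spellings
            else:
                continue                       # ordinary comment
        if line.startswith("!"):               # program specification
            spec = line[1:]
            negate = spec.startswith("-")
            spec = spec.lstrip("+-")
            prog = None if spec == "*" else (negate, _names(spec, local_host))
            continue
        if line[0] in "+-":                    # hostname specification
            negate = line.startswith("-")
            spec = line[1:]
            host = None if spec == "*" else (negate, _names(spec, local_host))
            continue
        selectors, action = line.split()[:2]   # tabs and spaces both separate fields
        rules.append((prog, host, _selector_table(selectors), action))
    return rules


def _spec_ok(spec, name):
    if spec is None:
        return True
    negate, names = spec
    return (name not in names) if negate else (name in names)


def route(rules, host, program, facility, level):
    """Files a message would be written to, in config order."""
    hits = []
    for prog_spec, host_spec, table, action in rules:
        if not (_spec_ok(prog_spec, program) and _spec_ok(host_spec, host)):
            continue
        if facility in table and LEVELS.index(level) <= table[facility]:
            hits.append(action)
    return hits


# Constructed loghost config: a per-host directory for rfwireless4, then a
# '-@' block that takes every host except the loghost itself.
GOOD_CONF = """\
*.notice;mail.crit      /var/log/messages
mail.info               /var/log/maillog
!ppp
*.*                     /var/log/ppp.log
!*
+rfwireless4
*.*                     /var/log/rfwireless4/messages.log
+*
-@
*.*                     /var/log/remote/all.log
+*
"""

# Same config with the '!*' reset left out: the '!ppp' block is still open when
# '+rfwireless4' appears, so both remote blocks only ever see ppp messages.
BAD_CONF = GOOD_CONF.replace("!*\n", "")

if __name__ == "__main__":
    # Assumed: the thread's pop3vscan line arrives from rfwireless4 as daemon.notice.
    for label, conf in (("with !* reset", GOOD_CONF), ("without !* reset", BAD_CONF)):
        rules = parse_conf(conf, local_host="loghost")
        print(label, "->", route(rules, "rfwireless4", "pop3vscan", "daemon", "notice"))
```

With the reset in place the remote message lands in /var/log/messages, the per-host file and the remote catch-all; without it, only /var/log/messages, which is the symptom the thread describes and the reason the "open program blocks" question above matters.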