#1 Registered User (joined Aug 2004)

    creating a syslog server


    I'm trying to create a centralized logging server with syslog. Ideally, I'd like to log each server to a separate directory; for example, server1's logs would be in /var/log/server1/whatever.log. I can't seem to figure out how to set up syslogd.conf to tell it "if it comes in from host X, log to file Y". I'm sure it's something simple.
#2 Contributing User, Germany (joined Jun 2004)

    Aha, I've seen this one before...

    try reading: http://forums.devshed.com/showthread.php?t=118652

    -Steven
#3 Registered User (joined Aug 2004)

    Hrm.. I've tried that to no avail. Does the hostname have to be an FQDN, or can it be something I put in my /etc/hosts file?
#4 Contributing User, Germany (joined Jun 2004)

    I assume that the data is arriving at the server? Can you see the packets in the "all" log? If so, look and see if the individual packets contain the hostname.. (post the pertinent portion of the logfile here)

    -Steven
#5 Registered User (joined Aug 2004)

    Yep, it lands in /var/log/messages

    Aug 11 13:56:41 rfwireless4 pop3vscan[18057]: Connection from 192.168.254.109:2812
    Aug 11 13:56:41 rfwireless4 pop3vscan[18057]: Real-server adress is a.b.c.d:110
    Aug 11 13:56:41 rfwireless4 pop3vscan[18057]: USER 'test@test.dom'
    Aug 11 13:56:41 rfwireless4 pop3vscan[18057]: Session done (Clean Exit). Mails: 0 Bytes: 0

    In my /etc/syslog.conf file after all the default syslog stuff I have:

    +rfwireless4
    *.* /var/log/rfwireless4/messages.log

    I've created the /var/log/rfwireless4 dir and touched the messages.log file in that dir before sending a HUP to syslogd. I've replaced the ip in the log with a.b.c.d, but it actually shows the ip. Not that it's terribly relevant, which is why I left it out.
#6 Contributing User, Germany (joined Jun 2004)

    How about the syslogd switches? Did you make sure the correct ones are used? (post the ps output):

    ps -ax | grep syslogd

    from the manpage:

    Code:
     -a allowed_peer
                 Allow allowed_peer to log to this syslogd using UDP datagrams.
                 Multiple -a options may be specified.
    
                 Allowed_peer can be any of the following:
    
                 ipaddr/masklen[:service]    Accept datagrams from ipaddr (in the
                                             usual dotted quad notation) with
                                             masklen bits being taken into account
                                             when doing the address comparison.
                                             ipaddr can be also IPv6 address by
                                             enclosing the address with `[' and
                                             `]'.  If specified, service is the
                                             name or number of an UDP service (see
                                             services(5)) the source packet must
                                             belong to.  A service of `*' allows
                                             packets being sent from any UDP port.
                                             The default service is `syslog'.  If
                                             ipaddr is IPv4 address, a missing
                                             masklen will be substituted by the
                                             historic class A or class B netmasks
                                             if ipaddr belongs into the address
                                             range of class A or B, respectively,
                                             or by 24 otherwise.  If ipaddr is
                                             IPv6 address, a missing masklen will
                                             be substituted by 128.
    
                 domainname[:service]        Accept datagrams where the reverse
                                             address lookup yields domainname for
                                             the sender address.  The meaning of
                                             service is as explained above.
    
                 *domainname[:service]       Same as before, except that any
                                             source host whose name ends in
                                             domainname will get permission.

    Make sure secure mode is off (the -s switch blocks incoming remote logs).

    -Steven
#7 Registered User (joined Aug 2004)

    ps waux | grep syslogd | grep -v grep
    root 53637 0.0 0.1 1016 644 ?? Ss 4:13PM 0:01.32 /usr/sbin/syslogd -a 192.168.100.1/255.255.255.255
#8 Contributing User, Germany (joined Jun 2004)

    OK, what does the rest of your syslog.conf look like? Do you have any open program blocks before the remote host?

    -Steven
#9 Registered User (joined Aug 2004)

    # $FreeBSD: src/etc/syslog.conf,v 1.13.2.3 2002/04/15 00:44:13 dougb Exp $
    #
    # Spaces ARE valid field separators in this file. However,
    # other *nix-like systems still insist on using tabs as field
    # separators. If you are sharing this file between systems, you
    # may want to use only tabs as field separators here.
    # Consult the syslog.conf(5) manpage.
    *.err;kern.debug;auth.notice;mail.crit /dev/console
    *.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
    security.* /var/log/security
    auth.info;authpriv.info /var/log/auth.log
    mail.info /var/log/maillog
    lpr.info /var/log/lpd-errs
    cron.* /var/log/cron
    *.emerg *
    # uncomment this to log all writes to /dev/console to /var/log/console.log
    #console.info /var/log/console.log
    # uncomment this to enable logging of all log messages to /var/log/all.log
    # touch /var/log/all.log and chmod it to mode 600 before it will work
    #*.* /var/log/all.log
    # uncomment this to enable logging to a remote loghost named loghost
    #*.* @loghost
    # uncomment these if you're running inn
    # news.crit /var/log/news/news.crit
    # news.err /var/log/news/news.err
    # news.notice /var/log/news/news.notice
    !startslip
    *.* /var/log/slip.log
    !ppp
    *.* /var/log/ppp.log

    +rfwireless4
    *.* /var/log/rfwireless4/messages.log
#10 Contributing User, Germany (joined Jun 2004)

    From my understanding of the manpage, those program blocks cascade.

    Code:
         Each block of lines is separated from the previous block by a program or
         hostname specification.  A block will only log messages corresponding to
         the most recent program and hostname specifications given.  Thus, with a
         block which selects `ppp' as the program, directly followed by a block
         that selects messages from the hostname `dialhost', the second block will
         only log messages from the ppp(8) program on dialhost.
    
         A program specification is a line beginning with `#!prog' or `!prog' (the
         former is for compatibility with the previous syslogd, if one is sharing
         syslog.conf files, for example) and the following blocks will be
         associated with calls to syslog(3) from that specific program.  A program
         specification for `foo' will also match any message logged by the kernel
         with the prefix `foo: '.  The `#!+prog' or `!+prog' specification works
         just like the previous one, and the `#!-prog' or `!-prog' specification
         will match any message but the ones from that program.  Multiple programs
         may be listed, separated by commas: `!prog1,prog2' matches messages from
         either program, while `!-prog1,prog2' matches all messages but those from
         `prog1' or `prog2'.
    
         A hostname specification of the form `#+hostname' or `+hostname' means
         the following blocks will be applied to messages received from the
         specified hostname.  Alternatively, the hostname specification
         `#-hostname' or `-hostname' causes the following blocks to be applied to
         messages from any host but the one specified.  If the hostname is given
         as `@', the local hostname will be used.  As for program specifications,
         multiple comma-separated values may be specified for hostname
         specifications.
    
         A program or hostname specification may be reset by giving the program
         or hostname as `*'.


    -Steven
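To see why the order of those blocks matters, here is an added example (not code from the thread or from FreeBSD's syslogd) that models the cascade the quoted manpage describes: a small parser for program and hostname specifications, including the `*` reset, run over a constructed tail of the syslog.conf posted above. The facility and level assumed for the pop3vscan lines (daemon.notice) are an assumption.

```python
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]  # ascending severity

def _spec(body):
    """'ppp' -> (False, {'ppp'}); '-a,b' -> (True, {'a','b'}); '*' -> None (reset)."""
    return None if body.lstrip("+-") == "*" else (body.startswith("-"), set(body.lstrip("+-").split(",")))

def _spec_matches(spec, value):
    return True if spec is None else (value in spec[1]) != spec[0]

def _selector_matches(selector, facility, level):
    """'*.notice;kern.debug;mail.none': the last clause naming the facility wins."""
    matched = False
    for clause in selector.split(";"):
        fac, lvl = clause.split(".")
        if fac in ("*", facility):
            matched = lvl == "*" or (lvl != "none" and LEVELS.index(level) >= LEVELS.index(lvl))
    return matched

def parse_conf(text):
    """Rules as (selector, action, prog spec, host spec); each inherits the latest '!prog' and '+host'."""
    rules, prog, host = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # the '#!prog' / '#+host' compatibility forms are not modelled
        if line.startswith("!"):
            prog = _spec(line[1:])
        elif line[0] in "+-":
            host = _spec(line)
        else:
            selector, action = line.split(None, 1)
            rules.append((selector, action, prog, host))
    return rules

def actions_for(rules, host, program, facility, level):
    """Every action a message with these attributes would be written to."""
    return [act for sel, act, pspec, hspec in rules
            if _spec_matches(hspec, host) and _spec_matches(pspec, program)
            and _selector_matches(sel, facility, level)]

# Constructed: the tail of the thread's syslog.conf, where '!ppp' is still open
BROKEN = """\
*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
!ppp
*.* /var/log/ppp.log
+rfwireless4
*.* /var/log/rfwireless4/messages.log
"""
# Same tail with the program block reset ('!*') before the host block
FIXED = BROKEN.replace("+rfwireless4", "!*\n+rfwireless4")
```

With the open `!ppp` block, a pop3vscan message from rfwireless4 only reaches /var/log/messages; after the `!*` reset it also reaches /var/log/rfwireless4/messages.log.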
#11 Registered User (joined Jun 2006)

    Syslog configuration

    Hi,

    I have a requirement to set up a syslog server with the following feature. It should log all the messages received via UDP from syslog daemons on other hosts to a local file. The messages generated by it should not be logged.

    If someone could let me know the syslog.conf settings for this, it will be very helpful.

    Thanks in advance.
