My weird place

20070506

syslog to a FreeBSD syslogd host.

Filed under: FreeBSD — xride @ 08:08:11

Today I decided to set up some syslog logging of my router.

I enabled syslog logging on the router and pointed it at the syslogd box.

I could see that the syslog packets reached the interface of the syslogd box, but nothing showed up in the logs.

First removed -s from syslogd_flags in /etc/rc.conf, then added -a syslog_src_ip/bitmask to syslogd_flags.

Still nothing in the logs.

Then I added -dv to the flags, and found that I got:

rejected in rule 0 due to port mismatch

Well, after some searching I found that one could add :* to the -a ip/bitmask argument.

Did so and messages got into syslogd, but they did not end up in the right log file.

‘+hostname’ to the rescue: I added it at the end of /etc/syslog.conf, but still nothing in the right logfile.

Then I noticed that the logfile specified in the +hostname block was being restricted by the last !program block.

I figured that the right order of /etc/syslog.conf should be:

1) General logging.

2) +hostname block(s).

3) !program block(s).

If they are not in this order, it will not work.
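The configuration this post converges on, written out as an added example (these are not the author's actual files): it assumes the router is 192.0.2.1 (a constructed placeholder address) and that its messages should land in /var/log/router.log. The !* and +* lines are the program and hostname resets documented in syslog.conf(5); using them makes the ordering explicit instead of relying on where the block happens to sit.

```conf
# /etc/rc.conf (added example, not the post's own file)
# Dropping the default -s makes syslogd accept messages from the network.
# Keep the accepted senders as narrow as possible with -a: one -a per host,
# /32 for a single address. The trailing :* accepts any source port, which
# is what the post found the router needed. Note that -a only checks the
# (unauthenticated) source address of a UDP datagram.
syslogd_enable="YES"
syslogd_flags="-a 192.0.2.1/32:*"

# /etc/syslog.conf (added example) -- in the order the post describes:
# 1) general logging for the local host (FreeBSD default lines)
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log

# 2) +hostname block(s). The !* first clears any program filter that would
#    otherwise still apply; the +* afterwards returns to matching all hosts.
!*
+192.0.2.1
*.*                                             /var/log/router.log
+*

# 3) !program block(s) last, so their filter cannot leak into block 2)
!ppp
*.*                                             /var/log/ppp.log
!*
```

syslogd only writes to log files that already exist, so create the file (touch /var/log/router.log) and restart with /etc/rc.d/syslogd restart; +hostname is compared against the name syslogd records for the sender (the resolved name, or the bare IP when it cannot be resolved or with -n), so use whichever form appears in /var/log/messages.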

7 Comments »

  1. Try using syslog-ng. It’s much simpler to configure.

    Comment by noname — 20070507 @ 22:00:03

  2. Thanks! :D very useful. Only problem I had is that I don’t seem to be able to get the bitmask format right. I’m using the domain name for now but I’d like to use the ip/bitmask combination as it will continue to work even if my DNS goes down. What format does this take?

    Comment by Alex Lamaison — 20070904 @ 20:32:00

  3. Great post. Thanks! :D Only problem I had is that I don’t seem to be able to get the bitmask format right. I’m using the domain name for now but I’d like to use the ip/bitmask combination as it will continue to work even if my DNS goes down. What format does this take?

    Comment by Alex Lamaison — 20070904 @ 20:33:08

  4. Thanks for the -a tip with the port (i.e.: :*)

    For your info, I put my stuff directly at the end of the syslog.conf file because specifying a +hostname remains until you override it with some other host.

    I just put a !* before to clear out the program problem.

    Comment by Charles — 20071122 @ 19:47:34

  5. Would you mind posting your working /etc/rc.conf and /etc/syslog.conf?

    Comment by Stephen — 20080224 @ 00:00:44

  6. Never mind, I was able to figure it out. Just used:

    #syslogd_flags="-a 172.16.0.0/24:*"
    syslogd_flags=""

    since the first one wouldn’t work.

    Comment by Stephen — 20080224 @ 00:36:38

  7. @Stephen

    I’m using “-a x.y.z.t/32:*”, and then have one “-a ..” per host I would log from.

    Comment by xride — 20080329 @ 08:35:36
