syslogging issues


 
# 1  
Old 01-16-2003
syslogging issues

i'm having some problems with syslogging.

i figured out how to allow logging from a specific host (my webramp).

syslogd -a ipaddress subnetmask


first, what file do the logs go to? second, is there any way i can save the webramp logs into another file?
# 2  
Old 01-16-2003
man syslogd
# 3  
Old 01-16-2003
i checked the man page... i wouldn't post something before i refer to a pertinent man page.

this is beyond that now.

i figured out what i typed earlier through the man page, but that's all i found.

however, i didn't see anything that explained how to log a specific host to its own file.

i also didn't see a description of which file the outside device would have its logs stored. i saw where all sorts of other services store their files, but that doesn't help me here.

i would like someone to outline these concerns please.

the man page didn't have all i was looking for, or at least i wasn't able to find it.
# 4  
Old 01-16-2003
The man page for syslog.conf actually has more information pertaining to what you are asking about.

Since you did not post your OS, a generic answer is all that can be provided. As far as most UNIX OS are concerned, you can't do what you want to do without writing a script to move the specific parts of the logging file to another.

To get messages to another server, it points to a server name - it sends the messages to the log file of that server (which means that the two servers are both adding entries into the same file).

kern.err /dev/console
kern.err @server
kern.err /var/adm/messages

All kernel errors would go to these three - on "server", whatever its syslog.conf file shows for kern.err is where it will put it.
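The kind of script the post above refers to, as an added example that is not part of the thread: it separates the lines of one named host from a combined log in the traditional `Mmm dd hh:mm:ss host message` layout. The host names `webramp` and `bsdbox` and the sample lines are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Traditional syslog file line: "Mmm dd hh:mm:ss host message" (day is space-padded).
LINE_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")

# Constructed sample of a combined messages file; host names are assumptions.
SAMPLE = [
    "Jan  9 23:59:58 bsdbox sshd[311]: Accepted password for admin\n",
    "Jan 10 00:00:02 webramp id=firewall msg=\"Connection dropped\"\n",
    "Jan 10 00:00:03 webramp last message repeated 3 times\n",
    "Jan 10 00:00:04 bsdbox /kernel: fxp0: link up\n",
    "garbled line without a header\n",
]

def split_by_host(lines, hosts):
    """Group lines whose host field is in `hosts`; keep all other lines, in order, in `rest`."""
    per_host, rest = defaultdict(list), []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(1) in hosts:
            per_host[m.group(1)].append(line)
        else:
            rest.append(line)  # unparsable lines stay in the main log, never dropped
    return dict(per_host), rest

def write_split(lines, hosts, out_dir):
    """Append each selected host's lines to out_dir/<host>.log and return the remaining lines."""
    per_host, rest = split_by_host(lines, hosts)
    for host, entries in per_host.items():
        # File names come from the caller's list of hosts, not from arbitrary log text.
        with open(os.path.join(out_dir, host + ".log"), "a") as fh:
            fh.writelines(entries)
    return rest
```
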
# 5  
Old 01-16-2003
i'm using FreeBSD 4.7

and the man page really doesn't. at least i haven't found anything other than the -a option.

it also doesn't mention anything about specifying logging into another file.

this is all it says about "-a"

-a allowed_peer
        Allow allowed_peer to log to this syslogd using UDP datagrams.
        Multiple -a options may be specified.

        Allowed_peer can be any of the following:

        ipaddr/masklen[:service]
                Accept datagrams from ipaddr (in the usual dotted quad
                notation) with masklen bits being taken into account when
                doing the address comparison. ipaddr can be also IPv6
                address by enclosing the address with `[' and `]'. If
                specified, service is the name or number of an UDP service
                (see services(5)) the source packet must belong to. A
                service of `*' allows packets being sent from any UDP port.
                The default service is `syslog'. If ipaddr is IPv4 address,
                a missing masklen will be substituted by the historic class
                A or class B netmasks if ipaddr belongs into the address
                range of class A or B, respectively, or by 24 otherwise. If
                ipaddr is IPv6 address, a missing masklen will be
                substituted by 128.


i've used the following

syslogd -a x.x.x.x/11:syslog -a x.x.x.x/24:syslog

however, this isn't doing anything. i'm not even getting anything under /var/log/messages.

this is the output of netstat -a

udp4 0 0 *.syslog *.*

but it doesn't say if it's listening or if anything is established. so i don't know if it's working or not.
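The allowed_peer rule quoted from the man page in the post above, modelled as an added example (not part of the thread and not syslogd's own code), to show which source address and source UDP port a given `-a` value accepts. It assumes IPv4 only, handles the service forms `syslog`, `*` and a port number, and uses constructed addresses.

```python
import ipaddress

SYSLOG_PORT = 514  # UDP port of the `syslog` service

def parse_allowed_peer(spec):
    """Parse IPv4 'ipaddr[/masklen][:service]' into (network, port); port None means '*'."""
    addr, _, service = spec.partition(":")
    service = service or "syslog"  # "The default service is `syslog'"
    ip, _, masklen = addr.partition("/")
    if not masklen:
        first = int(ip.split(".")[0])
        # Missing masklen: historic class A (/8) or class B (/16) netmask, otherwise 24.
        masklen = 8 if first < 128 else 16 if first < 192 else 24
    network = ipaddress.ip_network(f"{ip}/{masklen}", strict=False)
    if service == "*":
        port = None  # any source port
    elif service == "syslog":
        port = SYSLOG_PORT
    else:
        port = int(service)  # assumption: other service names are not resolved here
    return network, port

def accepts(spec, src_ip, src_port):
    """True if a datagram from src_ip:src_port matches the allowed_peer spec."""
    network, port = parse_allowed_peer(spec)
    in_net = ipaddress.ip_address(src_ip) in network
    return in_net and (port is None or src_port == port)

# Constructed cases: (spec, source address, source port)
CASES = [
    ("192.0.2.0/24:syslog", "192.0.2.10", 514),   # accepted: right net, source port 514
    ("192.0.2.0/24:syslog", "192.0.2.10", 1026),  # rejected: source port is not 514
    ("192.0.2.0/24:*", "192.0.2.10", 1026),       # accepted: `*` allows any source port
    ("172.16.5.1", "172.17.0.1", 514),            # rejected: class B default is /16
]

def evaluate(cases=CASES):
    return [accepts(spec, ip, port) for spec, ip, port in cases]
```

With the default service, the source port of the datagram has to be 514 as well as the address matching; only `*` drops the port condition.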
# 6  
Old 01-17-2003
Again, read the man page for syslog.conf. Check your /etc/syslog.conf. It will show where the error messages are going. The /etc/syslog.conf IS your configuration file.

FreeBSD.org - syslog.conf man page

See the Examples for setting up the configuration file to allow changing where and what gets logged. Make sure you are setting your logging low enough to catch messages (start with the lowest level and if you are getting more than what you wanted, cut it back).

To log to another server:
# emergency messages- log them on another machine.
*.emerg @arpa.berkeley.edu

On that other system you would need your syslog.conf to put those messages into a file:
# Emergency messages to /var/log/spoolerr
*.emerg /var/log/spoolerr

Note that this will send the messages from both servers to this file. You can't get around this via the syslog.conf.

Check that syslogd is running on both servers - once you change syslog.conf, you should be able to send a HUP signal to both syslogd processes and start getting messages from both servers into the spoolerr file.

As far as the -a option, ensure the -s option isn't being used on either server (disallows logging from/to servers).

Once you ensure you know where your messages are going (/etc/syslog.conf), and that your syslog daemons are allowing logging from/to remote servers (ps -ef|grep syslogd), then you can look to the -a option.
# 7  
Old 01-17-2003
Quote:
Originally posted by RTM
To log to another server:
# emergency messages- log them on another machine.
*.emerg @arpa.berkeley.edu

this is fine, but it's not what i want. i don't want to log to another server. the other device is a firewall appliance, not another FreeBSD box. i've told the device to send its logs to a syslog server. this example tells how to have my FreeBSD box send its logs to another server. this isn't what i want, I want to allow the FreeBSD box to RECEIVE logs from my Webramp (SonicWall SOHO).

Quote:
Note that this will send the messages from both servers to this file. You can't get around this via the syslog.conf.

Check that syslogd is running on both servers - once you change syslog.conf, you should be able to send a HUP signal to both syslogd processes and start getting messages from both servers into the spoolerr file.

one server, and one firewall appliance.

and syslogd is running on the FreeBSD device.

Quote:
As far as the -a option, ensure the -s option isn't being used on either server (disallows logging from/to servers).

i caught this one, but thanks.

Quote:
Once you ensure you know where your messages are going (/etc/syslog.conf), and that your syslog daemons are allowing logging from/to remote servers (ps -ef|grep syslogd), then you can look to the -a option.

the messages for the FreeBSD box itself are going to /var/log/messages. i was told that all other messages should also go there... but they're not.