Sunday, May 6, 2007

syslog to a FreeBSD syslogd host.

Today I decided to set up some syslog logging of my router.

I enabled syslog logging on the router and pointed it at the syslogd box.

I could see that the syslog packets reached the interface of the syslogd box, but nothing showed up in the logs.

First I removed -s from syslogd_flags in /etc/rc.conf (-s is the default and makes syslogd ignore messages from remote hosts), then added -a syslog_src_ip/bitmask to syslogd_flags so that only the router is accepted. Emptying syslogd_flags entirely would also let the messages in, but then syslogd accepts datagrams from any host, so use -a.

Still nothing in the logs.

Then I added -dv to the flags (debug output, verbose) and found that I got:

rejected in rule 0 due to port mismatch

After some searching I found that one could add :* to the -a ip/bitmask spec. Without a :service part syslogd only accepts datagrams whose source port is 514 (the syslog service); the router was sending from some other port, and :* allows any source port.
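The following is an added example, not code from the post or from FreeBSD: a small POSIX sh model of how a syslogd -a spec of the form ipaddr/masklen[:service] accepts or rejects a peer, which is also the ip/bitmask format the comments below ask about. The rules follow syslogd(8); the router address 192.0.2.1, the source ports and the rule lists are constructed for the demo, and treating a bare address as /32 and understanding only "syslog" and numeric ports are assumptions of this model.

```shell
#!/bin/sh
# Added example, not code from the post or from FreeBSD: a POSIX sh model of
# how syslogd's -a allowed_peer matching treats "ipaddr/masklen[:service]"
# specs (IPv4 only).  The rules follow syslogd(8): without ":service" only
# datagrams from source port 514 (syslog) are accepted, ":*" accepts any
# source port, ":NNN" accepts only that port.  Assumptions of this model:
# a bare address without /masklen is treated as /32, and the only service
# names understood are "syslog" and numeric ports.

# ip4_to_int 192.0.2.7  ->  3221225991 (the address as an unsigned integer)
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# peer_allowed SPEC SOURCE_IP SOURCE_PORT
# Returns 0 if the single -a SPEC accepts a datagram from SOURCE_IP:SOURCE_PORT.
# The port is checked first, which is why an address inside the allowed
# network can still be rejected "due to port mismatch" when :* is missing.
peer_allowed() {
    spec=$1 src_ip=$2 src_port=$3
    case $spec in
        *:*) net=${spec%%:*}; svc=${spec#*:} ;;
        *)   net=$spec;       svc=syslog ;;      # no :service -> port 514 only
    esac
    case $net in
        */*) addr=${net%/*}; len=${net#*/} ;;
        *)   addr=$net;      len=32 ;;           # assumption: bare address = /32
    esac
    case $svc in
        '*')    ;;                                              # any source port
        syslog) [ "$src_port" -eq 514 ] || return 1 ;;
        *)      [ "$src_port" -eq "$svc" ] 2>/dev/null || return 1 ;;
    esac
    # Network part: compare the masked rule address with the masked source.
    mask=$(( 0xffffffff ^ ((1 << (32 - len)) - 1) ))
    [ $(( $(ip4_to_int "$addr") & mask )) -eq $(( $(ip4_to_int "$src_ip") & mask )) ]
}

# first_matching_rule SOURCE_IP SOURCE_PORT SPEC...
# Walks the -a rules in order (syslogd numbers them from 0 in its debug
# output) and prints the index of the first rule that accepts the peer, or
# "none" when every rule rejects it, in which case syslogd drops the datagram.
first_matching_rule() {
    ip=$1 port=$2 i=0
    shift 2
    for r in "$@"; do
        if peer_allowed "$r" "$ip" "$port"; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    echo none
}

# Demo with a constructed router address (192.0.2.1, from the RFC 5737 test
# range) that sends from an ephemeral source port, as the post's router did:
first_matching_rule 192.0.2.1 49152 '192.0.2.1/32'                    # none
first_matching_rule 192.0.2.1 49152 '192.0.2.1/32:*'                  # 0
first_matching_rule 192.0.2.9 40000 '10.0.0.0/8:*' '192.0.2.0/24:*'   # 1
```

The first call reproduces the failure in the post: the address matches rule 0, but the source port is not 514, so the rule rejects it. Appending :* to the same rule makes it match.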

Adding :* got the messages into syslogd, but they did not end up in the right log file.

'+hostname' to the rescue: I added a +hostname block at the end of /etc/syslog.conf, but still nothing in the right log file.

Then I noticed that the log file specified in the +hostname block was still subject to the last !program block. In syslog.conf a !program spec and a +hostname spec are independent filters, and each stays in force for every following line until it is reset with !* or +* respectively. My +hostname block sat after a !program block that had never been reset, so the router's messages only matched if they also came from that program.

The order of /etc/syslog.conf therefore matters. The layout that works:

1) General logging, with no !program or +hostname spec in force.

2) !program block(s), the last one followed by !* so the program filter does not carry over.

3) +hostname block(s) at the end, or followed by +* if anything else comes after them.

Putting the +hostname section before the !program blocks without a +* reset has the mirror-image problem: every !program block after it would only match messages from that host.
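The following is an added example, not code from the post or from FreeBSD: a POSIX sh model of how syslogd carries !program and +hostname specs forward while reading syslog.conf, run over two constructed configurations, the layout the post first tried and the same rules with explicit !* and +* resets. The hostname "router", the ppp program and the log file paths are constructed for the demo; the reset behaviour is as documented in syslog.conf(5), and the model covers only the basic spec forms.

```shell
#!/bin/sh
# Added example, not code from the post or from FreeBSD: a POSIX sh model of
# how syslogd carries "!program" and "+hostname" specs forward while reading
# syslog.conf.  Per syslog.conf(5) each spec stays in force for every action
# line that follows until it is reset with "!*" (program) or "+*" (hostname),
# and the two are independent, so one action line can be limited by both at
# once.  Only the basic forms are modelled: "!prog", "!*", "+host", "-host",
# "+*", with or without the leading "#" the format allows; "!-prog" and
# comma-separated lists are left out.

# effective_filters < syslog.conf
# Prints one line per action line:  prog=<spec> host=<spec> <selector> <action>
effective_filters() {
    prog='*' host='*'
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#!'*|'#+'*|'#-'*) line=${line#\#} ;;   # "#!prog" is the same as "!prog"
            '#'*|'')           continue ;;          # plain comment or blank line
        esac
        case $line in
            '!'*)      prog=$(printf '%s' "${line#!}" | tr -d ' \t') ;;   # "!*" resets
            '+'*|'-'*) h=$(printf '%s' "$line" | tr -d ' \t')
                       if [ "$h" = '+*' ]; then host='*'; else host=$h; fi ;;
            *)         printf 'prog=%s host=%s %s\n' "$prog" "$host" "$line" ;;
        esac
    done
}

# filters_for_action ACTION < syslog.conf
# Prints "prog=<spec> host=<spec>" for the action line whose target is ACTION.
filters_for_action() {
    effective_filters | awk -v a="$1" '$NF == a { print $1, $2 }'
}

# rule SELECTOR ACTION: emit a "selector<TAB>action" line as syslog.conf expects.
rule() { printf '%s\t%s\n' "$1" "$2"; }

# Constructed sample 1: the layout the post first tried.  The +router section
# follows a !ppp section that was never reset, so its action line inherits the
# program filter and only matches ppp messages from "router".
bad_conf() {
    rule '*.notice;authpriv.none' /var/log/messages
    printf '!ppp\n'
    rule '*.*' /var/log/ppp.log
    printf '+router\n'
    rule '*.*' /var/log/router.log
}

# Constructed sample 2: the same rules with both specs reset explicitly.
# "!*" ends the ppp section before the host section begins, and "+*" ends the
# host section so that anything appended later is not limited to "router".
good_conf() {
    rule '*.notice;authpriv.none' /var/log/messages
    printf '!ppp\n'
    rule '*.*' /var/log/ppp.log
    printf '!*\n'
    printf '+router\n'
    rule '*.*' /var/log/router.log
    printf '+*\n'
}

bad_conf  | filters_for_action /var/log/router.log   # prog=ppp host=+router
good_conf | filters_for_action /var/log/router.log   # prog=* host=+router
```

Pipe a real /etc/syslog.conf into effective_filters to see which program and host filters actually govern each log file; any line showing both prog= and host= set is one that will only receive messages matching both.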

7 comments:

  1. Try using syslog-ng. It's much simpler to configure.

  2. Thanks! :D Very useful. Only problem I had is that I don't seem to be able to get the bitmask format right. I'm using the domain name for now but I'd like to use the ip/bitmask combination as it will continue to work even if my DNS goes down. What format does this take?

  3. Great post. Thanks! :D Only problem I had is that I don't seem to be able to get the bitmask format right. I'm using the domain name for now but I'd like to use the ip/bitmask combination as it will continue to work even if my DNS goes down. What format does this take?

  4. Thanks for the -a tip with the port (i.e.: :*)

    For your info, I put my stuff directly at the end of the syslog.conf file because specifying a +hostname remains until you override it with some other host.

    I just put a !* before to clear out the program problem.

  5. Would you mind posting you working /etc/rc.conf and /etc/syslog.conf?

  6. Never mind, I was able to figure it out. Just used:

    #syslogd_flags="-a 172.16.0.0/24:*"
    syslogd_flags=""

    since the first one wouldn't work.

  7. @Stephen

    I'm using "-a x.y.z.t/32:*", and then have one "-a .." per host I would log from.
