Re: Syslog not logging remote host



web@xxxxxxxxxxxxxx wrote:

At 08:48 PM 4/13/2007, you wrote:
"Janos Dohanics" <web@xxxxxxxxxxxxxx> wrote:

I'm trying to capture logs from m0n0wall, but the log file is empty.

Here is my configuration:

On the logging machine, in /etc/rc.conf:

syslogd_flags="-a 10.61.70.1"

In /etc/syslog.conf:

+10.61.70.1
*.* /var/log/m0n0wall.log

/var/log/m0n0wall.log exists and is writable:

-rw-rw-r-- 1 root network 0 Apr 13 00:32 /var/log/m0n0wall.log

The m0n0wall is configured to send logs to 10.61.70.100, which is the
logging machine.

What am I missing?

Start with tcpdump on the receiving machine:
tcpdump 'port 514'
to see if you're even receiving messages from the monowall machine.

If not, then double-check your config on the monowall machine. If so,
check the receiving machine.

Did you restart syslogd on both systems after making config changes?

My apologies to everyone trying to help me for wasting their time -
10.61.70.100 is happily logging what 10.61.70.1 is sending.

10.61.70.1 is being logged to /var/log/messages (finally occurred to me to
check that).

What I'm wondering now is why 10.61.70.1 is not being logged in
/var/log/m0n0wall.log? Here is my /etc/syslog.conf:

*.err;kern.warning;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
ftp.info /var/log/xferlog
cron.* /var/log/cron
*.=debug /var/log/debug.log
*.emerg *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.* /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.* @loghost
# uncomment these if you're running inn
# news.crit /var/log/news/news.crit
# news.err /var/log/news/news.err
# news.notice /var/log/news/news.notice
!startslip
*.* /var/log/slip.log
!ppp
*.* /var/log/ppp.log
+10.61.70.1
*.* /var/log/m0n0wall.log

From the syslog.conf man page:
"Each block of lines is separated from the previous block by a program or
hostname specification. A block will only log messages corresponding to
the most recent program and hostname specifications given. Thus, with a
block which selects `ppp' as the program, directly followed by a block
that selects messages from the hostname `dialhost', the second block will
only log messages from the ppp(8) program on dialhost."

Which tells me that your config file is only logging data from ppp on
10.61.70.1 to where you want. You should be able to move the
+10.61.70.1 before the other program blocks and it should start
working as you expect. Note, however, that this will break logging
for slip.log and ppp.log unless you put another + line after it.

--
Bill Moran
http://www.potentialtech.com
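
Added example (not part of the original thread and not syslogd's own code): a simplified Python model of the block rule quoted from the man page, showing which program and host filters are in force for each rule in the posted config tail and in a reordered one. The function names are hypothetical, only `!prog` and `+host` lines are modelled, and the `+*` reset line is the form described in syslog.conf(5).

```python
def effective_filters(conf_text):
    """Map each rule to the (program, host) filters in force. Simplified model:
    '!prog' / '+host' persist until replaced, '*' means any."""
    program, host = "*", "*"
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            program = line[1:].strip() or "*"
        elif line.startswith("+"):
            host = line[1:].strip() or "*"
        else:
            parts = line.split(None, 1)
            if len(parts) == 2:
                rules.append((parts[0], parts[1], program, host))
    return rules

def accepts(rules, action, program, host):
    """True if the rule for `action` passes (program, host); selectors not evaluated."""
    for _, act, prog, hst in rules:
        if act == action:
            return prog in ("*", program) and hst in ("*", host)
    return False

# Tail of the syslog.conf posted in the thread.
POSTED = """\
!startslip
*.* /var/log/slip.log
!ppp
*.* /var/log/ppp.log
+10.61.70.1
*.* /var/log/m0n0wall.log
"""

# Host block moved first, then reset with '+*' (reset form per syslog.conf(5)).
REORDERED = """\
+10.61.70.1
*.* /var/log/m0n0wall.log
+*
!startslip
*.* /var/log/slip.log
!ppp
*.* /var/log/ppp.log
"""

for name, conf in (("posted", POSTED), ("reordered", REORDERED)):
    for sel, act, prog, hst in effective_filters(conf):
        print(f"{name:9} {act:24} program={prog:10} host={hst}")
```

In the posted layout the m0n0wall.log rule carries program=ppp and host=10.61.70.1, so only ppp messages from that host reach it; in the reordered layout it carries program=* and the slip and ppp rules keep host=*.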