Syslogd problems

jxhab

Technical User
Jul 17, 2002
6
DK
Hi People,

I am experiencing a weird problem with syslogd on Redhat 7 (Valhalla) ..

In my syslog.conf I have the following:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;local0.none;cron.none;authpriv.none; /var/log/messages
# local0.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* /var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *
*.alert root

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# Firewall on TestNet
<public ip address>.* /var/log/testnet

# Firewall on 2nd NET
<public ip address>.* /var/log/fw2


My problem is that only 1 log is working.. Everything from testnet and 2nd net is being logged in the /var/log/fw2 .. and everything else is being logged in the /var/log/testnet (including infos, crons, auths etc) ..

They are 2 completely different IP nets.. What makes this a bit weird is that it doesn't matter if I have the testnet entry in syslog.conf; after I've configured the firewall to parse everything to the linux box, everything gets parsed to the same log.. If I comment out the "fw2" entry in the syslog.conf, nothing appears in the "testnet" logfile.

Have I missed something?

BR & Happy New Year,

Jens Monrad
 
I might be wrong, so it's ok to question my answer here. But instead of using the IP address, try using a different logging facility.


# Firewall on TestNet
local6.* /var/log/testnet

# Firewall on 2nd NET
local5.* /var/log/fw2

Edit the firewalls to send traps out in localX facility.

THEN most importantly, you have to start syslogd to support network devices also, not just local stuff.
(syslogd -r)

I wrote a FAQ that, if interpreted with firewalls instead of Cisco devices, might work for you. Check it out to see if it helps.

If I'm wrong about the IP address not working, tell me. I'd like to see you get this working just for my own knowledge.
 
Hi,

Thanks for the answer.. Problem is that I cannot edit the facilities, otherwise I would have tried that..

Syslog is with flag -r, because it is working for both of the firewalls.. Meaning I get everything from both firewalls, but it isn't being parsed to the different log files..

I'm gonna try to see if I can be a bit more specific:

pubip-1 parsed to /var/log/fw1
pubip-2 parsed to /var/log/fw2

Problem:

Everything is being parsed to /var/log/fw1 .. Even though pubip-2 belongs on a completely different IP net..

So syslog wise, it doesn't matter if I've stated the pubip-2 entry in syslog.conf. If I comment it out, everything still gets parsed to /var/log/fw1 .. If I comment out pubip-1, nothing gets parsed, which makes it weird since they don't really interact..

I am beginning to suspect that it is a flaw in syslog, and it might be possible to shell script myself out of the problem, but I would like to see if the regular syslogd could solve it for me.

Thanks for the FAQ though I am going to use that in another syslog matter =)

BR,

Jens Monrad

 
I think I got it....

When you use the IP address, syslog uses the first period to declare the machine and the item after the period to declare the logging facility.

When you use
192.168.1.1.* /var/log/stuff

It thinks you want machine 192 with logging facilities
168....1...1...emerg...local7...and so on.

Since your other machine is on a different subnet, I'm betting it still has the same first octet.

Try adding the machines to the host table, then try it again.

zeus.* /var/log/stuff1
orion.* /var/log/stuff2

 
Hiya ..

Hosts didn't work either (tried it already) =)

fw1 is on 130.x.x.x/24
fw2 is on 80.x.x.x/25

Any suggestions? =) .. It is a weird problem..

BR,

Jens



 
I've been reading your conversation with some interest, as I am also trying to configure syslog messages from my Cisco router to my RH 8 box.

From your tutorial I was able to no problem.

One strange thing though, in my /etc/syslog.conf, the last line is:

"local7.* /var/log/bootlog"

So there was already a line logging "User-defined service"/debugging messages to /var/log/bootlog.

So how do I log just messages from the router without them being added to everything else that goes into /var/log/messages?

I also tried adding my router ip/host to /etc/hosts and adding an additional line to log it to /var/cisco.all. It doesn't want to work unless I use "local7". I tried IP also and no go.
 
Well what I did was to state local0.none in the first line of the cfg ..

I've been reading on different solutions, but I found something that might be suitable for me..

Has any one of you worked with Metalog ( .. Looks very interesting, especially because it can regex ..

BR,

Jens
 
paleogryph, change your logging facility on your router to local6. Change your syslog.conf to local6.* /log/cisco.all or wherever it's located at.

That way you won't ruin your previous logging that is currently set up on local7.
 
I don't mean to add to the problem, but I've been working on this as well, and I'm not sure about a few things.

If you want to capture everything from your Cisco device, wouldn't you have to use the local7 facility? Obviously, local7 is used for the bootlog, causing a conflict. (I know, I've tried it. It works as long as you don't mind your boot messages in your Cisco log and vice versa.)

Do you have to use local7 to get debugging level logs? For that matter, how does one collect from multiple devices, if the facilities are the same?
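To make the selector grammar discussed above concrete, here is an added example that is not from Tek-Tips or from any poster in this thread: a small Python model of how sysklogd's cfline() splits a syslog.conf selector, which shows why "192.168.1.1.*" and "zeus.*" are rejected, and how the per-firewall local5/local6 facilities suggested earlier, together with ".none" exclusions, keep firewall messages out of /var/log/messages while local7 stays with boot.log. The facility and priority tables and the sample config are constructed for this example; sysklogd's aliases (warn, error, panic, security) are left out.

```python
# Facility and priority names as sysklogd knows them (aliases omitted).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_line(line):
    """Parse one syslog.conf rule the way sysklogd's cfline() does: selectors
    are ';'-separated and the FIRST '.' in a selector splits the comma-separated
    facility list from the priority, so '192.168.1.1.*' or 'zeus.*' never fits."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    selectors, action = line.split(None, 1)
    rule = {}  # facility -> threshold priority, '*' or 'none'
    for selector in selectors.rstrip(";").split(";"):
        facs, _, prio = selector.partition(".")
        if prio not in PRIORITIES and prio not in ("*", "none"):
            raise ValueError(f"unknown priority name '{prio}'")
        for fac in facs.split(","):
            for name in (FACILITIES if fac == "*" else [fac]):
                if name not in FACILITIES:
                    raise ValueError(f"unknown facility name '{name}'")
                rule[name] = prio  # later selectors override earlier ones
    return rule, action

def rejected(line):
    """syslogd's complaint for a rule it cannot parse, or None if it is fine."""
    try:
        parse_line(line)
    except ValueError as e:
        return str(e)

def load(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def route(rules, facility, priority):
    """Actions that receive (facility, priority); 'info' means info or worse."""
    out = []
    for rule, action in rules:
        threshold = rule.get(facility)
        if threshold in (None, "none"):
            continue
        if threshold == "*" or PRIORITIES.index(priority) <= PRIORITIES.index(threshold):
            out.append(action)
    return out

# Constructed config following the thread's advice: one local facility per
# firewall, kept out of /var/log/messages, with local7 left to boot.log.
CONF = "\n".join(["*.info;local5.none;local6.none /var/log/messages",
                  "local7.* /var/log/boot.log",
                  "local6.* /var/log/testnet", "local5.* /var/log/fw2"])
```

Calling rejected() on the two rejected forms returns the same complaints a real syslogd prints at startup, and route(load(CONF), "local6", "info") yields only /var/log/testnet.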
 