Syslogd not logging data from remote machines
Micah Bushouse
bushous2 at msu.edu
Wed May 5 10:34:48 PDT 2004
Dear List,
FreeBSD alumi.bushouse.net 4.10-PRERELEASE FreeBSD 4.10-PRERELEASE #0:
Mon Apr 26 08:34:37 EDT 2004
micah at alumi.bushouse.net:/usr/obj/usr/src/sys/APRIL i386
I'm trying to get syslogd on the FBSD system above to log events from my
Watchguard SOHO firewall/router. On this particular network packets
flow from the internet through the SOHO to get to the FBSD machine. The
SOHO is configured to log correctly to the FBSD machine... Also, I poked
a hole (UDP/514) in IPFilter, and both TCPDump and Ethereal (both
running on the FBSD machine) pick up the syslog traffic coming in from
the SOHO.
192.168.111.1 is the router, 192.168.111.9 is the FBSD machine.
Here is the command I'm using to run syslogd:
> ps -waux | grep syslogd
root 8284 0.0 0.1 996 684 ?? Is 12:15PM 0:00.01
/usr/sbin/syslogd -a 192.168.111.1 -n
Using Ethereal, I sniffed the traffic that the SOHO is sending to the
FBSD system. Lots of UDP/514 packets flowed in, and all were a
variation on the packet excerpt below (the stuff after LOCAL0.INFO was
obviously different and depended on the information the router was
trying to log):
Syslog message: LOCAL0.INFO: MONITOR: Administrator Access...
1000 0... = Facility: LOCAL0 - reserved for local use (16)
.... .110 = Level: INFO - informational (6)
Message: MONITOR: Administrator access allowed from 192.168.111.9
I kept the default /etc/syslog.conf file, except for one added line:
local0.* /var/log/router.log
Here's what the router.log file looks like:
> ls -l /var/log/router.log
-rw-r--r-- 1 root wheel 0 May 4 22:02 /var/log/router.log
There still is no data being written to this file, even though I'm
sitting here watching TCPDump print out packet after packet of UDP/514
data from the SOHO. What am I doing wrong?
~Micah
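As an added example (not part of the original post), here is a small Python model of the three pieces involved in the question: decoding the PRI prefix of a raw UDP/514 datagram the way Ethereal did above, matching the result against a syslog.conf selector such as local0.*, and checking the sender against a syslogd -a allow list. The selector and allow-list logic is a simplified model of BSD syslogd behaviour written for illustration, not syslogd's own code, and the sample datagram is constructed to match the capture in the post.

```python
import ipaddress
import re

# Facility codes 0-23 (names as used by BSD syslog; 16-23 are local0-local7).
_FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
               "cron", "authpriv", "ftp", "ntp", "security", "console", "clock"]
_FACILITIES += [f"local{i}" for i in range(8)]
# Severity codes 0-7; a lower number is more severe (info = 6).
_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed datagram matching the capture in the post: PRI 134 = 16 * 8 + 6 = local0.info
SAMPLE = b"<134>MONITOR: Administrator access allowed from 192.168.111.9"


def decode_pri(datagram: bytes):
    """Split the <PRI> prefix of a raw UDP/514 datagram into (facility, severity, text)."""
    m = re.match(rb"<(\d{1,3})>", datagram)
    if not m:
        raise ValueError("datagram has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)  # upper bits = facility, low 3 bits = level
    return _FACILITIES[facility], _SEVERITIES[severity], datagram[m.end():].decode("ascii", "replace")


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Model the basic syslog.conf selector forms: 'fac.level', 'fac1,fac2.level',
    '*.level', 'fac.*', 'fac.none'. A plain level means that priority and anything
    more severe (BSD semantics); the '=level' and '!level' forms are not modelled."""
    fac_part, level_part = selector.split(".", 1)
    facilities = fac_part.split(",")
    if "*" not in facilities and facility not in facilities:
        return False
    if level_part == "*":
        return True
    if level_part == "none":
        return False
    return _SEVERITIES.index(severity) <= _SEVERITIES.index(level_part)


def peer_allowed(sender: str, allowed_peers) -> bool:
    """Model syslogd -a: accept a datagram only if its source address is listed.
    Handles the ip[/masklen] form; hostname and :service forms are not modelled."""
    ip = ipaddress.ip_address(sender)
    return any(ip in ipaddress.ip_network(peer, strict=False) for peer in allowed_peers)


if __name__ == "__main__":
    fac, sev, text = decode_pri(SAMPLE)
    print(f"{fac}.{sev}: {text}")
    print("local0.* matches:", selector_matches("local0.*", fac, sev))
    print("192.168.111.1 allowed:", peer_allowed("192.168.111.1", ["192.168.111.1"]))
```

Feeding the decoder a datagram taken from the tcpdump or Ethereal capture shows at a glance whether the facility.level the router actually sends is the one the syslog.conf line selects.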