ToyBed's Life~

toybed.egloos.com

Fixing a FreeBSD syslog server problem by ToyBed (토이베드)

I decided to set up a syslog server so that the logs coming in from the Cisco network devices could be collected in one place.

So I set up syslog on a FreeBSD server that has a bit less to do... but it kept not working, so I asked Professor Google, read the manual, and fixed the problem.


The solution found in the FreeBSD questions archive was as follows.

--------------------------------------------------------------------------------

syslog from Cisco -> FreeBSD - SOLVED


Ewald Jenisch a at jenisch.at
Tue Feb 6 15:29:32 UTC 2007

--------------------------------------------------------------------------------


Hi,

First of all thanks much to all who responded so quickly to my
question about setting up syslogging in order to accept messages from
Cisco (remote) boxes.

I could finally get that thing going. Here's what I did - maybe this
is of help to others running into similar problems:

1) In order for syslogd to accept messages from remote machines you've
got to use the "-a"-flag. Here's what I've got in my /etc/rc.conf:

syslogd_flags="-a 192.168.0.0/16:*"

Don't forget the "*" - it makes sure that syslogd accepts UDP packets
from *every* port on the remote machine, not just the
syslog-port. Typically Cisco-boxes seem to have a high-order
source-port in their syslog-messages.

2) /etc/syslog.conf:
Make sure that the "local7"-messages coming from Cisco boxes aren't
logged multiple times. Typically the vanilla /etc/syslog.conf coming
with FreeBSD has the following line in /etc/syslog.conf (near the top
of the file):

*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages

change this to read

*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err       /var/log/messages

This makes sure that any syslog-messages with the local7 facility
don't get written to /var/log/messages.

Get to the end of syslog.conf. Here you'll find something like

!ppp
*.*                                             /var/log/ppp.log

This is the setup for log entries from ppp. You've got to add the
following line:

!*

This resets logging as per man syslog.conf(5): "A program or hostname
specification may be reset by giving the program or hostname as `*'."
Without that line the lines that you add for your Cisco logging at the
end of the file (see below) will only be triggered when coming from
the ppp program which almost never is the case. (You can check this
using the debug-option of syslogd - see below)


3) Add your log-setup for cisco devices at the end of syslog.conf like
so:

local7.*                /var/log/Syslog/cisco-syslog


4) Touch and "chmod 600" the logfile mentioned above

5) Restart syslogd: /etc/rc.d/syslogd restart

Final thoughts & caveats:

1) Use <TAB>s to separate the entries in /etc/syslog.conf

2) Running syslog in debug-mode (i.e. syslogd_flags="-d..." in
/etc/rc.conf) is a very helpful tool in tracking down problems. It
keeps syslogd running in the foreground and logs very helpful
information to the console.

Be aware though, that syslogd in debug-mode is behaving somewhat
differently. It e.g. seems to ignore the "-a ..." flags that are
otherwise necessary in order for syslog to accept messages from remote
machines, i.e. accepting messages from everywhere even without the -a
flag.


Hope this little recipe helps others going...

Thanks again for all your help,
-ewald

--------------------------------------------------------------------------------



Even so, the logs still weren't being written properly, so I looked in the man page...

The -a options are ignored if the -s option is also specified.

Because I was using the -s option together with the -a option, the allowed_peer option was not taking effect.

* Reference (from syslogd(8))
-a: Allow allowed_peer to log to this syslogd using UDP datagrams.
-s: Operate in secure mode
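The three things that went wrong here, the `-s`/`-a` conflict the man page describes and, from the quoted post, local7 being duplicated into /var/log/messages and the Cisco rule landing under the `!ppp` block, can all be caught before restarting syslogd. The Python linter below is an added example, not code from this page or from FreeBSD: it reads `syslogd_flags` out of rc.conf text and the rules out of syslog.conf text and reports those pitfalls. It assumes the IPv4 `allowed_peer` syntax `ipaddr[/masklen][:service]`, skips syslog.conf hostname (`+`/`-`) blocks and `include` lines, and the /24 threshold it uses for "too broad a peer range" is an arbitrary choice; the sample configs are constructed for the example.

```python
"""Lint FreeBSD rc.conf syslogd_flags and syslog.conf for the remote-syslog pitfalls on this
page. Added example, not FreeBSD code. Assumes IPv4 allowed_peer syntax ipaddr[/masklen][:service]."""
import re
import shlex

# Constructed sample inputs (not from a real host): the broken shape beside the corrected one.
RC_CONF_BROKEN = '''
syslogd_enable="YES"
syslogd_flags="-s -a 192.168.0.0/16:*"   # -a does nothing while -s is present
'''
RC_CONF_FIXED = '''
syslogd_enable="YES"
syslogd_flags="-a 192.168.10.1/32:* -a 192.168.10.2/32:*"
'''
SYSLOG_CONF_BROKEN = '''
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
!ppp
*.*	/var/log/ppp.log
local7.*	/var/log/Syslog/cisco-syslog
'''
SYSLOG_CONF_FIXED = '''
*.notice;local7.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
!ppp
*.*	/var/log/ppp.log
!*
local7.*	/var/log/Syslog/cisco-syslog
'''

def syslogd_flags(rc_conf):
    """Last syslogd_flags assignment wins (as in sh); with none, the /etc/defaults/rc.conf "-s" applies."""
    value = "-s"
    for line in rc_conf.splitlines():
        m = re.match(r"^\s*syslogd_flags=(.*)$", line)
        if m:
            value = " ".join(shlex.split(m.group(1), comments=True))
    return value

def check_rc_conf(rc_conf, narrowest_ok=24):
    """Findings for syslogd_flags; narrowest_ok (arbitrary, an assumption) flags broad peer prefixes."""
    flags = shlex.split(syslogd_flags(rc_conf))
    peers = [flags[i + 1] for i, f in enumerate(flags) if f == "-a" and i + 1 < len(flags)]
    findings = []
    if "-s" in flags:
        findings.append("-a is ignored when -s is also specified (syslogd(8)); remove -s" if peers
                        else "-s (the /etc/defaults/rc.conf default): remote messages are dropped")
    for peer in peers:
        addr, _, service = peer.partition(":")    # ipaddr[/masklen][:service]
        _, _, masklen = addr.partition("/")
        if service != "*":
            findings.append(f"{peer}: only source port '{service or 'syslog'}' is accepted; "
                            "use ':*' for devices that send from high ports")
        if masklen and int(masklen) < narrowest_ok:
            findings.append(f"{peer}: broad range; any host in it can write to the log over "
                            "unauthenticated UDP")
    return findings

def parse_syslog_conf(text):
    """Rules as (program, {facility: level}, action); program is None outside a '!prog'
    block and '!*' resets it. Hostname (+/-) blocks and 'include' lines are skipped."""
    rules, program = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#+-" or line.startswith("include"):
            continue
        if line.startswith("!"):
            program = None if line[1:].strip() == "*" else line[1:].strip()
            continue
        parts = line.split(None, 1)               # selector <TAB> action
        if len(parts) != 2:
            continue
        facilities = {}
        for sel in parts[0].split(";"):           # later selectors override earlier ones
            if "." in sel:
                facs, level = sel.rsplit(".", 1)
                for fac in facs.split(","):
                    facilities[fac.strip()] = level.strip()
        rules.append((program, facilities, parts[1].strip()))
    return rules

def check_syslog_conf(text, facility="local7"):
    """Findings for where messages of `facility` (Cisco's default is local7) end up."""
    rules = parse_syslog_conf(text)
    routed = [r for r in rules if r[1].get(facility, "none") != "none"]
    if not routed:
        return [f"no rule names {facility} explicitly"]
    findings = [f"rule for {action} sits under '!{program}'; put '!*' before it"
                for program, _, action in routed if program is not None]
    for program, facs, action in rules:
        if program is None and facility not in facs and facs.get("*", "none") != "none":
            findings.append(f"{action} also receives {facility} via '*.{facs['*']}'; "
                            f"add {facility}.none to that line")
    return findings

if __name__ == "__main__":
    print(check_rc_conf(RC_CONF_BROKEN), check_rc_conf(RC_CONF_FIXED))
    print(check_syslog_conf(SYSLOG_CONF_BROKEN), check_syslog_conf(SYSLOG_CONF_FIXED))
```

Run as is, it prints the findings for the constructed broken and fixed pairs. Two points worth keeping in mind alongside the recipe above: `/etc/defaults/rc.conf` ships `syslogd_flags="-s"`, and an assignment in /etc/rc.conf replaces it, but copying the default and appending `-a` to it leaves `-s` in place and `-a` silently ignored, which is the failure the man page sentence quoted above describes. And a `/16` in `-a` lets any host in that range append to the Cisco log over unauthenticated UDP, so list the device addresses individually (or filter 514/udp in front of the server) rather than trusting a whole site range.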


Anyway, done flailing around...