SUMMARY: Syslog

From: Mike DeMarco (mdemarco@mail.intracorp.com)
Date: Wed Nov 15 2000 - 08:53:30 CST


Thank you for the quick responses!

        I was able to configure syslog.conf to send local4.<level> to
        /var/netlogs/ and, more importantly, use local4.none to stop the
        router logs from going to /var/adm/messages. Works just as I needed!
        
        Thank You.
        
The answers were as follows:

Andrew Diederich <andrew@NETdelivery.com>
-----------------------------------------
Unfortunately there is not a filter option for /etc/syslog.conf to filter by
machine name. You'd have to create a named pipe to do the filtering, and
specify that named pipe as the "file" in /etc/syslog.conf, and allow the
named pipe to push stuff to /var/adm/messages or /var/netlog/messages.

bergman@panix.com
-----------------
Well, you could replace /var/adm/messages with a named pipe, attach the stdin
of a script to that pipe, and have the script redirect messages as you choose.

Another alternative would be to use something that scans log files (swatch
would probably be the best choice) and use that to split /var/adm/messages into
multiple files. This would leave /var/adm/messages unchanged.

Can you tell the network equipment to use a particular syslog facility, like
LOCAL5, and then just direct all LOCAL5 messages to /var/netlog/messages via
your syslogd.conf file?

Steve Hastings <SteveH@corbis.com>
----------------------------------
I have done this with a Cisco localdirector, the steps are this:

I assume because you are getting logging on the Sun box that some of the
config on the router is correct. You will need to edit /etc/syslog.conf to
have something like the following. I created seven files in a directory
called localdirector, to keep the messages separate. Make sure and HUP the
syslogd daemon after editing.

local7.emerg	/var/log/localdirector/ld_dev_0_emerg
local7.alert	/var/log/localdirector/ld_dev_1_alert
local7.crit	/var/log/localdirector/ld_dev_2_crit
local7.err	/var/log/localdirector/ld_dev_3_err
local7.warning	/var/log/localdirector/ld_dev_4_warning
local7.notice	/var/log/localdirector/ld_dev_5_notice
local7.info	/var/log/localdirector/ld_dev_6_info
local7.debug	/var/log/localdirector/ld_dev_7_debug

What you're looking at is that I am using the logging facility local7 or in
Cisco terms 23.
Then each local7. entry is followed by the level of logging to be written to
the path to the right. As an example local7.alert sends alert level
messages or level 1 messages to the path on my Sun server
/var/log/localdirector/ld_dev_1_alert. I initially set up all eight levels
of messages because I wanted to better understand what was at each level.

One of those things not well written was that there are eight logging
facilities local0-7 or 16-23 in Cisco syslog output terms, and eight levels
of messages.

The default for Cisco was a syslog output of 20.3 or local4 level 3 or
emerg, alert, crit errors being logged.

1. edit /etc/syslog.conf
2. # ps -ef |grep sys
    root 199 1 0 08:10:21 ? 0:00 /usr/sbin/syslogd
    root 1020 371 0 14:00:18 pts/3 0:00 grep sys
   # kill -HUP 199

3. However, on your router set the logging output to match that of what you
added to syslog.conf.

local7.emerg....This is Cisco lingo. Those are tabs between the columns and
I believe that's important. Sticks in my head.

Best of luck, hope this helps.

Rick von Richter <rickv@mwh.com>
--------------------------------
You must specify a different syslog facility on the routers. I.e. have the
routers send their syslog info to one of the LOCALx facilities of syslog.
Then you can redirect those facilities to different log hosts. Syslog
doesn't know about different INCOMING machines so it can't route. I.e. If
two hosts are using the LOCAL0 facility then there is no way for native
syslog to parse that and send it to different locations. You might be able
to write a script to go thru the syslog files and based on the host field
of each entry move the logs somewhere else but, what a pain. The easiest
way is to make the routers use different facilities if you are going to use
one loghost.

Alan Orndorff <dwarf@solarisresources.com>
------------------------------------------
Go to www.google.com and search on syslog-ng,
the first hit is the home page.
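
The per-host split that several replies above describe (a script that reads the log stream, for example from a named pipe, and files each line by its host field), as an added example that is not part of the original thread. The device names in NET_HOSTS and the sample lines are constructed; the two paths are the ones mentioned in the replies.

```python
import re
from collections import defaultdict

# Destinations taken from the paths discussed in the thread.
DEFAULT_LOG = "/var/adm/messages"
NET_LOG = "/var/netlog/messages"

# Hypothetical device names; replace with the names your syslogd records.
NET_HOSTS = {"router1", "ld-dev"}

# Classic syslog file line: "Mmm dd hh:mm:ss host message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

def host_of(line):
    """Return the lower-cased short host name, or None if the line does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # Strip any domain part so "router1.example.com" matches "router1".
    return m.group("host").split(".")[0].lower()

def route(line, net_hosts=NET_HOSTS):
    """Pick the destination file; unparseable lines stay in the default log."""
    return NET_LOG if host_of(line) in net_hosts else DEFAULT_LOG

def split_stream(lines, net_hosts=NET_HOSTS):
    """Group lines by destination path, keeping every line and its order."""
    out = defaultdict(list)
    for line in lines:
        out[route(line, net_hosts)].append(line)
    return dict(out)

# Constructed sample input (not from the thread).
SAMPLE = [
    "Nov 15 08:50:01 sunbox sendmail[412]: unable to qualify my own domain name\n",
    "Nov 15 08:50:07 router1 82: %LINK-3-UPDOWN: Interface Serial0, changed state to down\n",
    "Nov  5 08:51:12 LD-DEV.example.com 14: %SYS-5-CONFIG_I: Configured from console\n",
    "garbled line without a timestamp\n",
]

if __name__ == "__main__":
    for path, lines in split_stream(SAMPLE).items():
        print(path, len(lines))
```

UDP syslog is unauthenticated, so treat the host field as a routing hint and not as proof of which device sent the message.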




This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:23 CDT