On Thu, 31 Jan 2002 18:46:22 +0000 bascule <[EMAIL PROTECTED]> wrote:

> so, looking at this example and reading 'man 3 syslog' which tells me:
>  facility
>        The  facility  argument  is used to specify what type of program
>        is logging the message.  This lets the configuration file specify
>        that messages from different facilities will be handled differently.
> ---snip---
>  LOG_KERN
>               kernel messages
> 
>        LOG_LOCAL0 through LOG_LOCAL7
>               reserved for local use
> 
> it would appear that 'local' is sort of like a reference number or a tag
> that can be defined by me and that i can use up to 8 different ones?

Yes...  *BUT*...  the reporting device must be configured to log with this
facility...  Jose reposted some of my earlier comments which should
help...

Think of it this way (all from memory :^):

1. loggable event occurs
 
2. event log entry gets sent to logging host (may be same) with:
   facility:  (kinda like a port number)
              auth, authpriv, cron, daemon, kern, lpr, mail,
              news, syslog,  user,  uucp
              local0-local7
   priority:  debug, info, notice, warning, err, crit, alert, emerg
   message:  some string

3. logging host determines which (if any) log file(s) to post the message to

4. it gets logged...  with the logging host's date, time, etc.  If the
reporting host wants to log the time, it must include it in the text of the
message.

> the question remains, the man pages don't give an example of how to use
> 'local' in /etc/syslog.conf to set the facility for a host, and if i do
> does this mean that all messages from say, my ftp box will lose their
> identity as 'ftp' or 'kernel' messages and now be simply 'localN'
> messages?

That's a choice...  see below where I'll try to dissect my syslog.conf for
you...

> i'm trying to sound as though i know what i'm talking about but i
> suspect i'm still off track:-)

Just need to tuck the real wheel in a tad... :^)

> bascule
> 
> On Monday 28 January 2002 6:04 pm, you wrote:
> >ll)
> > logging facility local6 <-- sets facility
> > logging 192.168.1.123   <-- logs to host 192.168.1.123
> >
> > Then, in your syslog host:
> >
> > /etc/syslog.conf:
> > # Cisco logging
> > local6.*      /var/log/cisco  <-- I use /home/logs/RouterLog
> >                                   to avoid filling /var
> >
> > Forgot to mention that the above log file must exist before restarting
> > the daemon; can be created with:  touch /var/log/cisco (assuming
> > that's the name you used in syslog.conf...
> >
> > Note:  localN in cisco must match localN in syslog.conf

Here we go...  (compare this with your own /etc/syslog.conf)

# Various entry
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none;local5.none;local6.none -/var/log/syslog
                      ^^^^^^^^^^^^^^^^^^^^^^^^
## Added to disable router logging from also going into syslog
user.* -/var/log/user.log

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;local5.none;local6.none -/var/log/messages
                                         ^^^^^^^^^^^^^^^^^^^^^^^
## Added to disable router logging from also going into messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Mail logging
mail.=debug;mail.=info;mail.=notice -/var/log/mail/info
mail.=warn -/var/log/mail/warnings
mail.err -/var/log/mail/errors
##  Here mail.{debug,info,notice} go into "info"
##       mail.warn only go into "warnings"
##       mail.err and higher (no "=") go into "errors"

[snip]

# Everybody gets emergency messages
*.emerg *
## This sends emergency messages to all logs

# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit -/var/log/spooler
## Starting to make sense...?  :^)

# Save boot messages also to boot.log
local7.* -/var/log/boot.log
# added by sympa-3.2.1 rpm Mon Oct 1 15:47:37 EDT 2001
local0.* /var/log/sympa
# Mandrake-Security : if you remove this comment, remove the next line too.
*.* /dev/tty12
## This is how all those messages get to the virtual console at 
## Ctrl+Alt+F12...

# Cisco (fw) logging
local6.*  /home/logs/RouterLog
## I send all my Cisco logs to one file
## This requires that all Cisco boxes be configured as indicated in the
## message that Jose posted.

# LinkSys (r41) logging
local5.*  /home/logs/LinkSys
## and all my LinkSys logs to its own file...
## of course, LinkSys doesn't have a way to select which localN
## to use; so I had to sniff the wire...

I hope that now, my web page makes more sense...  

HTH,
Pierre
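
The selector rules dissected in the message above, as an added example that is not part of the original post: a simplified model of sysklogd-style selector matching that shows which files a given facility/priority pair lands in. The function names and the `RULES` list are constructed for illustration, and only `*`, `none`, `=` and bare priorities are modelled (not `!`).

```python
# Added example (not from the original post): simplified sysklogd selector model.
FAC = {n: i for i, n in enumerate(
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp"])}
FAC.update({f"local{i}": 16 + i for i in range(8)})
SEV = {n: i for i, n in enumerate(
    ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"])}
SEV.update(warn=4, error=3, panic=0)  # legacy aliases


def pri(facility, severity):
    """PRI value carried in the <...> prefix: facility * 8 + severity."""
    return FAC[facility] * 8 + SEV[severity]


def compile_selector(selector):
    """Return {facility_code: severity bitmask}, applying parts left to right."""
    masks = {}
    for part in filter(None, selector.split(";")):  # this model skips empty parts
        facs, level = part.rsplit(".", 1)
        codes = FAC.values() if facs == "*" else [FAC[f] for f in facs.split(",")]
        for code in codes:
            if level == "none":          # exclude these facilities entirely
                masks[code] = 0
            elif level == "*":           # every severity
                masks[code] = 0xFF
            elif level.startswith("="):  # exactly this severity
                masks[code] = masks.get(code, 0) | 1 << SEV[level[1:]]
            else:                        # this severity and anything more urgent
                masks[code] = masks.get(code, 0) | (2 << SEV[level]) - 1
    return masks


def destinations(rules, pri_value):
    """List the actions whose selector accepts a message with this PRI."""
    fac, sev = divmod(pri_value, 8)
    return [action for selector, action in rules
            if compile_selector(selector).get(fac, 0) >> sev & 1]


# Constructed rule set mirroring selectors quoted in the message above.
RULES = [
    ("*.*;auth,authpriv.none;local5.none;local6.none", "/var/log/syslog"),
    ("mail.=debug;mail.=info;mail.=notice", "/var/log/mail/info"),
    ("mail.err", "/var/log/mail/errors"),
    ("local6.*", "/home/logs/RouterLog"),
]

print(pri("local6", "info"), destinations(RULES, pri("local6", "info")))
```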
