Re: Syslog Suggestion - Help!

2008-11-24 Thread Dan
David Alanis([EMAIL PROTECTED])@2008.11.24 12:05:52 -0600:
> So the big question is, what best method can I employ to stop syslog  
> from duplicating these messages?

IMO the big answer is to dump syslog altogether. It plainly sucks.

Use http://smarden.org/socklog/ or http://untroubled.org/syslogread/
with http://untroubled.org/srlog2/. 

There are other replacements that are better than syslog as well.
Google.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Syslog Suggestion - Help!

2008-11-24 Thread David Alanis

Good Day,

A few days ago, I put FreeBSD on a Netra X1 to serve as our primary
log host for our network devices, primarily to log for our Cisco ASA
firewall.


Once I configured syslog to capture remotely, I realized that syslog  
by default logs local information to /var/log/messages via: *.err  
*.info amongst others, causing duplicate firewall logs in  
/var/log/messages and in /var/log/firewall/logs


My syslog:

http://www.dalan.us/download/log

From what I understand, in syslog.conf I can specify a process id (or
string? e.g. ftpd) and give it an action? Thus, redirect messages
sent to the wrong facility and logged in the proper place, as in my
example given below:


!ftpd
ftpd.err  /var/log/ftp/1.log
ftpd.info /var/log/ftp/2.log

I fired up tcpdump and saw the following:

09:47:28.413584 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 154
09:47:28.413596 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 155
09:47:28.415157 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 134
09:47:28.415166 IP 192.168.1.1.syslog > 192.168.1.42.syslog: SYSLOG local7.info, length: 178


So the big question is, what best method can I employ to stop syslog  
from duplicating these messages?


Can I use SYSLOG as a string?
!SYSLOG
local7.err  /var/log/firewall/log
local7.info /var/log/firewall/1.log

Alternative?
+firewall
local7.err  /var/log/firewall/log
local7.info /var/log/firewall/1.log

Lastly, I quickly reviewed syslog-ng, but I really want to keep this  
as simple as possible so no.


Thanks much for your help!
David
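
Added example, not part of the original thread: a small Python model of a subset of FreeBSD syslog.conf(5) matching (priority selectors, "none", and +hostname blocks) that shows why a local7.info message is written to two files and how a local7.none exclusion plus a host block leaves a single copy. Both config strings are constructed rather than the poster's real file, and the host name "firewall" is assumed to be the name syslogd associates with 192.168.1.1.

```python
# Models a subset of FreeBSD syslog.conf(5): selectors, "none", +host blocks.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed configs for illustration (not the poster's actual syslog.conf).
BEFORE = """\
*.info                  /var/log/messages
local7.*                /var/log/firewall/log
"""
AFTER = """\
*.info;local7.none      /var/log/messages
+firewall
local7.*                /var/log/firewall/log
+*
"""

def selector_matches(selectors, facility, level):
    """Apply ';'-separated selectors in order; the last one naming the facility wins."""
    hit = False
    for sel in selectors.split(";"):
        facs, _, want = sel.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if want == "none":
            hit = False                     # explicit exclusion
        elif want == "*":
            hit = True                      # every priority
        else:
            hit = LEVELS.index(level) <= LEVELS.index(want)  # this level or more severe
    return hit

def destinations(conf, host, facility, level):
    """Return the files a message from `host` would be written to."""
    block_host, out = "*", []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("+"):            # "+name" opens a host block, "+*" resets
            block_host = line[1:]
            continue
        selectors, action = line.split(None, 1)
        if block_host in ("*", host) and selector_matches(selectors, facility, level):
            out.append(action)
    return out

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, destinations(conf, "firewall", "local7", "info"))
```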
