Syslog.conf woes

Similar Messages

• Configuration issue of syslog.conf

  Dear All,
  My client is facing a configuration issue of syslog.conf.
  They have set a cacti on a Linux server for monitoring of all servers snmp & syslog.
  The part of snmp has set up successfully but cannot send the syslog to the cacti.
  My client want the syslog can keep on the localhost and send to cacti for monitoring
  we have tried to do the following things for make it work:
  Insert the information (*.* @10.251.99.74) in /etc/syslog.conf
  Restart service of system-log
  Deleted all word of loghost in the /etc/hosts file
  But still not work. Anyone can give me suggestion or idea about this?

  Thank you for your reply.
  It is tab. But I think the problem is solaris cannot use *.* to represent all logs.
  I have used the following is work
  *.err;ker.debug;daemon.notice;mail.crit @10.251.99.74
  If that is not the mail reason, please put me right.

• Missing syslog.conf file in /etc folder!

  How do I create a syslog.conf file that I need in the /etc folder to resolve an isssue with DoorStop?

  /etc/syslog.conf already exists - you just need to edit it to your needs.
  The issue, of course, is that only root can edit this file. Your best bet is to run your favorite text editor using sudo in Terminal.app, e.g.:
  sudo vi /etc/syslog.conf

• Deleted syslog.conf file

  Hello. I was trying to configure proftpd and intended to delete proftpd.conf, but instead I deleted syslog.conf. I am using the following version of Mac OS X:
  System Version: Mac OS X 10.4.10 (8R2232)
  Kernel Version: Darwin 8.10.1
  Could somebody with a similar configuration please post the contents of their syslog.conf file so that I can re-create the file on my system without having to re-install the OS?

  /etc/syslog.conf already exists - you just need to edit it to your needs.
  The issue, of course, is that only root can edit this file. Your best bet is to run your favorite text editor using sudo in Terminal.app, e.g.:
  sudo vi /etc/syslog.conf

• Cisco Prime Soft Appliance not saving changes to syslog.conf

  Greetings,
  I'm having an issue with the syslog.conf file on a Cisco Prime LMS 4.2.4 soft appliance with a Solaris base.  My workplace uses local4 as the logging facility for its network devices, and according to a discussion I found on this site, I need to add the line:
  local4.info  /var/log/syslog_info
  I have attempted this several times; we're approaching at least 5 attempts today.  I have attached text files created from putty logs where I've attempted to make the necessary change.  I appreciate any assistance the community can provide.
  Regards,
  Rob

  Hi, Afroz,
  I really appreciate your assistance, but I'm afraid my hopes have been dashed.  The syslog.conf reverted to its original configuration.  I will go through my steps to be sure that I understood your suggestion properly.
  I edited the syslog.conf to put all messages from local4 in /opt/CSCOpx/conf/syslog-entries.txt.  Then, I exited the shell to the console, issued the 'write mem' command, and closed the session.  Upon my reconnection, I found that my changes to the syslog.conf were not saved.
  Did I make the correct edits in the correct places?  Another question, is this bug present in the versions of Prime LMS running Linux and/or Windows, or does it only exist in the soft appliance running Solaris?
  Regards,
  Rob
  Edit:
  I'm reading the "Installation and Migration of Cisco Prime" PDF, and it gives me the impression that Cisco Prime is only supported as Windows, Solaris, and soft appliance installations.  Is that correct?  If it is correct, then installation of Cisco Prime LMS is not supported on other Linux distros such as Ubuntu Server, CentOS, Fedora, etc.?
  My thanks.

• Syslog.conf settings

  I'm seeing tons of syslog in in var/log/messages. when I look at the logs they are mostly duplicate of what I see in the syslog_info file. Due to this my var/log is filling up so fast. Do I need to update my syslog.conf file, what is the recommended settings for prime LMS 4.2 ?
  -rw------- 1 root  root    808570913 Dec 16 04:05 messages.1
  -rw-rw-r-- 1 root  sys   14259416649 Dec 17 08:59 syslog_info
  -rw------- 1 root  root    201355173 Dec 17 08:59 messages
  Here is my current syslog.conf file
  local6.info                                                                     /var/log/ade/ADE.log
  *.info;mail.none;news.none;authpriv.none;cron.none;local0.none;local1.none      /var/log/messages
  authpriv.*                                                                      /var/log/secure
  mail.*                                                                          -/var/log/maillog
  cron.*                                                                          /var/log/cron
  *.emerg                                                                         *
  uucp,news.crit                                                                  /var/log/spooler
  local7.*                                                                        /var/log/boot.log
  #Application LMS Generated config
  #BEGIN CSCOmd - DO NOT EDIT THESE COMMENTS OR CONTENTS CONTAINED WITHIN - local0 1
  local0.emerg;local0.alert;local0.crit;local0.err;local0.warning;local0.notice;local0.info;local0.debug  /var/adm/CSCOpx/log/dmgtd.lo
  g
  #END CSCOmd DO NOT EDIT BEFORE THIS LINE  1
  local7.info  /var/log/syslog_info

  Usually we dont recommend to change anything on syslog.conf. Syslog_info is the file where all the syslogs coming from network pointed to LMS server is written.
  Usually they should be controlled at the device level by checking the logging level of devices.
  Mostly ASA/FW's send excessively huge amount of syslogs to LMS server which should be controlled. Also, you can check the logrot utility to control the syslog_info log size to keep in check. Logrot is an Log file rotation utilit in LMS.
  Log files can expand and fill up disk space. Log files rotation helps you manage the log files more efficiently. See
  Maintaining Log Files  for an overview of maintaining the log files in LMS Server.
  For more details on logrot check userguide :
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/server.html#wp1055307
  -Thanks

• Ifdef statement in syslog.conf

  Hello,
  what means the following lines in syslog.conf:
  auth.notice               
  ifdef(`LOGHOST', /var/log/authlog, @loghost)
  ifdef(`LOGHOST', ,
  user.err                                        /dev/sysmsg
  user.err                                        /var/adm/messages
  user.alert                                      `root, operator'
  user.emerg                                      *
  How to configure syslog to send messages to both local file and loghost server.
  Thanks and regards,
  Piotr

  Hi,
  syslog.conf is processed by m4(1) before it is used. Please see syslog.conf(4):
  The file /etc/syslog.conf contains information used  by  the
  system  log daemon, syslogd(1M), to forward a system message
  to appropriate log files and/or users. syslogd  preprocesses
  this  file  through  m4(1) to obtain the correct information
  for certain log files, defining LOGHOST if  the  address  of
  "loghost"  is  the  same as one of the addresses of the host
  that is running syslogd.
  Taking the first statement: If you want to log auth.notice to both /var/log/authlog and to a remote loghost
  you may want to change the line into something like:
  auth.notice                         /var/log/authlog
  auth.notice                         @loghost
  Make sure not to create forwarding loops that way.
  Regards,
    Ronald

• Can't get syslog to work

  I have been trying to get syslog to work to accept logging from my router (which is directed to syslog to the IP address of my primary Mac), but with no success.
  I've gone through Aaron Adams' procedures:
  http://www.aaronadams.net/index.php/2005/06/02/configuringsyslogd_to_accept_logsfrom
  I've edited my /etc/syslog.conf file:
  .err;kern.;auth.notice;authpriv,remoteauth,install.none;mail.crit /dev/console
  *.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.criti /var/log/system.log
  # COMMENT this out for now to see any local4 messages on system log?
  # ;local4.none
  # Send messages normally sent to the console also to the serial port.
  # To stop messages from being sent out the serial port, comment out this line.
  #.err;kern.;auth.notice;authpriv,remoteauth.none;mail.crit /dev/tty.serial
  # The authpriv log file should be restricted access; these
  # messages shouldn't go to terminals or publically-readable
  # files.
  authpriv.*;remoteauth.crit /var/log/secure.log
  lpr.info /var/log/lpr.log
  mail.* /var/log/mail.log
  ftp.* /var/log/ftp.log
  netinfo.err /var/log/netinfo.log
  install.* /var/log/install.log
  install.* @127.0.0.1:32376
  local0.* /var/log/ipfw.log
  *.emerg *
  local0.* /var/log/Airport.log
  local4.* /var/log/local4.log
  # DEBUG: what happens on the other local facilities?
  local1.* /var/log/local1.log
  local2.* /var/log/local2.log
  local3.* /var/log/local3.log
  local5.* /var/log/local5.log
  local6.* /var/log/local6.log
  local7.* /var/log/local7.log
  I've re-loaded /System/Library/LaunchDaemons/com.apple.syslogd.plist, and edited /etc/daily.local, and those mechanisms are working, but always local4.log is an empty file. Empty log files exist in /var/log:
  $ ls -al /var/log | grep "local"
  -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local1.log
  -rw-r--r-- 1 root wheel 41975 Mar 16 16:38 local2.log
  -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local3.log
  -rw-r--r-- 1 root wheel 0 Mar 20 03:15 local4.log
  -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local5.log
  -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local6.log
  -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local7.log
  netstat shows two syslog connections:
  $netstat -f inet -a | grep "syslog"
  udp4 0 0 *.syslog .
  udp46 0 0 *.syslog .
  But a port scan (Apple network Utility) from another LAN computer doesn't show port 514 open. I am not running Apple's software firewall.
  It seems to me that without port 514 open, I'll never get anything, but how do I open it. I had assumed that all of the syslog set-up gyrations would cause it to be open.
  Any ideas?
  G4 "Gigabit" Dual-500   Mac OS X (10.4.8)   1.5GB RAM, 1TB internal, SCSI, 802.11g, USB2.0

  Your question about local4 got me to dig further into a few things.
  Aaron Adams has a couple of good posts on how to set up the syslog.conf and daily actions:
  http://www.aaronadams.net/index.php/2005/06/02/configuringsyslogd_to_accept_logsfrom
  But the following article is what got me on the local4 bandwagon (I don't know why it assumes local4 would be used):
  http://www.macosxhints.com/article.php?story=20060327074531639
  As we now know nothing happens on local4 unless it is specifically set up to do so. The following article has the best big-picture summary and references on how to handle logs from different sources (i.e., setting up syslog to redirect messages from the IP address of my router to a special log:
  http://macosx.com/forums/howto-faqs/47791-howto-syslog-remote-events-etc.html
  Anyway, to make a long story short, the router IS actually sending to syslog (I was expecting messages in local4 and never saw anything in syslog because it only shows *.notice and above, and the router mainly spews out *.info. It took a bunch of playing with tcpdump to figure it out (I can't seem to get tcpflow to show UDP, even though the man page says it uses the same library and expresions as tcpdump). So everything is good now, messages are coming in to a special log and overwhelming syslog, logs get rotated properly overnight, with some filtering I get the distilled info I want, and via GeekTool even see it on my desktop in real-time. Thanks for your help!

• Directing syslog messages to a particular file in console

  Hi Guys,
  I have successfully been able to direct my Airport Extreme Syslog files to my macmini which is acting as a syslog server.
  I uncommented the networking listening section of the /System/Library/LaunchDaemons/com.apple.syslogd.plist in order to achieve the above.
  I am having trouble however directing the feed to a file specific to the airport extreme in the console.
  I have created a file using:
  sudo touch /private/var/log/AirportRouter.log (and it successfully appears in the console)
  I added the line
  local0.* /private/var/log/AirportRouter.log
  to the com.apple.syslogd.plist and restarted the computer but it does not receive the log data from the airport extreme.
  The airport extreme syslog info simply appears in the 'All Messages" part of the console.
  Any ideas on what I have done wrong?
  Thanks in advance!

  Hi M,
  You should manage these log settings editing /private/etc/syslog.conf and asl.conf
  Backup original files before changes.
  Read the related manual pages and UNIX logger related articles in order to know better how these settings will produce expected reports.
  Remember that log messages are produced by the process to the logger, and settings in those files are about how to handle received messages. Some "applications" accept setting for log level they should produce to logger.
  I like this article http://www.softpanorama.org/Logs/syslog.shtml and you can search this site for Syslog Configuration and reach other top two related articles. This should give you a good handle.
  Do not forget asl.conf.
  And for the record, test settings for local0 to local7.
  Good luck.

• Problem with Syslog in Solaris 10

  I have 2 hosts (both are actually Solaris 10 Zones). One has no issues with syslog and the other won't send its messages to our loghost. Both have the same /etc/syslog.conf files, /etc/resolv.conf and /etc/nsswitch.conf files. The one works and the other just says in the /var/adm/messages files :
  May 3 11:16:42 svanyc128 syslogd: line 22: WARNING: loghost could not be resolved
  May 3 11:16:42 svanyc128 syslogd: line 23: WARNING: loghost could not be resolved
  May 3 11:16:42 svanyc128 syslogd: line 28: WARNING: loghost could not be resolved
  May 3 11:16:42 svanyc128 syslogd: line 29: WARNING: loghost could not be resolved
  May 3 11:16:42 svanyc128 syslogd: line 30: WARNING: loghost could not be resolved
  May 3 11:16:42 svanyc128 syslogd: line 31: WARNING: loghost could not be resolved
  May 3 11:16:42 svanyc128 syslogd: line 32: WARNING: loghost could not be resolved
  May 3 11:16:42 svanyc128 syslogd: line 33: WARNING: loghost could not be resolved
  May 3 11:16:42 svanyc128 syslogd: line 34: WARNING: loghost could not be resolved
  May 3 11:16:42 svanyc128 syslogd: line 35: WARNING: loghost could not be resolved
  May 3 11:16:42 svanyc128 syslogd: line 36: WARNING: loghost could not be resolved
  May 3 11:16:42 svanyc128 syslogd: line 37: WARNING: loghost could not be resolved
  May 3 11:16:42 svanyc128 syslogd: line 38: WARNING: loghost could not be resolved
  May 3 11:16:42 svanyc128 syslogd: line 39: WARNING: loghost could not be resolved
  I can resolve the name loghost though with ping and nslookup and they're going to the correct IP. Does anyone have any other idea why these hosts don't behave the same?

  Ah, one of the guys I work with figured it out. /etc/services file was messed up. It's working now. :)

• PIX logging to syslog on Mac OS X leopard Client - how to make it work?

  We just cant seem to make the log entires show up in the syslog or router.log!!!
  We have enabled remote logging on the PIX firewall.
  On Leopard, we have enabled Stealth Mode. So we get the following message:
  +Stealth Mode connection attempt to UDP 192.168.1.22:514 from 192.168.1.11:514+
  Which means the Mac (w/leopard 10.5.1) is getting the logging messages. This was separately confirmed with tcpdump too. We think it is either:
  a) syslogd config. issue (where UDP/514 messages are not accepted)
  b) Or it is a leopard firewall issue. We have set the Firewall to All all incoming connections. But that didnt help.
  So we think it is a syslogd issue. So we modified the /System/Library/LaunchDaemons/com.apple.syslogd.plist.
  Tried the following:
  1. -n -a srchost_ip/32 - +to limit entires from one specific host+
  2. -udp_in 1 - +saw this in specific version of the syslogd man page+
  Also added entries via ipfw.
  00100 allow udp from 192.168.1.22 to any dst-port 514
  33300 deny icmp from any to me in icmptypes 8
  65535 allow ip from any to any
  We also modified the syslog.conf. And tested entries using logger. That worked.
  But we simply haven't been able to log messages from another box/device (cisco pix firewall in this case).
  What are we doing wrong? Can anyone help?
  Thanks!
  --sp
  Message was edited by: sp2007

  I just noticed some of my messages from a remote device are showing up in ipfw.log - not as stealth notifications or any other type of error message, mind you, but the actual full syslog message just as I would expect. No matter what I do to /etc/syslog.conf, remote message show up there.

• Directing syslog messages to a particular file

  Hi Guys,
  I have successfully been able to direct my Airport Extreme Syslog files to my macmini which is acting as a syslog server.
  I uncommented the networking listening section of the /System/Library/LaunchDaemons/com.apple.syslogd.plist in order to achieve the above.
  I am having trouble however directing the feed to a file specific to the airport extreme in the console.
  I have created a file using:
  sudo touch /private/var/log/AirportRouter.log (and it successfully appears in the console)
  I added the line
  local0.* /private/var/log/AirportRouter.log
  to the com.apple.syslogd.plist and restarted the computer but it does not receive the log data from the airport extreme.
  The airport extreme syslog info simply appears in the 'All Messages" part of the console.
  Any ideas on what I have done wrong?
  Thanks in advance!

  Try adding your line to the /etc/syslog.conf file instead.
  Message was edited by: mabaeyens

• Ipfw, iTunes and syslog

  Hi,
  I've added my own ipfw rules, but now I can't get Apple Remote (from iPhone) to work. It reports that it cannot connect because there are some firewall rules (sic!).
  I've enabled iTunes'es listening port (3869), allowed anything to 244.0.0.0/4 to go in, and allowed traffic going to 255.255.255.255:9. Unfortunately, still nothing...
  Also, I can't get ipfw to log into /var/log/ipfw.log. I've tried:
  ipfw.* /var/log/ipfw.log
  in /etc/syslog.conf, but it doesn't work.
  Any hints?

  Tim Haigh wrote:
  Did remote login work prior to setting up IPFW rules?
  It is not Apple Remote Login, I'm talking about Apple Remote (you know, that useful app for iPhone/iPod, which lets you control iTunes on your laptop).
  ipfw.* /var/log/ipfw.log
  It does not follow the correct synstax "ipfw.*" is not a command.
  It does. As I stated in my email, it is a line from /etc/syslog.conf, not a command line for the Terminal.
  If you want to look at your IPFW logs use the command
  tail -f /var/log/ipfw.log
  It always shows an empty file.
  It would be a good idea you use an application such as water roof to configure the IPFW firewall.
  Tried, there is no button/option which says - enable iTunes Remote :/
  Cheers,
  Nikola

• LMS 4.2 not processing syslog messages

  I have a new install of LMS 4.2 on a virtual appliance.  No syslog messages are getting into LMS.  They are being received by the server, but are showing up in /var/adm/CSCOpx/log/dmgtd.log, and aren't getting processed by SyslogAnalyser.
  Here's the syslog.conf file:
       local6.info                                                                     /var/log/ade/ADE.log
       *.info;mail.none;news.none;authpriv.none;cron.none;local0.none;local1.none      /var/log/messages
       authpriv.*                                                                      /var/log/secure
       mail.*                                                                          -/var/log/maillog
       cron.*                                                                          /var/log/cron
       *.emerg                                                                         *
       uucp,news.crit                                                                  /var/log/spooler
       local7.*                                                                        /var/log/boot.log
       #Application LMS Generated config
       #BEGIN CSCOmd - DO NOT EDIT THESE COMMENTS OR CONTENTS CONTAINED WITHIN - local0 1
       local0.emerg;local0.alert;local0.crit;local0.err;local0.warning;local0.notice;local0.info;local0.debug  /var/adm/CSCOpx/log/dmgtd.log
       #END CSCOmd DO NOT EDIT BEFORE THIS LINE  1
       local7.info  /var/log/syslog_info
  My guess is that the incoming messages are getting written to the wrong file.  What do I need to change to correct this?

  I found that all of my syslog messages were being captured under /var/log/messages.  This was due to my Cisco devices being configured with "logging facility local5".  Instead of reconfiguring all of my devices to log to facility local7, I just changed the following line in syslog.conf and restarted (/etc/init.d/syslog restart)
  Before:
  local7.info  /var/log/syslog_info
  After:
  local5.*  /var/log/syslog_info
  Probably not the best way to do it, but it worked for me.
  -Rick

• Oracle auditing using syslogs

  Hello all....I am working on setting up the auditing to write to syslogs. I am having trouble understanding what to use for the facility and level. Can anyone point me in the right direction as to what these facilities and levels mean?
  TIA

  i believe those terms are related to syslog which is used on nix systems. if you are using nix then you should check the man page on syslog.conf.
  as the docs state, the facility indicates where the message is coming from (such as the kernel, cron, local0 - local 7), and there's the level, which indicates how urgent the message is (info, warning, critical...).
  i say this with never actually having used it though...
  if you're using windows, well, .... i can't say.