NetBSD-Bugs archive
Re: bin/58558: syslog.conf(5) man page example does not work.
The following reply was made to PR bin/58558; it has been noted by GNATS.
From: xover2391%hush.com@localhost
To: gnats-bugs%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Cc:
Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
Date: Wed, 04 Sep 2024 07:04:35 +0000
On 8/7/2024 at 7:10 AM, "RVP" <rvp%SDF.ORG@localhost> wrote:
>
>The following reply was made to PR bin/58558; it has been noted by GNATS.
>
>From: RVP <rvp%SDF.ORG@localhost>
>To: gnats-bugs%netbsd.org@localhost
>Cc:
>Subject: Re: bin/58558: syslog.conf(5) man page example does not work.
>Date: Wed, 7 Aug 2024 07:08:09 +0000 (UTC)
>
> On Wed, 7 Aug 2024, xover2391%hush.com@localhost wrote:
>
> > # Save non-local log messages from all programs to a separate
>file.
> > !*
> > -@
> > *.* /var/log/foreign
> >
>
> There is PR #47529 which _looks_ almost like this PR, except, close reading
> of syslog.conf(5) suggests that the duplicate copies should be expected with
> the config. file you've shown. I.e. by default, messages will "cascade" to
> multiple files unless stopped by other rules or using the `-U' flag to syslogd.
>
> Here's a syslog.conf which does work for separating outputs from other hosts
> to a different file (works around PR #47529 too):
>
> ```
> # $NetBSD: syslog.conf,v 1.9 2004/07/23 03:45:42 mycroft Exp $
>
> +@
> *.err;kern.*;auth.notice;authpriv.none;mail.crit /dev/console
> *.info;auth,authpriv,cron,ftp,kern,lpr,mail.none /var/log/messages
> kern.debug /var/log/messages
>
> # The authpriv log file should be restricted access; these
> # messages shouldn't go to terminals or publically-readable
> # files.
> auth,authpriv.info /var/log/authlog
>
> cron.info /var/log/cron
> ftp.info /var/log/xferlog
> lpr.info /var/log/lpd-errs
> mail.info /var/log/maillog
> #uucp.info /var/spool/uucp/ERRORS
>
> *.emerg *
> #*.notice root
>
> !*
> +192.168.68.171,qemu
> *.* /var/log/host1.log
> ```
>
> The only additions from the default syslog.conf file are the:
>
> +@
>
> and:
>
> !*
> +192.168.68.171,qemu
> *.* /var/log/host1.log
>
> The `+@' hostname-spec causes the rules following it to be applied _only_ to
> the local host. This duplicates the functionality of the default config. file.
>
> The other block then sends all output from the named host(s) to a separate
> file.
>
> But, for this to work (I've just tested this), the remote host has to send
> well formed syslog data to the syslogd program on NetBSD. In my test the remote
> host ("qemu") was also NetBSD and the messages in `/var/log/host1.log' look
> like this:
>
> ```
> <auth.info>Aug 7 06:29:02 qemu sshd[327]: Server listening on :: port 22.
> <auth.info>Aug 7 06:29:02 qemu sshd[327]: Server listening on 0.0.0.0 port 22.
> <user.debug>Aug 7 06:29:02 qemu sshd: bl_init: connect failed for `/var/run/blacklistd.sock' (No such file or directory)
> <mail.info>Aug 7 06:29:02 qemu postfix/postfix-script[466]: starting the Postfix mail system
> <mail.info>Aug 7 06:29:02 qemu postfix/master[479]: daemon started -- version 3.8.4, configuration /etc/postfix
> <auth.notice>Aug 7 06:29:36 qemu login: ROOT LOGIN (root) on tty constty
> <cron.info>Aug 7 06:30:43 qemu cron[549]: (root) CMD START (/usr/libexec/atrun)
> <cron.info>Aug 7 06:30:43 qemu cron[537]: (root) CMD FINISH (/usr/libexec/atrun)
> ```
>
> The message you posted on netbsd-users@ looks malformed:
>
> ```
> <user.info>Aug 7 10:40:08 Aug -: 7 10:40:08 192.168.1.200-1 USER_MGR[44365908]: user_mgr_util.c(1588) 5098 %% HTTP Session 30 started for user admin connected from 192.168.1.210
> ```
>
> Don't know if it's a bug in syslogd that's responsible, or the sender who's
> responsible.
>
> Can you do a tcpdump like this and show the output?
>
> ```
> root# tcpdump -Alnt -i <IF> host 192.168.1.200 and udp dst port syslog
> ```
>
> -RVP
Apologies that it has taken me so long to be able to get you the info you requested. There has been some progress on this issue which I detailed in a separate message in this thread, relating to the setting of a hostname for the NetBSD server. After setting the NetBSD server hostname, and altering /etc/syslog.conf to include a "+@" line near the top and a "-@" line near the bottom, syslogd now puts the non-local/remote syslog messages into a separate file, which is a good start.
I still want to extend things so that each remote host/device has its syslog messages put into a separate file, so I tried replacing the "-@" line with "+192.168.1.200". After doing that (and rebooting the NetBSD server) the syslog messages from 192.168.1.200 are not saved anywhere. Clearly, those messages are not local, but they are also not identified as "being from" 192.168.1.200. So I changed the line back to "-@" and ran the tcpdump command you mentioned above.
netbsd1# tcpdump -Alnt -i re0 host 192.168.1.200 and udp dst port syslog
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.1.200.514 > 192.168.1.100.514: SYSLOG user.info, length: 154
E.....@.@.................k.<14> Sep 4 14:57:10 192.168.1.200-1 USER_MGR[44365908]: user_mgr_util.c(1638) 9758 %% HTTP Session 46 ended for user admin connected from 192.168.1.210
.
^C
1 packet captured
23 packets received by filter
0 packets dropped by kernel
netbsd1#
I also configured a total of nine other devices (seven routers, one different network switch, and a Synology NAS unit) to send their syslog messages to the NetBSD server. The /etc/syslog.conf file now looks like this (The only differences are line 3 which has "+@" and everything from the line that has "-@" until End Of File):
# $NetBSD: syslog.conf,v 1.9 2004/07/23 03:45:42 mycroft Exp $
+@
*.err;kern.*;auth.notice;authpriv.none;mail.crit /dev/console
*.info;auth,authpriv,cron,ftp,kern,lpr,mail.none /var/log/messages
kern.debug /var/log/messages
# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
auth,authpriv.info /var/log/authlog
cron.info /var/log/cron
ftp.info /var/log/xferlog
lpr.info /var/log/lpd-errs
mail.info /var/log/maillog
#uucp.info /var/spool/uucp/ERRORS
*.emerg *
#*.notice root
-@
*.* /var/log/foreign
# HP network switch
+192.168.1.200
*.* /var/log/host-192.168.1.200
# Other network switch
+192.168.1.201
*.* /var/log/host-192.168.1.201
# DrayTek router
+192.168.1.202
*.* /var/log/host-192.168.1.202
# NetComm router 1
+192.168.1.203
*.* /var/log/host-192.168.1.203
# NetComm router 2
+192.168.1.204
*.* /var/log/host-192.168.1.204
# Sonicwall router
+192.168.1.205
*.* /var/log/host-192.168.1.205
# TP-Link router
+192.168.1.206
*.* /var/log/host-192.168.1.206
# Netgear router
+192.168.1.207
*.* /var/log/host-192.168.1.207
# Sagemcom router
+192.168.1.208
*.* /var/log/host-192.168.1.208
# Synology NAS
+192.168.1.209
*.* /var/log/host-192.168.1.209
The NetBSD server is saving the syslog messages from each of the seven routers to their respective /var/log/host-192.168.1.20x files as well as to the /var/log/foreign file. It is not saving the syslog messages from the two network switches or the Synology NAS unit to their respective files, even though it is saving them to the /var/log/foreign file (at least it recognises that they're "not local"). I'm not sure if a tcpdump of a syslog message from the Synology NAS or the other network switch would be useful, but I can provide that if requested.
The Synology NAS unit has the option to send its syslog messages in either "BSD (RFC 3164)" or "IETF (RFC 5424)" format. I can see the difference in the syslog message structure of either format from that unit as they are saved in the /var/log/foreign file, but neither format results in the saving of the messages in the /var/log/host-192.168.1.209 file.
Hints, tips, or suggestions are welcome. Thanks.
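An added example, not from this thread or from NetBSD's syslogd: a small RFC 3164 framing check that extracts the HOSTNAME field from a received datagram and flags the two things visible in the tcpdump above (a space between `<PRI>` and the TIMESTAMP, and a HOSTNAME field such as `192.168.1.200-1` that is not the address a `+192.168.1.200` host-spec names). It assumes, as the observations in the thread suggest but do not prove, that syslogd matches host-specs against the message's HOSTNAME field rather than the peer address; the sample datagrams are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss", day space-padded to two characters.
TS_RE = re.compile(r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}:\d{2}:\d{2}) ")

@dataclass
class Check:
    facility: Optional[int]
    severity: Optional[int]
    timestamp: Optional[str]
    hostname: Optional[str]
    msg: str
    problems: List[str] = field(default_factory=list)

def check_bsd_syslog(raw: str, sender: str) -> Check:
    """Validate the framing of one BSD-syslog datagram and pull out HOSTNAME.

    `sender` is the address the packet came from, i.e. what a literal
    `+192.168.1.200` host-spec names. Assumption (not confirmed by the
    thread): syslogd compares that spec against the HOSTNAME field.
    """
    problems: List[str] = []
    m = PRI_RE.match(raw)
    if not m:
        return Check(None, None, None, None, raw, ["missing <PRI> at start"])
    pri = int(m.group(1))
    facility, severity = pri >> 3, pri & 7
    rest = raw[m.end():]
    if rest[:1] == " ":
        problems.append("space after <PRI>: TIMESTAMP must follow '>' directly")
        rest = rest.lstrip(" ")
    ts = TS_RE.match(rest)
    if not ts:
        problems.append("TIMESTAMP is not 'Mmm dd hh:mm:ss'")
        return Check(facility, severity, None, None, rest, problems)
    timestamp = f"{ts.group(1)} {ts.group(2):>2} {ts.group(3)}"
    hostname, _, msg = rest[ts.end():].partition(" ")
    if not hostname:
        problems.append("empty HOSTNAME field")
    elif hostname != sender:
        problems.append(f"HOSTNAME {hostname!r} != sender {sender!r}: "
                        f"a +{sender} host-spec will not match")
    return Check(facility, severity, timestamp, hostname or None, msg, problems)

# Constructed samples: the wire form of a qemu line from the thread (PRI 38 is
# auth.info), and the HP switch datagram reconstructed from the tcpdump above.
QEMU = "<38>Aug  7 06:29:02 qemu sshd[327]: Server listening on :: port 22."
SWITCH = ("<14> Sep  4 14:57:10 192.168.1.200-1 USER_MGR[44365908]: "
          "user_mgr_util.c(1638) 9758 %% HTTP Session 46 ended for user admin")
```

Feeding it the payloads from a `tcpdump -A` capture of each device quickly shows which senders emit a HOSTNAME field that matches the spec you wrote for them and which do not.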