Remote Syslog

Rick Stevens rstevens at vitalstream.com
Wed May 25 19:48:45 UTC 2005


Tim Holmes wrote:
> Hello All:
> 
> I am trying to use one of my linux boxes to get information from my
> foundry switches (and eventually a lot of other gear) using the syslog
> facility.  This will be in addition to SNMP which I am already using via
> CACTI
> 
> I have managed to configure things so that the messages are heading to
> /var/logs/messages, but I cannot seem to get them to go to the device
> specific files that I have designated.
> 
> Here is a copy of my /etc/syslog.conf file
> 
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.*                                                 /dev/console
> 
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> *.info;mail.none;authpriv.none;cron.none                /var/log/messages
> 
> # The authpriv file has restricted access.
> authpriv.*                                              /var/log/secure
> 
> # Log all the mail messages in one place.
> mail.*                                                  /var/log/maillog
> 
> 
> # Log cron stuff
> cron.*                                                  /var/log/cron
> 
> # Everybody gets emergency messages
> *.emerg                                                 *
> 
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit                                          /var/log/spooler
> 
> # Save boot messages also to boot.log
> local7.*                                                /var/log/boot.log
> 

The following three configs won't work:

> #send messages from Lancelot to Lancelot.log
> 192.168.0.225.*     /var/log/lancelot.log
> 
> 
> #send messages from tristan. tristan.log
> 192.168.0.231.*    /var/log/tristan.log
> tristan.*          /var/log/tristan.log
> 
> 
> 
> If anyone can help me out, what I would like is for each device to have
> its own separate log file, and then I need suggestions on how to
> properly view them etc

Syslog doesn't support IP addresses or hostnames as selectors, so the
last three lines won't work (I'm sort of amazed that syslog started at
all).

When the remote syslog sends a message, the receiving syslog uses the
normal selector stuff to handle the message.  Note that the message
received contains the hostname of the machine that sent it.
What you could do is, rather than logging to a file, feed the messages
to a series of filters that parse the message, find the hostname and
write an appropriate file.  You must create named pipes for each filter
first (via mkfifo(1)).  The filters can be awk, perl or shell scripts
(or C/C++ programs) that listen on the appropriate named pipe and
process the messages as they come in.  syslog alone can't do it.

If you need help on that, email me directly and I'll see what I can
do to assist you.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
- Do not taunt the sysadmins, for they are subtle and quick to anger -
----------------------------------------------------------------------
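
The named-pipe filter described in the reply above, sketched as an added example that is not part of the original post and not the author's code. The FIFO path, the log directory, the function name `split_by_host` and the assumption that the hostname is the fourth field of each line are all illustrative; the hostname is validated before it is used as a file name because it comes from the network.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed setup (paths are
# hypothetical; "|fifo" is sysklogd's named-pipe action):
#   mkfifo /var/run/hostsplit.fifo
#   /etc/syslog.conf:   *.info      |/var/run/hostsplit.fifo
#   sh hostsplit.sh /var/log/hosts < /var/run/hostsplit.fifo &

# split_by_host LOGDIR
# Read syslog lines on stdin and append each one to LOGDIR/<host>.log.
# Assumes the traditional line layout "Mon DD HH:MM:SS host tag: text",
# so the hostname is the fourth whitespace-separated field.
split_by_host() {
    logdir=$1
    mkdir -p "$logdir" || return 1
    while IFS= read -r line; do
        set -f              # no globbing while the line is word-split
        set -- $line        # "May  5" is double-spaced; splitting copes
        set +f
        host=$4
        # The hostname arrives over the network, so treat it as untrusted
        # before using it in a path: letters, digits, dot and hyphen only,
        # no leading dot. Anything else is filed under "unknown".
        case $host in
            ''|.*|*[!A-Za-z0-9.-]*) host=unknown ;;
        esac
        printf '%s\n' "$line" >> "$logdir/$host.log"
    done
}

# Run as a filter only when a log directory is given on the command line.
if [ "$#" -gt 0 ]; then
    split_by_host "$1"
fi
```

The loop ends when the writer closes the pipe, so a long-running deployment would reopen the FIFO in an outer loop.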