Logging, Syslog and Log Analysis Forums
Topic: syslog - LOCAL7
IMMike
« on: September 26, 2005, 08:56:29 pm »

Hi,

My /etc/syslog.conf file on Fedora Core 4 contains the following line:

# Save boot messages also to boot.log
local7.*             /var/log/boot.log

How is local7 linked to boot messages? How is this connection made? Where/when is this done? I mean if I use local5 or local6 instead, this won't work, so there has to be something special about local7. I just can't figure it out.

I scoured the web, but wasn't able to find a precise answer.

Thanks.
M.
mutex
« Reply #1 on: September 28, 2005, 08:05:36 pm »

To understand why this is, you have to understand a little bit about syslog.  The facilities (local7, etc.) are just tags that are attached to messages by some program.  In the case of the boot log, Fedora the operating system sets this tag to local7 before it sends the log message to syslog.  I'm not familiar enough with Fedora to know how easy it is to change that, but I'm guessing it would be quite difficult.  Now, most other applications also make use of syslog, and they all apply a tag to the message.  That tag is intended to help you sort out the messages later, so that you can have a line like:
local7.* /var/log/boot.log
Without it, all of the logs would be dumped together.  The .* after the local7 actually means to accept any message with a facility set to local7 and any severity.  The severity is another way of coding messages.  They are the debug, info, critical, emerg, etc. flags that can be used to slice the messages up another way.

I hope that helps some!
Anonymous
« Reply #2 on: September 28, 2005, 09:05:49 pm »

I understand how syslog works and indeed it was that local7.* entry that got me going. I tried to look around for source files named "*boot*" in order to figure out where that tag is set, but wasn't able to.

Thanks for trying.
mutex
« Reply #3 on: September 29, 2005, 08:56:53 am »

One thing to keep in mind is that syslog isn't running until much later in the boot process, so I believe that the kernel is queuing up those messages during the boot process.  It's unlikely that you'll actually find references to local7 in the boot code.  You might want to try scanning the qhole source tree for local7.
Anonymous
« Reply #4 on: September 30, 2005, 03:47:49 pm »

Thanks for the tip. But I don't know what "qhole source tree" is. A web search showed up some Java related stuff which didn't seem to have anything to do with syslog.
mutex
« Reply #5 on: September 30, 2005, 03:49:29 pm »

I understand.  I thought you had the source code for linux and that was what you were searching for files named "*boot*" in.
Anonymous
« Reply #6 on: September 30, 2005, 04:10:00 pm »

I was searching in the /usr/src/kernels directory. It's about 68MB.
mutex
« Reply #7 on: October 03, 2005, 06:36:16 am »

I'm a bad speller and apparently dyslexic.  By "qhole" source, I meant "whole" source.  I just caught my typo.  Anyhow, I meant to search for local7 in all of the source files.  It shouldn't actually appear too often.
Anonymous
« Reply #8 on: October 26, 2005, 07:23:31 pm »

I'm trying to use the FC4 local7 to capture cisco logging messages.  I can see that the packets are arriving to the box (using tethereal) but nothing is being added to the log.  Could this be somehow related?
Anonymous
« Reply #9 on: October 26, 2005, 07:36:33 pm »

Please disregard the above post.  The problem was that syslog was not listening for outside messages --> the "-R" option added to /etc/sysconfig/syslog.
kellyman
« Reply #10 on: November 09, 2005, 07:56:20 am »

I've been banging on my Red Hat 9 for days trying to figure out why syslog messages arriving at the box are not being added to the log file. I also used ethereal to ensure that the traffic was hitting the server. Also, I see that local boot messages are being added to the log, so that side is working. I did "netstat -na | grep 514" and got a positive output on that...

I did use "-r" but, I used lower case "r"... guess it would not hurt to try upper case "R", but I didn't see any reference to that option in the man pages.

Any other items I might check??? I have "local7.debug <tab> /var/log/router.log". The line works because it is sending boot messages to the file. I am calling "syslogd -r -m 0 -x" or sometimes just "syslogd -r".

suggestions? thanks in advance....
mutex
« Reply #11 on: November 09, 2005, 08:13:47 am »

Are you certain that the incoming logs are using the facility local7.debug?  Lowercase -r is the correct syntax to start syslogd, by the way.  Another option is to shut down syslogd and start it back up in debug mode, and tickle something on the remote host to get it to send a log.  You should be able to see what's happening in the syslog process then.
jlsuzanne
« Reply #12 on: December 29, 2005, 05:56:40 am »

Hello All,

I am having the same issue with syslog from cisco device.
I can see with tcpdump that syslog packets are arriving on my Linux Fedora box but they are not logged to the message file I configured in /etc/syslog.conf.
My syslogd was started with -r option to allow logging from remote devices.

My syslog.conf is :

.info;mail.none;authpriv.none;cron.none           /var/log/messages
*.debug                                          /var/log/messages

[root@]# cat    /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r -x"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
[root@]#

[root@]# ps -ef | grep syslog
root     14654     1  0 11:10 ?        00:00:00 syslogd -m 0 -r -x
root       415 14817  0 12:14 pts/4    00:00:00 grep syslog
[root@]#

[root@suna18-3 log]# uname -a
Linux suna18-3 2.6.11-1.35_FC3smp #1 SMP Mon Jun 13 01:17:35 EDT 2005 i686 i686 i386 GNU/Linux

I see syslog packets arriving on my Linux box:
[root@]# /usr/sbin/tcpdump -i eth1.111 -c1000 -s200 udp port 514 -vv
tcpdump: listening on eth1.111, link-type EN10MB (Ethernet), capture size 200 bytes
12:13:56.981968 IP (tos 0x0, ttl 255, id 357, offset 0, flags [none], proto 17, length: 111) zupp1.testcom.net.59130 > 54.54.111.1.syslog: [udp sum ok] UDP, length 83

Also I tested logger to verify i was able to log to the message file without any pb.

Thx in advance,

Jean-Louis.
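Reply #1 explains that a facility such as local7 is only a tag the sender puts on the message and that the ".*" selector accepts any severity; Reply #12 then quotes a syslog.conf with "*.info;mail.none;authpriv.none;cron.none" and "*.debug" rules. The following Python is an added example, not code from this thread or from sysklogd: it decodes the <PRI> tag of a BSD syslog datagram into facility and severity, and replays those two rules plus the "local7.* /var/log/boot.log" line from the first post to show which file each message would land in. The leading "*" on the first selector is assumed (the forum rendering dropped it), and the sample datagrams are constructed.

```python
import re

# RFC 3164 facility codes 0-23; local0-local7 are 16-23, so local7 == 23
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]
# Severity codes 0-7, most severe first
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(msg):
    """Return (facility, severity) from the leading <PRI> of a BSD syslog line.
    PRI = facility * 8 + severity; a line with no valid PRI is treated as <13>
    (user.notice), which is what RFC 3164 tells a receiver to do."""
    m = re.match(r"<(\d{1,3})>", msg)
    pri = int(m.group(1)) if m and int(m.group(1)) < 192 else 13
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_rule(line):
    """Parse one syslog.conf line into ({facility: max severity index}, action).
    Handles the sysklogd selector forms used in this thread: '*' (any severity),
    'none' (exclude) and a bare level (that level and anything more severe);
    later selectors on the same line override earlier ones."""
    selector, action = line.split(None, 1)
    table = {}
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        level = -1 if prio == "none" else 7 if prio == "*" else SEVERITIES.index(prio)
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            table[fac] = level
    return table, action.strip()

def route(conf, msg):
    """Return the files syslogd would write msg to under conf, in rule order."""
    fac, sev = decode_pri(msg)
    sev_idx = SEVERITIES.index(sev)
    return [action for table, action in conf if sev_idx <= table.get(fac, -1)]

# The three rules quoted in this thread; the leading '*' on the first selector is
# assumed (the forum rendering dropped it). The sample datagrams are constructed.
CONF = [parse_rule(rule) for rule in (
    "*.info;mail.none;authpriv.none;cron.none   /var/log/messages",
    "*.debug                                    /var/log/messages",
    "local7.*                                   /var/log/boot.log",
)]
SAMPLES = ["<189>37: %SYS-5-CONFIG_I: Configured from console",  # Cisco default, local7.notice
           "<22>sendmail[123]: stat=Sent",                        # mail.info
           "no pri at all"]                                       # treated as user.notice
```

Note that with the config from Reply #12 a local7.notice message matches both /var/log/messages rules and the boot.log rule, so route() returns /var/log/messages twice; a message with an invalid or missing PRI still gets routed, as user.notice.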
mutex
« Reply #13 on: December 29, 2005, 11:46:14 am »

I believe the problem is something I've run into before.  Most syslog clients will send messages out with a destination port of 514 and a source port of 514, but Cisco devices (and some other network equipment) use a source port that is ephemeral.  I figured out how to get BSD's syslog to take these messages - I'll see if I can find out how to do it in Linux.
mutex
« Reply #14 on: December 29, 2005, 12:03:59 pm »

It's not obvious whether the Linux syslog daemon has that behavior too, or how to turn it off if it does. Run syslogd in debug mode and have the Cisco box send it some logs.  Post the output of that and we'll see what we can do.