[CentOS] syslog remote computers

Craig White craigwhite at azapple.com
Thu Nov 20 01:37:48 UTC 2008


On Wed, 2008-11-19 at 19:19 -0600, Larry Vaden wrote:
> On Wed, Nov 19, 2008 at 6:36 PM, Craig White <craigwhite at azapple.com> wrote:
> > On Wed, 2008-11-19 at 18:19 -0600, Larry Vaden wrote:
> >> On Wed, Nov 19, 2008 at 6:02 PM, Craig White <craigwhite at azapple.com> wrote:
> >> > Trying to figure out if there's a way to get syslog.conf to direct
> >> > remote logging from a wireless access point to log to a separate file
> >> > instead of the main syslog and can't figure out how that could be done
> >> > from man syslog.conf (or man 2/3 of syslog)
> >> >
> >> > this clearly doesn't work
> >> >
> >> > 192.168.1.251.*                               /var/log/WAP-2.log
> >> >
> > > which according to the man page, makes sense since the IP address
> > > is not a facility.
> >> >
> >> > Is there a way to do this that I am missing?
> >>
> >> The AP's syslog parms must match the syslog.conf parms.
> >>
> >> e.g., for a MikroTik AP,
> >>
> >> [root at catch22 ~]# grep -i mikrotik /etc/syslog.conf
> >> # MikroTik router messages
> >> user.*                                                  /var/log/mikrotik.log
> > ----
> > I suspect I'm SOL...(Linksys WAP is Linux I think. They do have the
> > source code available for D/L)
> >
> > local0.*                /var/log/local0.log
> > local1.*                /var/log/local1.log
> > local2.*                /var/log/local2.log
> > local3.*                /var/log/local3.log
> > local4.*                /var/log/local4.log
> > local5.*                /var/log/local5.log
> > local6.*                /var/log/local6.log
> > user.*                  /var/log/user.log
> >
> > restarted syslog service and then rebooted WAP but all of those files
> > are still empty  ;-(
> 
> <http://www.linuxquestions.org/questions/linux-networking-3/linksys-rv042-to-red-hat-syslog-337424/>
> suggests that perhaps daemon.info would work, I dunno.  At any rate,
> one of the articles found by Google should reveal the answer.
----
tcpdump is my friend (but also the bearer of what appears to be bad
news)...

# tcpdump -nvvX udp port 514 -s 1500 -i eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 1500 bytes
18:32:16.412516 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP (17), length: 74) 192.168.1.251.clearvisn > 192.168.1.5.syslog: [udp sum ok] SYSLOG, length: 46
        Facility kernel (0), Severity info (6)
        Msg: WAP-2 rg_system_full:255: killall rt2500apd
        0x0000:  3c36 3e57 4150 2d32 2072 675f 7379 7374
        0x0010:  656d 5f66 756c 6c3a 3235 353a 206b 696c
        0x0020:  6c61 6c6c 2072 7432 3530 3061 7064
        0x0000:  4500 004a 0000 4000 4011 a452 c0a8 0afb  E..J..@.@..R....
        0x0010:  c0a8 0a05 0804 0202 0036 2c32 3c36 3e57  .........6,2<6>W
        0x0020:  4150 2d32 2072 675f 7379 7374 656d 5f66  AP-2.rg_system_f
        0x0030:  756c 6c3a 3235 353a 206b 696c 6c61 6c6c  ull:255:.killall
        0x0040:  2072 7432 3530 3061 7064                 .rt2500apd

I gather that this means that its facility is kernel and thus I can't
separate it from the local machine.

Craig
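The PRI decoding behind tcpdump's "Facility kernel (0), Severity info (6)" line, and the difference between a syslog.conf facility selector and a per-sender rule, as an added example that is not part of the post or of sysklogd. The WAP datagram is rebuilt from the hex bytes tcpdump printed above; the local kernel line, the file paths and the host table are constructed for illustration.

```python
"""Decode the PRI of a BSD-syslog (RFC 3164) UDP payload and show why a
facility.priority selector cannot tell one sender from another, while a
per-host rule can.

Added example for the thread above, not code from the post. WAP_PAYLOAD is
rebuilt from the tcpdump hex in the post; everything else is constructed.
"""
import re

# Facility codes 0-23 as numbered in RFC 3164 (12-15 are vendor-specific).
FACILITIES = (
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp"]
    + ["reserved%d" % n for n in range(12, 16)]
    + ["local%d" % n for n in range(8)]
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<" + decimal 0..191 + ">" at the very start of the datagram.
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# The 46 payload bytes from the post's tcpdump dump: "<6>WAP-2 rg_system_full:..."
WAP_PAYLOAD = bytes.fromhex(
    "3c363e5741502d322072675f73797374"
    "656d5f66756c6c3a3235353a206b696c"
    "6c616c6c20727432353030617064"
)

# A line the local kernel might emit through klogd (constructed for contrast).
LOCAL_KERNEL_PAYLOAD = b"<6>kernel: eth1: link up"


def decode_pri(payload):
    """Return (facility, severity, rest) for one datagram.

    A missing or out-of-range PRI is handled the way RFC 3164 tells relays
    to: treat the message as user.notice (PRI 13) and keep the text intact.
    """
    m = PRI_RE.match(payload)
    if m is None or int(m.group(1)) > 191:
        return "user", "notice", payload
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], payload[m.end():]


# What a syslog.conf selector list can express: facility -> file
# (severity thresholds omitted to keep the point visible).
SYSLOG_CONF = [
    ("kern", "/var/log/messages"),
    ("user", "/var/log/user.log"),
    ("local0", "/var/log/local0.log"),
]


def route_by_facility(payload, conf=SYSLOG_CONF):
    """Files a facility-only selector list would write this message to."""
    facility, _severity, _rest = decode_pri(payload)
    return [path for selector, path in conf if selector in ("*", facility)]


# What a host-aware rule adds: sender address -> file (hypothetical table).
HOST_RULES = {"192.168.1.251": "/var/log/WAP-2.log"}


def route_by_host(src_ip, payload, rules=HOST_RULES, conf=SYSLOG_CONF):
    """Per-host rule first; anything else falls back to the facility rules."""
    if src_ip in rules:
        return [rules[src_ip]]
    return route_by_facility(payload, conf)


if __name__ == "__main__":
    samples = [("192.168.1.251", WAP_PAYLOAD), ("127.0.0.1", LOCAL_KERNEL_PAYLOAD)]
    for src, payload in samples:
        facility, severity, rest = decode_pri(payload)
        print("%-14s %s.%s %r" % (src, facility, severity, rest))
        print("    by facility:", route_by_facility(payload))
        print("    by host:    ", route_by_host(src, payload))
```

Both datagrams decode to kern.info, so any selector that can be written in a facility.priority syslog.conf lands them in the same file; only the sender address tells them apart. Later daemons expose that address as a filter (rsyslog's fromhost-ip property, syslog-ng's host() filter), but note what route_by_host trusts: the source IP of an unauthenticated UDP datagram, which any host on the segment can forge to drop lines into the WAP's log file. Bind the listener to the management interface and restrict senders with a packet filter before relying on per-host log files for anything security-relevant.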