282 lines
10 KiB
HTML
282 lines
10 KiB
HTML
<!--startcut ======================================================= -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<html>
|
|
<head>
|
|
<META NAME="generator" CONTENT="lgazmail v1.3C.e">
|
|
<TITLE>The Answer Guy 51: Syslog Events from a Particular Host to a Particular File</TITLE>
|
|
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
|
|
LINK="#3366FF" VLINK="#A000A0">
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
|
|
<P> <hr> <P>
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<center>
|
|
<H1><A NAME="answer">
|
|
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
|
|
border="0" align="middle">
|
|
<font color="#B03060">The Answer Guy</font>
|
|
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
|
|
border="0" align="middle">
|
|
</A></H1>
|
|
<BR>
|
|
<H4>By James T. Dennis,
|
|
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
|
|
LinuxCare,
|
|
<A HREF="http://www.linuxcare.com/">http://www.linuxcare.com/</A>
|
|
</H4>
|
|
</center>
|
|
|
|
<p><hr><p>
|
|
<!-- endcut ======================================================= -->
|
|
<!-- begin 10 -->
|
|
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
|
|
height="50" width="60" alt="(?) " border="0"
|
|
>Syslog Events from a Particular Host to a Particular File</H3>
|
|
|
|
|
|
<p><strong>From Nathan Keeter on Sat, 19 Feb 2000
|
|
</strong></p>
|
|
<!-- ::
|
|
Syslog Events from a Particular Host to a Particular File
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
:: -->
|
|
<P><STRONG>
|
|
Is there any way to specify that syslog log all events from a particular
|
|
host to a particular file?
|
|
</STRONG></P>
|
|
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
|
|
HEIGHT="28" WIDTH="50" BORDER="0"
|
|
>
|
|
That depends.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
First I'd have to understand what you mean by "events" (and
|
|
what you mean by "from" actually).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
There are several sorts of "events" that can logged
|
|
"from" a host. For example the TCP Wrappers (tcpd) that is
|
|
pre-installed and configured for use by all major Linux
|
|
distributions will log each access attempt to each wrapper
|
|
protected service.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
You can figure out most of the "wrappered" services by
|
|
reading the <TT>/etc/inetd.conf</TT> and looking for references to
|
|
tcpd on each of the active lines therein. Also note that
|
|
the portmapper, rcp.mountd and some other "standalone"
|
|
services might also be "wrappered." They would generally
|
|
be compiled with and linked to "libwrap" (the TCP Wrappers
|
|
libraries).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
(Anyone interested in this should read the <tt>hosts_allow(5)</tt>
|
|
and <tt>tcpd(8)</tt> man pages).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Another source of log messages "from" a host might be your
|
|
kernel packet filtering tables. There are options to
|
|
ipfwadm and ipchains to allow you to output/log messages
|
|
about packets that match certain packet filtering rules.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
(Anyone interested in more details on this should read the
|
|
<tt>ipfwadm(8)</tt> and/or <tt>ipchains(8)</tt> man pages,
|
|
looking for the -o and -l option respectively).
|
|
</BLOCKQUOTE>
|
|
|
|
<em><p>[ For those of you keeping up with the newer kernel
|
|
series, Rusty is trying to encourage people to use
|
|
and debug the new netfiler code. See the homepage
|
|
<a href="http://netfilter.kernelnotes.org/"
|
|
>http://netfilter.kernelnotes.org/</a>
|
|
for the latest scoreboard.
|
|
<br>-- Heather.]</p></em>
|
|
|
|
<BLOCKQUOTE>
|
|
Yet another source of syslog messages "from" a given
|
|
host might be that you've configured your syslogd to
|
|
accept remote (UDP) messages (by adding the appropriate
|
|
command option to its <tt>rc*</tt> script), and you've configured
|
|
the hosts in question to forward their messages to that
|
|
loghost (using appropriate "<tt>@</tt>" directives in the
|
|
<TT>/etc/syslog.conf</TT> files of the loghost clients).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
(Anyone interested in these topics should read the
|
|
<tt>syslogd(8)</tt> and <tt>syslog.conf(5)</tt> man pages).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Obviously any other services my have their own logging
|
|
features in addition to these.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
(Thus you see what I mean by "it depends on what you
|
|
mean by 'from.'" Do you mean: "log messages from
|
|
localhost services that involve (stem from interactions
|
|
with) a host" or do you mean "log messages received by
|
|
my syslog daemon that were purportely issued from
|
|
the hosts in question").
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Anyway, it is not possible to configure the normal syslog
|
|
daemon to separate the messsages into separate files based
|
|
on the hosts from which they were received. The normal
|
|
configuration directives allow separation and filtering
|
|
based on the "facility" and "severity" (read that
|
|
syslog.conf man page for an explanation and lists of
|
|
these).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
One way to do what you want would be to feed the messages
|
|
into a processing script (awk, or PERL). It's even possible
|
|
to do this "in real time" by configuring your loghost to
|
|
feed messages into one or more FIFOs (named pipes) and
|
|
running your processing script(s) to read from that
|
|
(or them). Again, the details should be in your
|
|
syslog.conf man page but the short form would be
|
|
something like this:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Add a line to <TT>/etc/syslog.conf</TT> like:
|
|
</BLOCKQUOTE>
|
|
|
|
<blockquote><pre>*.* |/dev/myloggingnode
|
|
</pre></blockquote>
|
|
<BLOCKQUOTE>
|
|
Create "myloggingnode" (conventionally in
|
|
the <TT>/dev/</TT> directory, though a <TT>/var/run</TT> or
|
|
other suitable place might be better). Use
|
|
a command like:
|
|
</BLOCKQUOTE>
|
|
|
|
<blockquote><pre> mkfifo /dev/myloggingnode
|
|
</pre></blockquote>
|
|
<BLOCKQUOTE>
|
|
or with:
|
|
</BLOCKQUOTE>
|
|
|
|
<blockquote><pre> mknod -m 0600 p /dev/myloggingnode
|
|
</pre></blockquote>
|
|
<BLOCKQUOTE>
|
|
(You'll need to make this writable by your syslog daemon,
|
|
of course).
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Then you just run your PERL or awk script on that.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
Another option is to check out one of the alternative
|
|
syslog systems. I've read a bit about syslog-ng (next
|
|
generation), and I think it can be configured for what
|
|
you want. Have a look at:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><BlockQuote>
|
|
<A HREF="http://www.balabit.hu/products/syslog-ng"
|
|
>http://www.balabit.hu/products/syslog-ng</A>
|
|
</BlockQuote></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
... or at:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><BlockQuote>
|
|
<A HREF="http://www.freshmeat.net/appindex/1999/02/17/919286467.html"
|
|
>http://www.freshmeat.net/appindex/1999/02/17/919286467.html</A>
|
|
</BlockQuote></BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
For more on that.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
For those interested in other aspects of network system
|
|
logging and event monitoring across Linux and UNIX systems,
|
|
I suggest looking at the "secure syslog" (which uses
|
|
cryptographic techniques to authenticate that messages came
|
|
from the host that purports to have sent them, etc) and
|
|
I also recommend "<tt>colortail</tt>" as a great tool for those
|
|
who like monitor their systems with '<tt>tail -f</tt>' logging.
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE>
|
|
You can find those at:
|
|
</BLOCKQUOTE>
|
|
<BLOCKQUOTE><BlockQuote>
|
|
<A HREF="http://www.core-sdi.com/english/slogging/ssyslog.html"
|
|
>http://www.core-sdi.com/english/slogging/ssyslog.html</A>
|
|
</BlockQuote></BLOCKQUOTE>
|
|
<BLOCKQUOTE><DL><DT>
|
|
... and
|
|
<DD><A HREF="http://www.freshmeat.net/appindex/1999/02/20/919554599.html"
|
|
>http://www.freshmeat.net/appindex/1999/02/20/919554599.html</A>
|
|
</DL></BLOCKQUOTE>
|
|
|
|
<!-- sig -->
|
|
|
|
|
|
<!-- end 10 -->
|
|
<!--startcut ======================================================= -->
|
|
<P> <hr> <P>
|
|
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
|
|
>Copyright ©</a> 2000, James T. Dennis
|
|
<BR>Published in <I>The Linux Gazette</I> Issue 51 March 2000</H5>
|
|
<H6 ALIGN="center">HTML transformation by
|
|
<A HREF="mailto:star@tuxtops.com">Heather Stern</a> of
|
|
Tuxtops, Inc.,
|
|
<A HREF="http://www.tuxtops.com/">http://www.tuxtops.com/</A>
|
|
</H6>
|
|
<P> <hr> <P>
|
|
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<TABLE WIDTH="95%"><TR VALIGN="center" ALIGN="center">
|
|
<TD colspan="2" rowspan="2"><A
|
|
HREF="../lg_answer51.html"
|
|
><IMG SRC="../../gx/dennis/answernew.gif"
|
|
ALT="[ Answer Guy Current Index ]"></A>
|
|
<TD colspan="2" rowspan="2"><A
|
|
HREF="../../tag/kb.html"
|
|
><IMG SRC="../../gx/dennis/answertoc.gif"
|
|
ALT="[ Index of Past Answers ]"></A></td>
|
|
<TD WIDTH="11%"><A HREF="../lg_answer51.html#greeting"><img
|
|
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A></TD>
|
|
<TD WIDTH="11%"><A HREF="1.html">1</A></TD>
|
|
<TD WIDTH="11%"><A HREF="2.html">2</A></TD>
|
|
<TD WIDTH="11%"><A HREF="3.html">3</A></TD>
|
|
<TD WIDTH="11%"><A HREF="4.html">5</A></TD>
|
|
</TR><TR VALIGN="center" ALIGN="center">
|
|
<TD WIDTH="11%"><A HREF="5.html">5</A></TD>
|
|
<TD WIDTH="11%"><A HREF="6.html">6</A></TD>
|
|
<TD WIDTH="11%"><A HREF="7.html">7</A></TD>
|
|
<TD WIDTH="11%"><A HREF="8.html">8</A></TD>
|
|
<TD WIDTH="11%"><A HREF="9.html">9</A></TD>
|
|
</TR><TR VALIGN="center" ALIGN="center">
|
|
<TD WIDTH="10%"><A HREF="10.html">10</A></TD>
|
|
<TD WIDTH="10%"><A HREF="11.html">11</A></TD>
|
|
<TD WIDTH="10%"><A HREF="12.html">12</A></TD>
|
|
<TD WIDTH="10%"><A HREF="13.html">13</A></TD>
|
|
<TD WIDTH="11%"><A HREF="14.html">14</A></TD>
|
|
<TD WIDTH="11%"><A HREF="15.html">15</A></TD>
|
|
<TD WIDTH="11%"><A HREF="16.html">16</A></TD>
|
|
<TD WIDTH="11%"><A HREF="17.html">17</A></TD>
|
|
</TR><TR VALIGN="center" ALIGN="center">
|
|
<TD WIDTH="10%"><A HREF="18.html">18</A></TD>
|
|
<TD WIDTH="10%"><A HREF="19.html">19</A></TD>
|
|
<TD WIDTH="10%"><A HREF="20.html">20</A></TD>
|
|
<TD WIDTH="10%"><A HREF="21.html">21</A></TD>
|
|
<TD WIDTH="11%"><A HREF="22.html">22</A></TD>
|
|
</TR></TABLE>
|
|
</TR><TR VALIGN="center" ALIGN="center">
|
|
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
|
|
<P> <hr> <P>
|
|
<!-- begin lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<A HREF="../index.html"
|
|
><IMG SRC="../../gx/indexnew.gif" ALT="[ Table Of Contents ]"></A>
|
|
<A HREF="../../index.html"
|
|
><IMG SRC="../../gx/homenew.gif" ALT="[ Front Page ]"></A>
|
|
<A HREF="../lg_bytes51.html"
|
|
><IMG SRC="../../gx/back2.gif" ALT="[ Previous Section ]"></A>
|
|
<A HREF="../../faq/index.html"
|
|
><IMG SRC="../../gx/dennis/faq.gif"
|
|
ALT="[ Linux Gazette FAQ ]"></A>
|
|
<A HREF="../lg_tips51.html"
|
|
><IMG SRC="../../gx/fwd.gif" ALT="[ Next Section ]"></A>
|
|
<!-- end lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
|
|
</BODY></HTML>
|
|
<!--endcut ========================================================= -->
|