LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue51/tag/10.html

282 lines
10 KiB
HTML
Raw Permalink Blame History

<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.3C.e">
<TITLE>The Answer Guy 51: Syslog Events from a Particular Host to a Particular File</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
<img src="../../gx/dennis/qbubble.gif" alt="(?)"
border="0" align="middle">
<font color="#B03060">The Answer Guy</font>
<img src="../../gx/dennis/bbubble.gif" alt="(!)"
border="0" align="middle">
</A></H1>
<BR>
<H4>By James T. Dennis,
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
LinuxCare,
<A HREF="http://www.linuxcare.com/">http://www.linuxcare.com/</A>
</H4>
</center>
<p><hr><p>
<!-- endcut ======================================================= -->
<!-- begin 10 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif"
height="50" width="60" alt="(?) " border="0"
>Syslog Events from a Particular Host to a Particular File</H3>
<p><strong>From Nathan Keeter on Sat, 19 Feb 2000
</strong></p>
<!-- ::
Syslog Events from a Particular Host to a Particular File
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:: -->
<P><STRONG>
Is there any way to specify that syslog log all events from a particular
host to a particular file?
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" ALT="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
That depends.
</BLOCKQUOTE>
<BLOCKQUOTE>
First I'd have to understand what you mean by "events" (and
what you mean by "from" actually).
</BLOCKQUOTE>
<BLOCKQUOTE>
There are several sorts of "events" that can logged
"from" a host. For example the TCP Wrappers (tcpd) that is
pre-installed and configured for use by all major Linux
distributions will log each access attempt to each wrapper
protected service.
</BLOCKQUOTE>
<BLOCKQUOTE>
You can figure out most of the "wrappered" services by
reading the <TT>/etc/inetd.conf</TT> and looking for references to
tcpd on each of the active lines therein. Also note that
the portmapper, rcp.mountd and some other "standalone"
services might also be "wrappered." They would generally
be compiled with and linked to "libwrap" (the TCP Wrappers
libraries).
</BLOCKQUOTE>
<BLOCKQUOTE>
(Anyone interested in this should read the <tt>hosts_allow(5)</tt>
and <tt>tcpd(8)</tt> man pages).
</BLOCKQUOTE>
<BLOCKQUOTE>
Another source of log messages "from" a host might be your
kernel packet filtering tables. There are options to
ipfwadm and ipchains to allow you to output/log messages
about packets that match certain packet filtering rules.
</BLOCKQUOTE>
<BLOCKQUOTE>
(Anyone interested in more details on this should read the
<tt>ipfwadm(8)</tt> and/or <tt>ipchains(8)</tt> man pages,
looking for the -o and -l option respectively).
</BLOCKQUOTE>
<em><p>[ For those of you keeping up with the newer kernel
series, Rusty is trying to encourage people to use
and debug the new netfiler code. See the homepage
<a href="http://netfilter.kernelnotes.org/"
>http://netfilter.kernelnotes.org/</a>
for the latest scoreboard.
<br>-- Heather.]</p></em>
<BLOCKQUOTE>
Yet another source of syslog messages "from" a given
host might be that you've configured your syslogd to
accept remote (UDP) messages (by adding the appropriate
command option to its <tt>rc*</tt> script), and you've configured
the hosts in question to forward their messages to that
loghost (using appropriate "<tt>@</tt>" directives in the
<TT>/etc/syslog.conf</TT> files of the loghost clients).
</BLOCKQUOTE>
<BLOCKQUOTE>
(Anyone interested in these topics should read the
<tt>syslogd(8)</tt> and <tt>syslog.conf(5)</tt> man pages).
</BLOCKQUOTE>
<BLOCKQUOTE>
Obviously any other services my have their own logging
features in addition to these.
</BLOCKQUOTE>
<BLOCKQUOTE>
(Thus you see what I mean by "it depends on what you
mean by 'from.'" Do you mean: "log messages from
localhost services that involve (stem from interactions
with) a host" or do you mean "log messages received by
my syslog daemon that were purportely issued from
the hosts in question").
</BLOCKQUOTE>
<BLOCKQUOTE>
Anyway, it is not possible to configure the normal syslog
daemon to separate the messsages into separate files based
on the hosts from which they were received. The normal
configuration directives allow separation and filtering
based on the "facility" and "severity" (read that
syslog.conf man page for an explanation and lists of
these).
</BLOCKQUOTE>
<BLOCKQUOTE>
One way to do what you want would be to feed the messages
into a processing script (awk, or PERL). It's even possible
to do this "in real time" by configuring your loghost to
feed messages into one or more FIFOs (named pipes) and
running your processing script(s) to read from that
(or them). Again, the details should be in your
syslog.conf man page but the short form would be
something like this:
</BLOCKQUOTE>
<BLOCKQUOTE>
Add a line to <TT>/etc/syslog.conf</TT> like:
</BLOCKQUOTE>
<blockquote><pre>*.* |/dev/myloggingnode
</pre></blockquote>
<BLOCKQUOTE>
Create "myloggingnode" (conventionally in
the <TT>/dev/</TT> directory, though a <TT>/var/run</TT> or
other suitable place might be better). Use
a command like:
</BLOCKQUOTE>
<blockquote><pre> mkfifo /dev/myloggingnode
</pre></blockquote>
<BLOCKQUOTE>
or with:
</BLOCKQUOTE>
<blockquote><pre> mknod -m 0600 p /dev/myloggingnode
</pre></blockquote>
<BLOCKQUOTE>
(You'll need to make this writable by your syslog daemon,
of course).
</BLOCKQUOTE>
<BLOCKQUOTE>
Then you just run your PERL or awk script on that.
</BLOCKQUOTE>
<BLOCKQUOTE>
Another option is to check out one of the alternative
syslog systems. I've read a bit about syslog-ng (next
generation), and I think it can be configured for what
you want. Have a look at:
</BLOCKQUOTE>
<BLOCKQUOTE><BlockQuote>
<A HREF="http://www.balabit.hu/products/syslog-ng"
>http://www.balabit.hu/products/syslog-ng</A>
</BlockQuote></BLOCKQUOTE>
<BLOCKQUOTE>
... or at:
</BLOCKQUOTE>
<BLOCKQUOTE><BlockQuote>
<A HREF="http://www.freshmeat.net/appindex/1999/02/17/919286467.html"
>http://www.freshmeat.net/appindex/1999/02/17/919286467.html</A>
</BlockQuote></BLOCKQUOTE>
<BLOCKQUOTE>
For more on that.
</BLOCKQUOTE>
<BLOCKQUOTE>
For those interested in other aspects of network system
logging and event monitoring across Linux and UNIX systems,
I suggest looking at the "secure syslog" (which uses
cryptographic techniques to authenticate that messages came
from the host that purports to have sent them, etc) and
I also recommend "<tt>colortail</tt>" as a great tool for those
who like monitor their systems with '<tt>tail -f</tt>' logging.
</BLOCKQUOTE>
<BLOCKQUOTE>
You can find those at:
</BLOCKQUOTE>
<BLOCKQUOTE><BlockQuote>
<A HREF="http://www.core-sdi.com/english/slogging/ssyslog.html"
>http://www.core-sdi.com/english/slogging/ssyslog.html</A>
</BlockQuote></BLOCKQUOTE>
<BLOCKQUOTE><DL><DT>
... and
<DD><A HREF="http://www.freshmeat.net/appindex/1999/02/20/919554599.html"
>http://www.freshmeat.net/appindex/1999/02/20/919554599.html</A>
</DL></BLOCKQUOTE>
<!-- sig -->
<!-- end 10 -->
<!--startcut ======================================================= -->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
>Copyright &copy;</a> 2000, James T. Dennis
<BR>Published in <I>The Linux Gazette</I> Issue 51 March 2000</H5>
<H6 ALIGN="center">HTML transformation by
<A HREF="mailto:star@tuxtops.com">Heather Stern</a> of
Tuxtops, Inc.,
<A HREF="http://www.tuxtops.com/">http://www.tuxtops.com/</A>
</H6>
<P> <hr> <P>
<!-- begin tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::-->
<TABLE WIDTH="95%"><TR VALIGN="center" ALIGN="center">
<TD colspan="2" rowspan="2"><A
HREF="../lg_answer51.html"
><IMG SRC="../../gx/dennis/answernew.gif"
ALT="[ Answer Guy Current Index ]"></A>
<TD colspan="2" rowspan="2"><A
HREF="../../tag/kb.html"
><IMG SRC="../../gx/dennis/answertoc.gif"
ALT="[ Index of Past Answers ]"></A></td>
<TD WIDTH="11%"><A HREF="../lg_answer51.html#greeting"><img
src="../../gx/dennis/smily.gif" alt="greetings" border="0"></A></TD>
<TD WIDTH="11%"><A HREF="1.html">1</A></TD>
<TD WIDTH="11%"><A HREF="2.html">2</A></TD>
<TD WIDTH="11%"><A HREF="3.html">3</A></TD>
<TD WIDTH="11%"><A HREF="4.html">5</A></TD>
</TR><TR VALIGN="center" ALIGN="center">
<TD WIDTH="11%"><A HREF="5.html">5</A></TD>
<TD WIDTH="11%"><A HREF="6.html">6</A></TD>
<TD WIDTH="11%"><A HREF="7.html">7</A></TD>
<TD WIDTH="11%"><A HREF="8.html">8</A></TD>
<TD WIDTH="11%"><A HREF="9.html">9</A></TD>
</TR><TR VALIGN="center" ALIGN="center">
<TD WIDTH="10%"><A HREF="10.html">10</A></TD>
<TD WIDTH="10%"><A HREF="11.html">11</A></TD>
<TD WIDTH="10%"><A HREF="12.html">12</A></TD>
<TD WIDTH="10%"><A HREF="13.html">13</A></TD>
<TD WIDTH="11%"><A HREF="14.html">14</A></TD>
<TD WIDTH="11%"><A HREF="15.html">15</A></TD>
<TD WIDTH="11%"><A HREF="16.html">16</A></TD>
<TD WIDTH="11%"><A HREF="17.html">17</A></TD>
</TR><TR VALIGN="center" ALIGN="center">
<TD WIDTH="10%"><A HREF="18.html">18</A></TD>
<TD WIDTH="10%"><A HREF="19.html">19</A></TD>
<TD WIDTH="10%"><A HREF="20.html">20</A></TD>
<TD WIDTH="10%"><A HREF="21.html">21</A></TD>
<TD WIDTH="11%"><A HREF="22.html">22</A></TD>
</TR></TABLE>
</TR><TR VALIGN="center" ALIGN="center">
<!-- end tagnav ::::::::::::::::::::::::::::::::::::::::::::::::::::-->
<P> <hr> <P>
<!-- begin lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<A HREF="../index.html"
><IMG SRC="../../gx/indexnew.gif" ALT="[ Table Of Contents ]"></A>
<A HREF="../../index.html"
><IMG SRC="../../gx/homenew.gif" ALT="[ Front Page ]"></A>
<A HREF="../lg_bytes51.html"
><IMG SRC="../../gx/back2.gif" ALT="[ Previous Section ]"></A>
<A HREF="../../faq/index.html"
><IMG SRC="../../gx/dennis/faq.gif"
ALT="[ Linux Gazette FAQ ]"></A>
<A HREF="../lg_tips51.html"
><IMG SRC="../../gx/fwd.gif" ALT="[ Next Section ]"></A>
<!-- end lgnav ::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
</BODY></HTML>
<!--endcut ========================================================= -->
Reference in New Issue View Git Blame Copy Permalink