# syslog difficulties



## jem (Jun 9, 2014)

Hi forum.

On my home network, I have an ADSL router on 192.168.0.1 and a FreeBSD host on 192.168.0.2.  The ADSL router can be configured to send its log messages to a syslog host and as I've been having connection stability issues, I thought I'd set this up to gather diagnostic information to send to my ISP.

I started by modifying /etc/rc.conf thus:

```
> syslogd_flags="-a 192.168.0.1/32:*"
```

The router web interface doesn't give details of which syslog facility or severity it uses for its messages, so I ran syslogd(8) in debug mode for a short time as follows: `/usr/sbin/syslogd -a 192.168.0.1/32:\* -d -v`.

Here's the debug output showing a message from the router:

```
cvthname(192.168.0.1)
validate: dgram from IP 192.168.0.1, port 52898, name router.home;
accepted in rule 0.
logmsg: pri 32, flags 0, from router, msg  syslog: The user from 192.168.0.2 has logined in. 
Logging to CONSOLE /dev/console
Logging to FILE /var/log/messages
logmsg: pri 166, flags 17, from atom, msg Jun  9 10:28:02 <3.2> router syslog: The user from 192.168.0.2 has logined in.
```

'pri 166' decodes to 'local4.info', so I then modified /etc/syslog.conf thus:

```
< *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err       /var/log/messages
> *.notice;local4.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err       /var/log/messages

> +router.home
> local4.*                                        /var/log/router.log
```

I created /var/log/router.log as root.

Log messages from the router are being received and logged, but they're going into /var/log/messages instead, while /var/log/router.log remains empty.  I'm puzzled by this.

Closer inspection of the syslogd debug output revealed some ambiguity.  It seems to be showing each router log message twice, once received from the router with priority 32 and then again from the FreeBSD host itself with priority 166.

Can anyone clarify what's going on here so that I fix the syslog configuration?


----------



## jem (Jun 9, 2014)

It seems that I was misinterpreting syslogd's debug output.  The pri number on each logmsg line is in octal, so 166 octal is 118 decimal, which corresponds to console.info  (facility 14, severity 6)

So, it looks like the router is sending out syslog messages using the standard system facility levels, rather than one of the local{0-7} ones that network equipment usually use.  syslogd is receiving these and generating a second message to itself using console.info.

As I can't really select the router's messages using facility and severity (as it may catch other messages not from the router), I've just done this instead:

In /etc/syslog.conf:


```
(At top of the file)
> -router.home

(At bottom of file)
> +router.home
> *.*                                              /var/log/router.log
```

Things now work as required.


----------

