# A syslog question



## qsecofr (Nov 22, 2012)

Hi,

I've got a FreeBSD 7.4-RELEASE machine running hostapd. And by default it seems that all messages generated end up in /var/log/messages. I've been able to direct them also into a file of my choice, /var/log/hostapd.log, in an effort to try and keep the messages file cleaner. But that's where I'm stuck. I've tried a few different lines in /etc/syslog.conf, but to no avail.

This is the working directive into hostapd.log:

```
!hostapd
*.*                                             /var/log/hostapd.log
```

A helping hand to show me how to keep these out of /var/log/messages would be greatly appreciated.


----------



## fonz (Nov 22, 2012)

qsecofr said:

> A helping hand to show me how to keep these out of /var/log/messages would be greatly appreciated.


Can you post your /etc/syslog.conf, or at least the entries referring to /var/log/messages?

Fonz


----------



## qsecofr (Nov 22, 2012)

These entries point to /var/log/messages


```
kern.=debug                                     /var/log/messages
#*.notice                                       /var/log/messages
!-hostapd.notice                                /var/log/messages
daemon.info;mail.crit                           /var/log/messages
*.emerg                                         *
```


----------



## fonz (Nov 22, 2012)

Start your /etc/syslog.conf with

```
!-hostapd
```
All the following rules will disregard hostapd until you say otherwise, so this is the place to put all non-hostapd-related rules. Then, write

```
!hostapd
```
and add any rules specific to hostapd.

Example (tweak to your liking but you'll probably get the idea):

```
# First, exclude hostapd until further notice.
!-hostapd

# Everything (except hostapd) goes to /var/log/messages and important
# messages go to root's terminal(s) too.
*.*   /var/log/messages
*.err root

# Example of some other random program (nginx) of which the messages
# will go in a separate logfile IN ADDITION TO what's specified above
# (i.e. /var/log/messages and root).
!nginx
*.*   /var/log/nginx.log

# Now, specify where hostapd goes.
!hostapd
*.*   /var/log/hostapd.log
```

Hope this helps,

Fonz
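
The block rules described in this post, as an added example that is not part of the original thread and is not syslogd's own code: a simplified Python model of syslog.conf(5) program specifications and selectors that lists where a message would be delivered. The sample configuration is constructed from rules quoted in the thread, the function names are hypothetical, and it is an assumption that hostapd logs with facility daemon at level info.

```python
# Simplified model of syslog.conf(5) program blocks (added example, not syslogd code).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed from the rules quoted in the thread.
CONF = """\
!-hostapd
kern.=debug      /var/log/messages
daemon.info      /var/log/messages
!hostapd
*.*              /var/log/hostapd.log
"""

def parse(conf):
    """Return (program_spec, selectors, action) for every rule line."""
    rules, prog = [], "*"
    for line in map(str.strip, conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):      # program specification opens a new block
            prog = line[1:].strip()
            continue
        selectors, action = line.split(None, 1)
        rules.append((prog, selectors, action))
    return rules

def prog_matches(spec, program):
    """'!*' matches all, '!a,b' only a and b, '!-a' everything except a."""
    if spec == "*":
        return True
    return (program in spec.lstrip("+-").split(",")) != spec.startswith("-")

def selector_matches(field, facility, level):
    """Per facility, the last selector naming it (or '*') decides."""
    verdict = False
    for sel in field.split(";"):
        facs, _, lvl = sel.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        exact, lvl = lvl.startswith("="), lvl.lstrip("=")
        if lvl in ("none", "*"):
            verdict = lvl == "*"
        else:  # lower index = more severe; plain 'info' means info or worse
            got, want = LEVELS.index(level), LEVELS.index(lvl)
            verdict = got == want if exact else got <= want
    return verdict

def destinations(conf, program, facility, level):
    return [a for p, s, a in parse(conf)
            if prog_matches(p, program) and selector_matches(s, facility, level)]
```

Calling `destinations()` with the text of a real /etc/syslog.conf lists every rule that would deliver a given program's message; any later `!prog` or `!*` line ends the `!-hostapd` block, so rules after it are evaluated under the new specification.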


----------



## qsecofr (Nov 23, 2012)

The explanation makes sense and helps me understand better.  I've edited /etc/syslog.conf so that the hostapd exclusion is the very first line.


```
!-hostapd
```

cut

Followed by some entries that pertain to /var/log/messages


```
kern.=debug                                     /var/log/messages
#*.notice                                       /var/log/messages
daemon.info                                     /var/log/messages
```

and possibly 

```
*.emerg                                         *
```

and then down the bottom

```
!hostapd
*.*                                             /var/log/hostapd.log
```

But yet after restarting hostapd I still see entries like the following in messages

```
Nov 23 10:41:50 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 IEEE 802.11: associated
Nov 23 10:41:50 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: pairwise key handshake completed (WPA)
Nov 23 10:41:50 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: group key handshake completed (WPA)
```

Is reboot necessary in addition to restarting hostapd?  Or is it possible these log entries fall into one of those few categories still pointing to /var/log/messages?


----------



## fonz (Nov 23, 2012)

qsecofr said:

> Is reboot necessary in addition to restarting hostapd?


Rebooting is rarely necessary on UN*X systems. But besides hostapd you do also need to restart syslogd for the changes to take effect: `# /etc/rc.d/syslogd restart`
I had to do that several times trying to find your answer 

Fonz


----------



## qsecofr (Nov 24, 2012)

I wish it worked as well for me as it worked for you.  I restarted both syslogd and hostapd, but still observe the duplication of log messages.

In the end I went through /etc/syslog.conf and commented out line-by-line anything pertaining to /var/log/messages.  It seems daemon.info is the guilty party.


```
#daemon.info                                    /var/log/messages
```


```
# tail /var/log/hostapd.log
Nov 23 21:25:50 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: group key handshake completed (WPA)
Nov 23 21:27:20 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 IEEE 802.11: associated
Nov 23 21:27:20 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: pairwise key handshake completed (WPA)
Nov 23 21:27:20 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: group key handshake completed (WPA)
Nov 23 21:28:50 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 IEEE 802.11: associated
Nov 23 21:28:50 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: pairwise key handshake completed (WPA)
Nov 23 21:28:50 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: group key handshake completed (WPA)
Nov 23 21:30:21 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 IEEE 802.11: associated
Nov 23 21:30:21 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: pairwise key handshake completed (WPA)
Nov 23 21:30:21 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: group key handshake completed (WPA)
```

and


```
# tail /var/log/messages
Nov 23 21:21:20 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: group key handshake completed (WPA)
Nov 23 21:22:50 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 IEEE 802.11: associated
Nov 23 21:22:50 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: pairwise key handshake completed (WPA)
Nov 23 21:22:50 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: group key handshake completed (WPA)
Nov 23 21:23:33 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 IEEE 802.11: associated
Nov 23 21:23:33 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: pairwise key handshake completed (WPA)
Nov 23 21:23:33 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: group key handshake completed (WPA)
Nov 23 21:24:20 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 IEEE 802.11: associated
Nov 23 21:24:20 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: pairwise key handshake completed (WPA)
Nov 23 21:24:20 hostname hostapd: ral0: STA 20:4e:7f:e4:1a:37 WPA: group key handshake completed (WPA)
```

But I don't know what impact that may have.  What other services use facility daemon and log level info (or greater than)?


----------

