Solved ARP log to a separate file

M

mlevel

Hi,
Is there any way to redirect all ARP log messages to a separate file?
Those messages look like this:
Code: 
Apr  1 15:03:59 router kernel: arp: fa:4b:bc:12:7a:7d attempts to modify permanent entry for 192.168.29.30 on vlan3
Right now I have them in /var/log/messages in pair with a lof of other stuff, but I need to process them further and I want to avoid grep'ing them from the entire messages log file.

I've looked into /etc/syslog.conf file and it's manual but I can't find a way to redirect only entire kernel ARP entries to a separate file.

Can anyone suggest how to deal with that? Is there any straightforward UNIX-way solution?
Thanks.
 
The "arp:" in the message seems to be handled as the "program name". I tried, not having another PC at the moment to trigger arp messages, following instead
Code: 
!u3g0
*.*  /var/log/u3g0.log
and lo and behold, all 3G messages now go into that file but nothing else.

Code: 
 # less u3g0.log   
Apr  2 20:29:53 hopo kernel: u3g0: at uhub2, port 2, addr 4 (disconnected)
Apr  2 20:30:03 hopo kernel: u3g0: <Qualcomm Incorporated HP un2420 Mobile Broadband Module, class 0/0, rev 2.00/0.02, addr 4> on usbus0
Apr  2 20:30:03 hopo kernel: u3g0: Found 1 port.
Apr  2 20:30:14 hopo kernel: u3g0: at uhub2, port 2, addr 4 (disconnected)
Apr  2 20:30:16 hopo kernel: u3g0: <Qualcomm Incorporated HP un2420 Mobile Broadband Module, class 0/0, rev 2.00/0.02, addr 4> on usbus0
Apr  2 20:30:16 hopo kernel: u3g0: Found 4 ports.

Juha
 
I've tried to place next piece of configuration in /etc/syslog.conf and it's not working:
Code: 
!arp
*.*  /var/log/arp.log
I've tried to place this in the head and tail of file, result if the same.
 
These messages are generated by the kernel and not some process.
 
syslogd(8) takes the program name from the message string, no matter where it came from, I think.
u3g0: and arp: kernel messages should not be any different wrt syslogd, did you killall -HUP syslogd after the edit ?

Juha

BTW, according to arp(8) manpage, there's one message with a different tag:
!arp,arpresolve

That order is important, syslogd(8) parses the list in an ... inventive way.
 
My full syslog.conf looks like this:
Code: 
# $FreeBSD: releng/10.1/etc/syslog.conf 260519 2014-01-10 17:56:23Z asomers $
#
#   Spaces ARE valid field separators in this file. However,
#   other *nix-like systems still insist on using tabs as field
#   separators. If you are sharing this file between systems, you
#   may want to use only tabs as field separators here.
#   Consult the syslog.conf(5) manpage.

!arp,arpresolve
*.*             /var/log/arp.log

*.err;kern.warning;auth.notice;mail.crit     /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*           /var/log/security
auth.info;authpriv.info         /var/log/auth.log
mail.info           /var/log/maillog
lpr.info           /var/log/lpd-errs
ftp.info           /var/log/xferlog
cron.*             /var/log/cron
!-devd
*.=debug           /var/log/debug.log
*.emerg             *
# uncomment this to log all writes to /dev/console to /var/log/console.log
# touch /var/log/console.log and chmod it to mode 600 before it will work
#console.info           /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*             /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*             @loghost
# uncomment these if you're running inn
# news.crit           /var/log/news/news.crit
# news.err           /var/log/news/news.err
# news.notice           /var/log/news/news.notice
# Uncomment this if you wish to see messages produced by devd
# !devd
# *.>=notice           /var/log/devd.log

!ppp
*.*             /var/log/ppp.log


!*

Of course I've tried to restart syslogd(8) after I've made changes in two different ways:
Code: 
$ killall -HUP syslogd
$ service syslogd restart

But it's not working anyways.
 
You must log in or register to reply here.
Back
Top