Questions on syslog

Харбин Хэйлунцзян · Monday at 5:51 PM

In /var/log/ I see this log:

ipfw.today
ipfw.yesterday

Yet it is not there in /etc/syslog.conf. How can I find the facility to use to syslog into this log?

I observe three instances of syslogd on my system. I guess they must have different configuration files. I have only read about one - /etc/syslog.conf. How can I find the other two?

ShelLuser · Monday at 6:25 PM

I'm not using IPFW myself, but what I gather from the FreeBSD handbook this service can use 2 types of logging: either through syslog or using ipfw0. So my guess is that your service uses its own logging.

PMc · Monday at 7:23 PM

Харбин Хэйлунцзян said:
In /var/log/ I see this log:

ipfw.today
ipfw.yesterday

Yet it is not there in /etc/syslog.conf. How can I find the facility to use to syslog into this log?

It has nothing to do with syslog. The /var/log directory is used for syslog output, and for other things too.
These two files are probably created by periodic/daily by directly writing them.

Let's check:

Code:

-rw-------   1 root    wheel   uarch    3421 Apr 20 03:10 ipfw.today
-rw-------   1 root    wheel   uarch    3421 Apr 19 03:07 ipfw.yesterday

Yes, the timestamps seem to support this.

Харбин Хэйлунцзян said:
I observe three instances of syslogd on my system.

That would be strange. I see only one, plus one in every jail. Do You have jails?

Харбин Хэйлунцзян · Monday at 8:21 PM

PMc said:
These two files are probably created by periodic/daily by directly writing them.

That's interesting. Then where to does ipfw write its story?

PMc said:
That would be strange. I see only one, plus one in every jail. Do You have jails?

I haven't created any jails and actually do not know much about them. These are the instances I observe in the top output:

Code:

 2926 root          1   0    0    14M  3056K kqread   0   0:00   0.00% syslogd
 2929 root          1   0    0    14M  2924K select   0   0:00   0.00% syslogd
 2930 root          1  59    0    14M  2836K select   1   0:00   0.00% syslogd

PMc · Monday at 9:53 PM

Харбин Хэйлунцзян said:
That's interesting. Then where to does ipfw write its story?

To security.info, that is normally /var/log/security
But only when you have logging enabled in a specific rule.

Харбин Хэйлунцзян said:
I haven't created any jails and actually do not know much about them. These are the instances I observe in the top output:

Code:

2926 root 1 0 0 14M 3056K kqread 0 0:00 0.00% syslogd 2929 root 1 0 0 14M 2924K select 0 0:00 0.00% syslogd 2930 root 1 59 0 14M 2836K select 1 0:00 0.00% syslogd

strange...

SirDice · Tuesday at 8:31 AM

Харбин Хэйлунцзян said:
These are the instances I observe in the top output:

Press 'a' in top(1) to see more, or look at ps -ax | grep syslog:

Code:

10116  -  Is        0:00.66 dhclient: system.syslog (dhclient)
10890  -  SCs       0:06.15 /usr/sbin/syslogd -s
10893  -  I         0:00.03 syslogd: syslogd.casper (syslogd)
10894  -  Is        0:00.00 syslogd: system.net (syslogd)
62071  2  S+        0:00.00 grep syslog

Харбин Хэйлунцзян · Tuesday at 10:26 AM

SirDice said:

I guess these are not instances of syslogd. What are they then?

Meanwhile my blocking service syslogs to /var/log/security.

SirDice · Tuesday at 10:44 AM

I'm not intimately familiar with the details, but I suspect syslogd.casper alludes to libcasper(3) (capability framework), while system.net is probably the part that handles sending/receiving syslog messages over the network.

Questions on syslog

Харбин Хэйлунцзян

ShelLuser

PMc

Харбин Хэйлунцзян

PMc

SirDice

Administrator

Харбин Хэйлунцзян

SirDice

Administrator