Enable remote logging (syslog) in 10.5
Authored by: JimMueller on Apr 18, '09 11:15:48AM

Oh, so close, xr4ti.
Thanks for the wealth of info in your comment.

I had to do some digging into what some of the terms you used meant. For example, how to find the "facility" in the syslog data that was being sent to the syslog server. Adding a -v to the tcpdump command gave me a second line in each incoming message that said:

Facility security (13), Severity info (6)

so my guess is that my D-Link router is naming its syslog facility "security", but it is still not writing to the router.log file even after editing the syslog.config to point security.* to /var/logs/router.log.

The Mac we are trying to add syslog ability to has the firewall set to accept all incoming (Slap my wrist if you wish...) which is obviously true because it is seeing the correct tcpdump data coming in on the specified port.
Am I not reading the tcpdump data correctly? Do I need to run it with -vv to read what the facility tag really is?

I just tried a full reboot and there's still nothing getting written to the router log.



Enable remote logging (syslog) in 10.5
Authored by: pediger on Apr 21, '09 12:43:54PM
"Facility security (13), Severity info (6) so my guess is that my D-Link router is naming its syslog facility "security", but it is still not writing to the router.log file even after editing the syslog.config to point security.* to /var/logs/router.log."
Try remoteauth.* instead of security.*. I recently had the same trouble routing my D-Link log to a Tiger machine. Rather than "security," Wireshark reports:

Facility: LOGAUDIT - log audit (13) and Level INFO - informational (6)

so like you I was trying logaudit.* and audit.*, etc.

If you look at /usr/include/sys/syslog.h you can see how the numbers (13 in this case) map into the facility text codes (remoteauth).

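Added example (not part of either comment above, and not code from the site): a small C program that splits the PRI value of a syslog datagram into facility and severity and looks it up, in both directions, in the facilitynames table that the local syslog.h defines when SYSLOG_NAMES is set, which is the mapping the last comment points to. The sample datagram and the function names are made up for illustration; the name reported for a number such as 13 depends on the header of the machine the program is compiled on.

```c
#define SYSLOG_NAMES            /* ask <syslog.h> to define facilitynames[] */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Parse the leading "<PRI>" of a raw syslog datagram; -1 if malformed. */
int parse_pri(const char *msg)
{
    int pri = 0, digits = 0;
    if (*msg++ != '<') return -1;
    while (*msg >= '0' && *msg <= '9' && digits < 3) {
        pri = pri * 10 + (*msg++ - '0');
        digits++;
    }
    return (digits > 0 && *msg == '>') ? pri : -1;
}

/* PRI = facility * 8 + severity */
int facility_of(int pri) { return pri >> 3; }
int severity_of(int pri) { return pri & 7; }

/* First name this system's syslog.h gives a facility number, or NULL. */
const char *facility_name(int fac)
{
    for (const CODE *c = facilitynames; c->c_name != NULL; c++)
        if (c->c_val == (fac << 3)) return c->c_name;
    return NULL;
}

/* Facility number a keyword such as "security" stands for; -1 if unknown. */
int facility_number(const char *name)
{
    for (const CODE *c = facilitynames; c->c_name != NULL; c++)
        if (strcmp(c->c_name, name) == 0) return c->c_val >> 3;
    return -1;
}

int main(void)
{
    /* Constructed sample datagram: facility 13, severity 6 -> PRI 110. */
    const char *sample = "<110>Apr 18 11:15:48 router sample message";
    int pri = parse_pri(sample);
    const char *name = facility_name(facility_of(pri));

    printf("PRI %d: facility %d (%s), severity %d\n", pri, facility_of(pri),
           name ? name : "no name in this syslog.h", severity_of(pri));
    printf("keyword \"security\"   -> facility %d\n", facility_number("security"));
    printf("keyword \"remoteauth\" -> facility %d\n", facility_number("remoteauth"));
    return 0;
}
```

Comparing the number printed for the keyword with the number in the packet shows whether a given selector name in the local header refers to the facility the router is actually sending.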