Firewall and router separate logs

gabsik · 04-15-2006, 05:10 PM

I would like to sort a syslog central server in my lan and i did not find on any of my books(they aren't that many ... )and google decent guides to syslog facilities expecially the local0. local7. and how i can direct a program to write to it.I have a debian sarge 3.1 2.6 and i have put a -r options in the /etc/init.d/sysklog to make him act on the net and get logs sent by the front-router i have choose a facility for the local2.* belonging to cisco.routers i have a netgear and it's /var/log/netgear.log but it stays empty.Separates logs for netfilter too i read somewhere to have separate netfilter logs i have to put this "kern.=debug /var/log/firewall" in /etc/syslog.conf and it stays empty asswell , please help !
Ciao !

scowles · 04-16-2006, 01:57 PM

Looks like you are on the right track. Below is a copy/paste from my syslog.conf file.
NOTE: local2.none in second part. This keeps local2 events from logging in both files.

Code:

# Firewall logs at local2
local2.*                                                /var/log/firewall.log

# Log anything (except mail,local2) of level info
# or higher. Don't log private authentication messages!
*.info;mail.none;local2.none;authpriv.none;cron.none    /var/log/messages

Obviously, the above requires the device sending log events to be configured to log at facility local2.

gabsik · 04-17-2006, 02:53 PM

Yes i'm getting the logs i need but i have a messy syslog.conf now.For firewall logs i'm using target ULOG and pointed logcheck to send me a ULOGD report.The router is seeing the syslog server and sends reports regulary.As i sayd i have a messy syslog.conf:
kern.=debug /var/log/firewall
kern.warning /var/log/firewall
kern.* -/var/log/firewall

Which is the right firewal one?