Syslog and Panther

Discussion in 'Apple' started by Brad Denham, Nov 18, 2003.

  1. Brad Denham (Guest)

    I have a Netscreen 204 firewall that I can configure to send its
    syslog messages to my G4 running Panther. How would I configure my G4
    to save these syslog messages? I don't want them to be displayed by the
    console; I would like them to be saved to a text file and then view them
    from there.
    The only settings that I have on my firewall are to point the output to
    an IP address on port 514. From there I am unsure of what to do on my
    Mac.
    Currently the messages are being sent to a Win2k machine and I can view
    them with the Kiwi Syslog Daemon program, and they are saved to a
    default file name (SyslogCatchAll) used by Kiwi.

    Thank you for your replies.
     
    Brad Denham, Nov 18, 2003
    #1

  2. You'll need to configure the syslog daemon "syslogd" to accept the messages
    and put them in an appropriate spot. syslogd is by default started at
    startup, but appears to be only listening for messages from the local
    machine. To open it up to network traffic, you'll need to turn on "insecure"
    mode. This tells syslogd to listen for UDP packets on port 514 (as specified
    in /etc/services).

    To do this, simply edit the startup script at
    /System/Library/StartupItems/SystemLog/SystemLog

    Just change the line
    syslogd
    to
    syslogd -u

    And to make your changes stick, at the command line type:

    % sudo SystemStarter restart "System Log"

    where % is your command prompt. Finally, you'll probably want to put the
    messages somewhere specific. To do this, you'll need to find out what
    identifier your firewall is using. Your firewall, when sending syslog
    messages, will specify a "facility" and a "level" (together, these make up
    a "priority", which is how you identify the message). As a WAG, your
    firewall might be sending LOG_SECURITY facility, and any of the levels:
    emerg, alert, crit, err, warning, notice, info or debug.

    In that case, you might want an extra line in your /etc/syslog.conf file
    like this:

    security.* /var/log/Netscreen.log

    When you make changes to the syslog.conf file, you can put them into effect
    by 'HUP'ing the daemon with this command:

    % kill -HUP `cat /var/run/syslog.pid`

    Now, a warning: I've never tried any of this. I just think it should
    probably work. Hope it all makes sense, and is of use. A small warning - the
    syslogd is started with the "insecure" mode for a reason. It is possible,
    once that mode is turned on, that devices on your network could fill your
    log files as they wish. Of course, that's the tradeoff you have to make.
     
    Heath Raftery, Nov 19, 2003
    #2

  3. Panther syslogd is started in /etc/rc. To enable it for network
    traffic, change the line from "syslogd -s -m 0" to "syslogd -u -m 0".
     
    Ronald Florence, Nov 19, 2003
    #3
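The steps in posts #2 and #3, as an added shell example that is not from anyone in this thread: post #2 says you first have to find out which facility and level the firewall is sending before you can write a selector for /etc/syslog.conf. The functions below decode the `<PRI>` number at the front of a raw syslog datagram into a facility.level name (BSD syslog.h / RFC 3164 numbering, where 13 is "security"), print the matching syslog.conf line, append it to a configuration file only if that facility is not already configured, and swap the `-s` flag for `-u` in a copy of /etc/rc as post #3 describes. The sample messages and file paths are constructed for the example; run it against copies of the real files first.

```shell
#!/bin/sh
# Decode syslog <PRI> headers and build the matching syslog.conf rule.
# Facility and level names follow BSD syslog.h / RFC 3164 numbering
# (PRI = facility * 8 + level). Sample datagrams below are constructed.

FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp security console cron2 local0 local1 local2 local3 local4 local5 local6 local7"
LEVELS="emerg alert crit err warning notice info debug"

# nth WORDLIST N -> print the N-th word (0-based)
nth() {
    echo "$1" | cut -d' ' -f$(($2 + 1))
}

# decode_pri RAWLINE -> "facility.level", e.g. "<109>..." -> "security.notice"
# Returns 1 when the line has no valid <PRI> header, so a caller can tell
# "unknown sender format" apart from a real facility.
decode_pri() {
    line=$1
    case $line in
        "<"[0-9]*">"*) ;;
        *) echo "no PRI header" >&2; return 1 ;;
    esac
    pri=${line#"<"}
    pri=${pri%%">"*}
    case $pri in
        *[!0-9]*|'') echo "bad PRI" >&2; return 1 ;;
    esac
    # 23 facilities * 8 levels: anything above 191 is not a valid PRI
    [ "$pri" -le 191 ] || { echo "PRI out of range" >&2; return 1; }
    fac=$((pri / 8))
    lvl=$((pri % 8))
    echo "$(nth "$FACILITIES" "$fac").$(nth "$LEVELS" "$lvl")"
}

# syslog_rule FACILITY.LEVEL LOGFILE -> the syslog.conf line for that facility.
# The selector and the action must be separated by whitespace; a tab is used.
syslog_rule() {
    fac=${1%%.*}
    printf '%s.*\t%s\n' "$fac" "$2"
}

# add_rule CONF FACILITY.LEVEL LOGFILE: append the rule unless a selector
# for that facility is already present (safe to run more than once).
add_rule() {
    conf=$1; fac=${2%%.*}; log=$3
    if grep -q "^$fac\." "$conf" 2>/dev/null; then
        return 0
    fi
    syslog_rule "$2" "$log" >> "$conf"
}

# enable_udp_listener RCFILE: replace "syslogd -s -m 0" (local only) with
# "syslogd -u -m 0" (listen on UDP 514) in the given file, as post #3 does
# by hand. Takes any path, so it can be tried on a copy of /etc/rc first.
enable_udp_listener() {
    sed 's/^\([[:space:]]*\)syslogd -s -m 0/\1syslogd -u -m 0/' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# Demonstration on constructed datagrams (PRI 109 = 13*8+5, PRI 34 = 4*8+2).
decode_pri '<109>Nov 18 10:00:00 ns204: example security event'
decode_pri '<34>Nov 18 10:00:01 ns204: example auth event'
syslog_rule "$(decode_pri '<109>Nov 18 10:00:00 ns204: x')" /var/log/Netscreen.log
```

Capture one real datagram from the firewall (for instance with tcpdump on port 514) and feed its text to decode_pri; the facility it prints is the one to use in the syslog.conf selector, instead of guessing at "security".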
  4. Brad Denham (Guest)

    Thank you both for the information, it is greatly appreciated. I will
    give this a shot and let you know if I have any problems.
     
    Brad Denham, Nov 19, 2003
    #4
  5. Oh! Well pointed out. Terribly sorry, I didn't read the question
    completely. My instructions were for Jaguar. But with the appropriate
    modifications, they should still work out.

    Interesting to see that the mark messages have been turned off...
     
    Heath Raftery, Nov 20, 2003
    #5