DaemonForums > Miscellaneous > Guides

Splitting relayd log entries from /var/log/daemon

#1 J65nko (Administrator), 23rd May 2021

Part of growing up is that you get your own things. You get your own bike instead of sharing it with a sibling. You get your own bedroom, car etc.

So I decided to give relayd(8) a log file of its own and not having to share it with other daemons in /var/log/daemon

After some experimentation I found that the following works:
Code:
#       $OpenBSD: syslog.conf,v 1.20 2016/12/27 13:38:14 jca Exp $
#

# --- 
!!relayd
*.*                                                     /var/log/relayd

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info                             /var/log/messages
auth.info                                               /var/log/authlog
authpriv.debug                                          /var/log/secure
cron.info                                               /var/cron/log
daemon.info                                             /var/log/daemon
[snip]
# Uncomment to log messages from doas(1) to its own log file.  Matches are done
# based on the program name.
# Program-specific logs:
#!doas
#*.*                                                    /var/log/doas
When I had those two lines at the end (after the doas entry), relayd log entries, although going to /var/log/relayd, were still also logged in /var/log/daemon.

From syslog.conf(5):

Quote:
Each block of lines is separated from the previous block by a tag. The
tag is a line beginning with !prog and each block will be associated with
calls to syslog from that specific program (matched using glob(7) rules).
When a message matches multiple blocks, the action of each matching block
is taken. If no tag is specified at the beginning of the file, every
line is checked for a match and acted upon (at least until a tag is
found).

!!prog causes the subsequent block to abort evaluation when a message
matches, ensuring that only a single set of actions is taken. !* can be
used to ensure that any ensuing blocks are further evaluated (i.e.
cancelling the effect of a !prog or !!prog).

To ensure the new settings are being used, remember to restart or reload the syslogd(8) daemon:
Code:
# rcctl restart syslogd
syslogd(ok)
syslogd(ok)
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#2 IdOp, 23rd May 2021

I'm a bit confused. In your example, there appears to be a single block, beginning with the tag !!relayd. (At least, ignoring the [snip].) But certainly the line "daemon.info /var/log/daemon" seems to be part of that first block, and not part of a subsequent block. So why is it not executed? I'm probably missing something simple.

#3 J65nko (Administrator), 24th May 2021

I have to admit I am now confused too. I thought that "!!relayd" acted similarly to a "quick" rule in the pf firewall.
And it indeed does... relayd is now logging to its own log.

But all other logging has stopped. For example, no more ssh logins in /var/log/authlog.

So I moved it back to the end under the commented 'doas' line and am trying to specify something other than that *.* wildcard.

!relayd
daemon.info
still logs to its own log file, as well as "/var/log/daemon".

So now the question is how to stop logging to "/var/log/daemon"?
But right now I have no time to pursue this any further.

Feel free to test with this shell script:
Code:
#!/bin/sh
# Send a test message at daemon.info every INTERVAL seconds, so you can watch
# which log files syslogd(8) writes it to while you change syslog.conf.

INTERVAL=10
PRIORITY="-p daemon.info"   # expanded unquoted below on purpose: it must become two words

echo "Starting $0 ......" | logger $PRIORITY -t "$0"

while true ; do
    sleep "$INTERVAL"
    echo "Testing sleeping $INTERVAL seconds ... at $(date)"
done 2>&1 | logger $PRIORITY -t "$0"

#4 IdOp, 24th May 2021

I think I've resolved the source of my confusion. By "subsequent block" I think they mean the block immediately after the !!prog. I was originally thinking of the !!prog tag as being part of the block, but a careful reading of the man page is more consistent with the tag not being part of the block; rather, it separates blocks.

So I think this would explain why you only get the one action, and only for relayd, because you have only one block and its associated tag is !!relayd.

I'll try to look at it more later, given time, regarding how to get it to do what you want.

#5 IdOp, 24th May 2021

Ah-ha! Look at the EXAMPLES section of syslog.conf(5), right at the very start.

You may need a third line in your relayd section, consisting of only !*

Hopefully that will work.


#6 J65nko (Administrator), 24th May 2021

Quote:
Originally Posted by IdOp
Ah-ha! Look at the EXAMPLES section of syslog.conf(5), right at the very start.

You may need a third line in your relayd section, consisting of only !*

Yes, thank you. That made it work. But actually this solution is mentioned in the quotation from the syslog.conf manpage in http://daemonforums.org/showthread.p...1762#post70868 (last paragraph of the quote).

#7 J65nko (Administrator), 24th May 2021

The solution:
Code:
#       $OpenBSD: syslog.conf,v 1.20 2016/12/27 13:38:14 jca Exp $
#

# --- relayd messages in separate log
# Logfiles already have to exist with the correct permissions
# syslogd does not create them for you!

!!relayd
daemon.info                                             /var/log/relayd
!*


*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info                             /var/log/messages

#8 IdOp, 25th May 2021

Quote:
Originally Posted by J65nko
Yes, thank you. That made it work.

That's great to hear.

Quote:
But actually this solution is mentioned in the quotation from the syslog.conf manpage in http://daemonforums.org/showthread.p...1762#post70868 (last paragraph of the quote)

Indeed the !* is mentioned there in the text. I read it many times without following, and still cannot see how it jives with what is given in the example.
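
The evaluation rules quoted from syslog.conf(5) in #1, and the reason the !* in #7 is needed, as a small Python model added to this thread (it is not syslogd's code; it takes the man page wording literally, so the first matching line of a !!prog block ends evaluation for that message, and the three rule sets below are constructed from the thread's snippets with the stock rules abbreviated):

```python
"""Model of how syslogd(8) walks a syslog.conf(5) file that uses !prog, !!prog
and !* tags.  Added illustration for the thread, not syslogd's code; it assumes
that the first matching line of a !!prog block ends evaluation for a message."""
import fnmatch

# syslog(3) severities, most severe first, so a lower index is more urgent
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]


def parse_selector(selector):
    """Map facility -> least severe level that still matches, for a selector
    such as '*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none'.
    Parts separated by ';' are applied left to right, so 'none' can remove
    facilities that an earlier '*' added."""
    mask = {}
    for part in selector.split(";"):
        facs, level = part.rsplit(".", 1)
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if level == "none":
                mask.pop(fac, None)
            else:
                mask[fac] = len(LEVELS) - 1 if level == "*" else LEVELS.index(level)
    return mask


def parse_conf(text):
    """Turn a syslog.conf body into (program_glob, quick, mask, action) rules.
    A tag line sets the program filter for the lines that follow it: '!prog'
    and '!!prog' restrict them to one program (quick for '!!'), '!*' lifts the
    restriction again.  Lines before any tag apply to every program."""
    rules, program, quick = [], None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("!"):
            quick = line.startswith("!!")
            tag = line.lstrip("!")
            program = None if tag == "*" else tag
            continue
        selector, action = line.split(None, 1)
        rules.append((program, quick, parse_selector(selector), action))
    return rules


def actions(rules, program, facility, level):
    """Destinations a message from `program` at facility.level is written to,
    walking the rules in file order and stopping at the first match inside a
    quick (!!) block.  Program names are matched with glob rules, as syslogd does."""
    severity = LEVELS.index(level)
    taken = []
    for prog_glob, quick, mask, action in rules:
        if prog_glob is not None and not fnmatch.fnmatchcase(program, prog_glob):
            continue
        if facility not in mask or severity > mask[facility]:
            continue
        taken.append(action)
        if quick:
            break
    return taken


# Constructed from the thread's snippets; the stock OpenBSD rules are abbreviated
DEFAULTS = """\
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info                             /var/log/messages
auth.info                                               /var/log/authlog
authpriv.debug                                          /var/log/secure
cron.info                                               /var/cron/log
daemon.info                                             /var/log/daemon
"""
RELAYD_AT_END = DEFAULTS + "!!relayd\n*.*   /var/log/relayd\n"         # the first try, block after the doas entry
RELAYD_AT_TOP = "!!relayd\n*.*   /var/log/relayd\n" + DEFAULTS         # post #1, block at the top without !*
SOLUTION = "!!relayd\ndaemon.info   /var/log/relayd\n!*\n" + DEFAULTS   # post #7


def demo():
    """Where a relayd daemon.info message and an sshd auth.info message land
    under each of the three configurations discussed in the thread."""
    out = {}
    for name, conf in [("end", RELAYD_AT_END), ("top", RELAYD_AT_TOP), ("fix", SOLUTION)]:
        rules = parse_conf(conf)
        out[name + ":relayd"] = actions(rules, "relayd", "daemon", "info")
        out[name + ":sshd"] = actions(rules, "sshd", "auth", "info")
    return out


if __name__ == "__main__":
    for key, dests in demo().items():
        print(f"{key:12} -> {dests}")
```

With the block at the end, a relayd message is written to /var/log/daemon first (the untagged stock rules are evaluated before the quick block is reached) and then to /var/log/relayd. With the block at the top and no !*, every stock rule is part of the relayd block, so sshd's auth.info message matches nothing, which is the "all other logging has stopped" of #3. With !* restoring the untagged state, relayd messages stop at the quick block and everything else falls through to the stock rules. One consequence of the quick block worth knowing: a relayd message at daemon.notice also never reaches /var/log/messages, because evaluation ends at the first match.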

#9 J65nko (Administrator), 20th August 2022

After configuring relayd(8) not to log to /var/log/daemon but to a log file by itself, I used the following entry in newsyslog.conf(8) to rotate and compress these logs:
Code:
# logfile_name          owner:group     mode count size when  flags
/var/log/daemon                         640  5     300  *     Z
[snip]
/var/log/relayd                         644  10    1024  *    Z
Because originally it logged to /var/log/daemon, I assume it does not need a pkill command like httpd does:
Code:
/var/www/logs/access.log                644  4     *    $W0   Z "pkill -USR1 -u root -U root -x httpd"

J65nko (Administrator), 21st August 2022

newsyslog will be run by cron every hour.
But you can view what newsyslog(8) will do if you run it from the command line with the -vn option:
Code:
$ doas newsyslog -vn 

/var/cron/log <3Z>: size (KB): 2.96 [10] --> skipping
/var/log/authlog <7Z>: age (hr): 37 [168] --> skipping
/var/log/daemon <5Z>: size (KB): 26.21 [300] --> skipping
/var/log/lpd-errs <7Z>: size (KB): 0.00 [10] --> skipping
/var/log/maillog <7Z>: age (hr): 13 [24] --> skipping
/var/log/messages <5Z>: size (KB): 39.05 [300] --> skipping
/var/log/secure <7Z>: age (hr): 37 [168] --> skipping
/var/log/wtmp <7B>: --> will trim at Thu Sep  1 04:00:00 2022
/var/log/xferlog <7Z>: size (KB): 0.00 [250] --> skipping

/var/log/pflog <3ZB>: size (KB): 250.57 [250] --> trimming log....
        rm -f /var/log/pflog.2 /var/log/pflog.2.gz
        rm -f /var/log/pflog.3 /var/log/pflog.3.gz
        mv /var/log/pflog.1.gz /var/log/pflog.2.gz
        chmod 600 /var/log/pflog.2.gz
        chown 0:0 /var/log/pflog.2.gz
        mv /var/log/pflog.0.gz /var/log/pflog.1.gz
        chmod 600 /var/log/pflog.1.gz
        chown 0:0 /var/log/pflog.1.gz
        mktemp /var/log/pflog.XXXXXXXXXX
        mv /var/log/pflog to /var/log/pflog.0
        chmod 600 /var/log/pflog.0
        chown 0:0 /var/log/pflog.0
        mv /var/log/pflog.XXXXXXXXXX to /var/log/pflog

/var/log/relayd <20Z>: size (KB): 687.08 [1024] --> skipping
/var/www/logs/http80_access.log <8Z>: size (KB): 965.35 [1024] --> skipping
/var/www/logs/http80_error.log <8Z>: size (KB): 675.55 [1024] --> skipping
run pkill -HUP -u root -U root -t - -x pflogd
gzip /var/log/pflog.0
You see that /var/log/relayd at this moment is 687.08 KB, which is less than the 1024 KB needed for it to be rotated.

But /var/log/pflog will be rotated/trimmed and gzipped at the next hourly run.
The pflog files are:
Code:
ls -l /var/log/pflog*
-rw-------  1 root  wheel  267799 Aug 21 04:42 /var/log/pflog
-rw-------  1 root  wheel   62760 Aug 21 00:00 /var/log/pflog.0.gz
-rw-------  1 root  wheel   65112 Aug 20 18:00 /var/log/pflog.1.gz
-rw-------  1 root  wheel   63971 Aug 20 12:00 /var/log/pflog.2.gz
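
The decision newsyslog(8) prints with -vn for the entries in #9 and above, as a Python model added to this thread (not newsyslog's own code). It parses the newsyslog.conf(8) columns, including the optional owner:group column and the quoted command that follows the flags, and reproduces the trim ladder shown for pflog. It only handles the '*' and plain-hours forms of the `when` column; a calendar form such as $W0 is treated as not due, which is an assumption of this example. The pflog and authlog lines below are reconstructed from the -vn output, not copied from a file:

```python
"""Model of the rotation decision newsyslog(8) prints with -vn.  Added
illustration, not newsyslog's own code; it handles only '*' and plain-hours
values in the `when` column (a calendar value such as $W0 counts as not due)."""
import shlex


def parse_entry(line):
    """Split one newsyslog.conf line into its columns.  The owner:group column
    is optional, so it is recognised by the ':' it must contain; anything after
    the flags is the (quoted) command newsyslog runs once the log is rotated."""
    fields = shlex.split(line)
    entry = {"path": fields.pop(0)}
    entry["owner"] = fields.pop(0) if ":" in fields[0] else None
    entry["mode"] = fields.pop(0)
    entry["count"] = int(fields.pop(0))
    size = fields.pop(0)
    entry["size_kb"] = None if size == "*" else int(size)
    entry["when"] = fields.pop(0)
    entry["flags"] = fields.pop(0) if fields else ""
    entry["pidcmd"] = " ".join(fields) if fields else None
    return entry


def rotation_commands(entry):
    """The steps -vn lists for a trim: drop the oldest archive, shift the
    numbered archives up by one (.gz names when the Z flag compresses them),
    move the live file to .0, signal the writer if a command is configured,
    then compress the new .0."""
    p, n = entry["path"], entry["count"]
    gz = ".gz" if "Z" in entry["flags"] else ""
    cmds = [f"rm -f {p}.{n - 1} {p}.{n - 1}.gz", f"rm -f {p}.{n} {p}.{n}.gz"]
    for k in range(n - 2, -1, -1):
        cmds.append(f"mv {p}.{k}{gz} {p}.{k + 1}{gz}")
    cmds += [f"mv {p} {p}.0", f"chmod {entry['mode']} {p}.0"]
    if entry["pidcmd"]:
        cmds.append(f"run {entry['pidcmd']}")
    if gz:
        cmds.append(f"gzip {p}.0")
    return cmds


def plan(entry, size_kb, age_hr):
    """Return (status line, commands) for the current size and age of the log.
    A size limit and an hours-based `when` each trigger a trim on their own."""
    tag = f"{entry['path']} <{entry['count']}{entry['flags']}>"
    due, why = False, []
    if entry["size_kb"] is not None:
        why.append(f"size (KB): {size_kb:.2f} [{entry['size_kb']}]")
        due |= size_kb >= entry["size_kb"]
    if entry["when"].isdigit():
        why.append(f"age (hr): {age_hr} [{entry['when']}]")
        due |= age_hr >= int(entry["when"])
    elif entry["when"] != "*":
        why.append(f"when {entry['when']}: calendar schedule not modelled")
    verdict = "trimming log...." if due else "skipping"
    status = f"{tag}: {'; '.join(why) or 'no limit'} --> {verdict}"
    return status, (rotation_commands(entry) if due else [])


# Entries from the thread; pflog and authlog are reconstructed from the -vn output
CONF = """\
/var/log/daemon                         640  5     300  *     Z
/var/log/relayd                         644  10    1024  *    Z
/var/log/authlog                        600  7     *    168   Z
/var/log/pflog                          600  3     250  *     ZB "pkill -HUP -u root -U root -t - -x pflogd"
/var/www/logs/access.log                644  4     *    $W0   Z "pkill -USR1 -u root -U root -x httpd"
"""
ENTRIES = {e["path"]: e for e in (parse_entry(row) for row in CONF.splitlines())}


if __name__ == "__main__":
    # Sizes and ages taken from the -vn run above
    for path, size_kb, age_hr in [("/var/log/relayd", 687.08, 0),
                                  ("/var/log/authlog", 0, 37),
                                  ("/var/log/pflog", 250.57, 0)]:
        status, cmds = plan(ENTRIES[path], size_kb, age_hr)
        print(status)
        for cmd in cmds:
            print("        " + cmd)
```

For /var/log/relayd at 687.08 KB the verdict is "skipping", as in the -vn run; for /var/log/pflog at 250.57 KB the command list matches the ladder above, with the configured pkill run before the gzip. An entry with a '*' size and '*' when never rotates by itself, so give each new log file either a size or a time limit.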