Splitting relayd log entries from /var/log/daemon
Part of growing up is that you get your own things. You get your own bike instead of sharing it with a sibling. You get your own bedroom, car etc.
So I decided to give relayd(8) a log file of its own, instead of having it share /var/log/daemon with other daemons. After some experimentation I found that the following works:
Code:
    #	$OpenBSD: syslog.conf,v 1.20 2016/12/27 13:38:14 jca Exp $
    #
    # ---
    !!relayd
    *.*							/var/log/relayd
    *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none	/var/log/messages
    kern.debug;syslog,user.info				/var/log/messages
    auth.info						/var/log/authlog
    authpriv.debug						/var/log/secure
    cron.info						/var/cron/log
    daemon.info						/var/log/daemon
    [snip]
    # Uncomment to log messages from doas(1) to its own log file.  Matches are done
    # based on the program name.
    # Program-specific logs:
    #!doas
    #*.*							/var/log/doas
From syslog.conf(5)
Quote:
Code:
    # rcctl restart syslogd
    syslogd(ok)
    syslogd(ok)
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I have to admit I am now confused too. I thought that "!!relayd" acted similar to a "quick" rule in the pf firewall.
And it indeed does... relayd is now logging to its own log. But all other logging has stopped. For example, no more ssh logins in /var/log/authlog. So I moved it back to the end under the commented 'doas' line and am trying with specifying something other than that *.* wildcard. !relayd daemon.info still logs to its own log file, as well as "/var/log/daemon". So now the question is how to stop logging to "/var/log/daemon"? But right now I have no time to pursue this any further. Feel free to test with this shell script:
Code:
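    #!/bin/sh
    # Send a test message to syslog every INTERVAL seconds.

    INTERVAL=10
    # Facility and level passed to logger(1); left unquoted below so it
    # splits into "-p" and "daemon.info".
    PRIORITY="-p daemon.info"

    echo Starting $0 ...... | logger $PRIORITY -t $0

    # Everything the loop prints is piped to logger, tagged with the script name.
    while true ; do
        sleep $INTERVAL
        echo Testing sleeping $INTERVAL seconds ... at $(date)
    done 2>&1 | logger $PRIORITY -t $0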
__________________
I think I've resolved the source of my confusion. By "subsequent block" I think they mean the block immediately after the !!prog. I was originally thinking of the !!prog tag as being part of the block, but a careful reading of the man page is more consistent with the tag as not being part of the block, rather it separates blocks.
So I think this would explain why you only get the one action, and only for relayd, because you have only one block and its associated tag is !!relayd. I'll try to look at it more later, given time, regarding how to get it to do what you want.
__________________
Ah-ha! Look at the EXAMPLES section of syslog.conf(5), right at the very start.
You may need a third line in your relayd section, consisting of only
    !*
Hopefully that will work.
Last edited by IdOp; 24th May 2021 at 05:57 PM.
__________________
Quote:
Last edited by J65nko; 24th May 2021 at 11:14 PM.
__________________
The solution:
Code:
    #	$OpenBSD: syslog.conf,v 1.20 2016/12/27 13:38:14 jca Exp $
    #
    # --- relayd messages in separate log
    # Logfiles already have to exist with the correct permissions
    # syslogd does not create them for you!
    !!relayd
    daemon.info						/var/log/relayd
    !*
    *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none	/var/log/messages
    kern.debug;syslog,user.info				/var/log/messages
__________________
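Added example, not part of any post in this thread and not OpenBSD code: a simplified Python model of how syslogd walks the rules, showing why the first attempt silenced every other log, why the second attempt wrote to two files, and why `!*` fixes it. It assumes exact program-name matching and the tag behaviour described in syslog.conf(5); the function names and the shortened rule set are constructed for illustration.

```python
# Added illustration: simplified model of syslogd(8) rule evaluation (not OpenBSD source).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse(conf):
    """Turn syslog.conf text into a list of (program, quick, masks, action) rules."""
    rules, prog, quick = [], None, False
    for line in map(str.strip, conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):              # a tag line separates blocks
            quick = line.startswith("!!")     # "!!prog": stop after a match
            name = line.lstrip("!").strip()
            prog = None if name == "*" else name   # "!*" resets to "any program"
            continue
        selector, action = line.split(None, 1)
        masks = {}                            # facility -> least severe level accepted
        for part in selector.split(";"):
            facs, level = part.rsplit(".", 1)
            lvl = None if level == "none" else 7 if level == "*" else LEVELS.index(level)
            for fac in facs.split(","):
                if fac == "*":
                    masks.clear()             # "*" overrides earlier facilities
                masks[fac] = lvl
        rules.append((prog, quick, masks, action))
    return rules

def destinations(rules, program, facility, level):
    """Return the files one message is written to, in rule order."""
    out = []
    for prog, quick, masks, action in rules:
        limit = masks.get(facility, masks.get("*"))
        if limit is None or LEVELS.index(level) > limit:
            continue                          # selector does not match
        if prog is not None and prog != program:
            continue                          # block is tagged for another program
        out.append(action)
        if quick:
            break
    return out

# Constructed sample: a shortened rule set based on the configs in this thread.
REST = """*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
auth.info /var/log/authlog
daemon.info /var/log/daemon
"""
FIRST_TRY = parse("!!relayd\n*.* /var/log/relayd\n" + REST)
SECOND_TRY = parse(REST + "!relayd\ndaemon.info /var/log/relayd\n")
SOLUTION = parse("!!relayd\ndaemon.info /var/log/relayd\n!*\n" + REST)
```

Calling `destinations(FIRST_TRY, "sshd", "auth", "info")` returns an empty list, which is the missing /var/log/authlog entries reported above; the same call against `SOLUTION` returns `/var/log/authlog`.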
That's great to hear.
Quote:
__________________
After configuring relayd(8) not to log to /var/log/daemon but to a log file by itself, I used the following entry in newsyslog.conf(8) to rotate and compress these logs:
Code:
    # logfile_name		owner:group	mode count size when  flags
    /var/log/daemon				640  5     300  *     Z
    [snip]
    /var/log/relayd				644  10    1024 *     Z
Code:
    /var/www/logs/access.log		644  4     *    $W0   Z "pkill -USR1 -u root -U root -x httpd"
__________________
newsyslog will be run by cron every hour.
But you can view what newsyslog(8) will do if you run it from the command line with the -vn option:
Code:
    $ doas newsyslog -vn
    /var/cron/log <3Z>: size (KB): 2.96 [10] --> skipping
    /var/log/authlog <7Z>: age (hr): 37 [168] --> skipping
    /var/log/daemon <5Z>: size (KB): 26.21 [300] --> skipping
    /var/log/lpd-errs <7Z>: size (KB): 0.00 [10] --> skipping
    /var/log/maillog <7Z>: age (hr): 13 [24] --> skipping
    /var/log/messages <5Z>: size (KB): 39.05 [300] --> skipping
    /var/log/secure <7Z>: age (hr): 37 [168] --> skipping
    /var/log/wtmp <7B>: --> will trim at Thu Sep 1 04:00:00 2022
    /var/log/xferlog <7Z>: size (KB): 0.00 [250] --> skipping
    /var/log/pflog <3ZB>: size (KB): 250.57 [250] --> trimming log....
    rm -f /var/log/pflog.2 /var/log/pflog.2.gz
    rm -f /var/log/pflog.3 /var/log/pflog.3.gz
    mv /var/log/pflog.1.gz /var/log/pflog.2.gz
    chmod 600 /var/log/pflog.2.gz
    chown 0:0 /var/log/pflog.2.gz
    mv /var/log/pflog.0.gz /var/log/pflog.1.gz
    chmod 600 /var/log/pflog.1.gz
    chown 0:0 /var/log/pflog.1.gz
    mktemp /var/log/pflog.XXXXXXXXXX
    mv /var/log/pflog to /var/log/pflog.0
    chmod 600 /var/log/pflog.0
    chown 0:0 /var/log/pflog.0
    mv /var/log/pflog.XXXXXXXXXX to /var/log/pflog
    /var/log/relayd <20Z>: size (KB): 687.08 [1024] --> skipping
    /var/www/logs/http80_access.log <8Z>: size (KB): 965.35 [1024] --> skipping
    /var/www/logs/http80_error.log <8Z>: size (KB): 675.55 [1024] --> skipping
    run pkill -HUP -u root -U root -t - -x pflogd
    gzip /var/log/pflog.0
But /var/log/pflog will be rotated/trimmed and gzipped at the next hourly run. The pflog files are:
Code:
    ls -l /var/log/pflog*
    -rw------- 1 root wheel 267799 Aug 21 04:42 /var/log/pflog
    -rw------- 1 root wheel 62760 Aug 21 00:00 /var/log/pflog.0.gz
    -rw------- 1 root wheel 65112 Aug 20 18:00 /var/log/pflog.1.gz
    -rw------- 1 root wheel 63971 Aug 20 12:00 /var/log/pflog.2.gz