Setting up the syslog feature

This is a description of how I setup the syslog function of the BIPAC-741GE router to log messages to one of my FreeBSD v4.STABLE machines. It should be equally applicable to any Unix or Unix-like remote log host.

Router setup

• Use the serial console or telnet to access the router's command line interface.

• At the admin> prompt, type the following: system syslog set daemon 192.168.1.25 where 192.168.1.25 is the IP address of your remote log host.

• Check the entry by typing: system syslog show. You should see something like this:

       syslog daemon: 192.168.1.25
     syslog nickname: router.sentry.org

• Now save the settings by typing: system config save.

Log host setup

• Edit your /etc/syslog.conf file to direct the router's syslog messages to a separate log file. For example:
  

     !*
     +router
     *.*                         /var/log/router.log

  Do not forget that (1) you must use tabs to separate tokens in the syslog.conf file; (2) you need to specify the hostname without the domain name (at least under FreeBSD); and (3) failure to include the !* line above will result in all log entries from the immediately preceding program block being logged only when they originate from the router - which is not what you want! Please check the syntax of your syslog.conf file by checking its man page on your system carefully.

• Check the configuration of your syslog daemon. It may not accept syslog messages from remote machines in its default configuration. By default, FreeBSD runs its syslog daemon in secure mode. To override this, you will need to edit the /etc/rc.conf file and add the following line:

     syslogd_flags="-a *sentry.org:50009"

  Do not forget to replace sentry.org with your own domain name :) I found the port number used by the router was 50009 by running tcpdump while manually logging messages from the router via the old console facility (see below). It changes each time the router restarts, so it may make more sense to use a wildcard (ie use * instead of 50009).

• Create the required log file by touching the appropriate filename in your /var/log directory or wherever else you have specified (eg touch /var/log/router.log).

• If the hostname of your router is not in your local DNS server's records, you will need to edit the log host's /etc/hosts file to add it. For example, add the following line:

     192.168.1.154  router  router.sentry.org

  where 192.168.1.254 is the IP address of your router, router is its hostname and router.sentry.org is its fully qualified domain name.

• Find the PID of your running syslog daemon process (eg ps -ax | grep syslog) and kill it (eg kill <pid>).

• Manually start the syslog daemon as follows: syslogd -a "*domainname:*".

Check that it all works

To check that it all works, you will need to again use the serial console or telnet to access the router's command line interface. Once you are at the admin> prompt:

• Type: console enable to enable the "old" console. Press [ENTER] and you should be at the 192.168.1.254> old console prompt.

• Now manually send a log message from the router by typing: 192.168.1.254> syslog log Test and check that it turns up in the router log file on your remote log host. The syslog entry should look something like this:

     Jun 28 16:16:01 router Test

• To exit from the old console prompt type: exit :)

But that's not all ...

Before the syslog facility will become useful, you will also have to setup some of the router's log facilities to actually send their logs to the remote log host. Back to the serial console or telnet to access the router's command line interface. Once you are at the admin> prompt:

• Type system log list to see a list of the available logs. You should see something like the following:

     ProcessName         Level     LogTo
     ==================================================
     ppp                 none      none
     pptp                none      none
     ddns                none      none
     maildemon           none      none 
     firewall            none      none 
     im                  none      none
     snmpr               none      none 
     webserver           none      none

  By default no log messages of any level are being logged anywhere.

• To, for example, log all the ppp process log messages to your remote log host, you would need to type the following commands:
  system log set ppp all
  system log enable ppp to syslog

• Now a system log list command should produce output similar to the following:

     ProcessName         Level     LogTo
     ==================================================
     ppp                 entryExit syslog
     pptp                none      none
     ddns                none      none
     maildemon           none      none 
     firewall            none      none 
     im                  none      none
     snmpr               none      none 
     webserver           none      none

• To test that this now works, you can go to the router's web interface, choose the status page and press the disconnect button, then press the connect button. Once the PPP link has been re-established, check your remote log host log file and you should see something like this:

     Jun 28 17:49:26 router router.sentry.org:ppp:none: Channel Id(1) disconnected after (4 hr 15 min 8 sec) 
     Jun 28 17:49:33 router router.sentry.org:ppp:none: Channel Id(1) connected

The router does not log firewall log entries via syslog even when this option has been selected. Billion are aware of the issue and will be fixing it in a new firmware release (later than v4.21d) in due course.

Enjoy!

Back to the Info Dump