[vox-tech] some syslog questions

Ryan Castellucci vox-tech@lists.lugod.org
Tue, 29 Jul 2003 12:11:49 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 29 July 2003 09:49 am, Peter Jay Salzman wrote:
> some questions i've been meaning to ask for awhile...
>
>
> 1. when a logging request is handled and matched by a rule, does logging
> end there (as with procmail) or does it continue for further logging?
> in other words, in this example:
>
>    *.emerg      *
>
>    mail.emerg   /var/log/mail.emerg
>
> do mail emergencies get forwarded to all logged in users AND get logged
> to a file?  or do they just get forwarded to all logged in users?

A syslog message will be matched multiple times. I'm using a syslog daemon
that supports logging to a MySQL database, and I have it logging both to the
database, AND to the usual flat files.

> 2. is there any way to determine the facility log level of a message?
> for instance, once this message got logged:
>
>    Jul 25 10:29:06 satan lpd[17559]: satan requests printjob lp
>
> were the facility and log level irretrievably lost?  in this example,
> the facility is lpr, not lpd (there's no lpd facility).  and the level
> is probably "info" or something like that.  it would be useful to know
> for sure.

It's not logged to the usual files. Try a different syslog daemon, or look in
the man page, there may be a way to make it log that information. At work I'm
using msyslog http://msyslog.sf.net/, and the MySQL logger module can save
this information (not by default), and I have it set to do so.

> 3. i wrapped exim with tcpd so i can use hosts.deny to "blackhole"
> domains that constantly spam.  that means i get logs in daemon.log like:
>
>    Jul 29 09:18:19 satan exim[26553]: connect from murphy.debian.org
>    Jul 25 09:06:58 satan exim[15324]: refused connect from 218.5.148.246
>
> every time anybody makes an SMTP connection.  i really don't want to see
> this.  i believe that even though it says "exim", tcpd is doing the
> actual logging.  and since it's a tcpd refusal/acceptance, these
> messages are no different, in principle, from messages saying that some
> hacker is trying to connect with portmap, or lucifer is trying to mount
> an NFS partition from satan.
>
> my gut feeling is that i can't stop these exim messages.  i'm hoping i'm
> wrong.   any ideas?

You could drop them in iptables. Iptables rocks :-)

--
PGP/GPG Fingerprint: 3B30 C6BE B1C6 9526 7A90  34E7 11DF 44F3 7217 7BC7
On pgp.mit.edu, import with `gpg --keyserver pgp.mit.edu --recv-key 72177BC7`
Also available at http://www.cal.net/~ryan/ryan_at_mother_dot_com.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/Jsb+Ed9E83IXe8cRAnz8AJ0cAjwK2m0teCvaCVXOGgBB6De8ewCeMSC8
u8F8oS5GmT1sFGxoG9Az7Ec=
=4eMG
-----END PGP SIGNATURE-----
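The two syslog points raised above (a message is delivered to every rule it matches, and the facility/severity are gone once a traditional syslogd has written the text to a flat file) can be shown with a small decoder and rule evaluator. This is an added example written for this page, not code from the thread, msyslog, or any syslogd. It assumes classic BSD syslog.conf semantics: a selector `facility.level` matches messages of that facility at `level` or more severe, `none` excludes a facility, and every rule line is evaluated independently. The `<PRI>` wire prefix is facility*8 + severity; the PRI values on the sample lines and the syslog.conf fragment are constructed for the demonstration, and the function names are this example's own.

```python
"""Decode syslog PRI values and evaluate syslog.conf-style selectors.

Added example with constructed input; not code from the mailing-list thread.
Assumes classic BSD syslogd semantics: "facility.level" matches messages of
that facility whose severity is level or worse, "none" excludes a facility,
and every rule in the file is evaluated independently (no first-match stop).
"""
import re

# Standard facility and severity codes from the BSD syslog protocol.
FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
                  "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
                  "authpriv": 10, "ftp": 11}
FACILITY_CODES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITY_CODES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITY_CODES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(raw):
    """Split a wire-format message into (facility, severity, text).

    Returns None when there is no <PRI> prefix, which is exactly the state
    of a line after a traditional syslogd has written it to a flat file.
    """
    m = PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # 23*8 + 7 is the largest legal PRI
        return None
    fac, sev = divmod(pri, 8)
    return FACILITY_NAMES.get(fac, f"facility{fac}"), SEVERITY_NAMES[sev], m.group(2)


def to_flat_file(raw):
    """What a traditional syslogd writes to a file: the text, PRI dropped."""
    decoded = decode_pri(raw)
    return decoded[2] if decoded else raw


def parse_rules(conf_text):
    """Parse 'selector<whitespace>target' lines.

    A selector is fac[,fac].level parts joined by ';'. fac may be '*',
    level may be '*' (everything) or 'none' (exclude that facility).
    """
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, target = line.split(None, 1)
        parts = []
        for sel in selector.split(";"):
            facs, level = sel.rsplit(".", 1)
            parts.append((facs.split(","), level))
        rules.append((parts, target))
    return rules


def selector_matches(parts, facility, severity):
    """Evaluate the ';'-joined parts left to right; a later 'none' revokes."""
    sev = SEVERITY_CODES[severity]
    matched = False
    for facs, level in parts:
        if "*" not in facs and facility not in facs:
            continue
        if level == "none":
            matched = False
        elif level == "*" or sev <= SEVERITY_CODES[level]:
            matched = True
    return matched


def targets_for(raw, rules):
    """Every target the message goes to: matching does not stop at the first rule."""
    decoded = decode_pri(raw)
    if decoded is None:
        raise ValueError("no <PRI> on message; facility/severity are unrecoverable")
    facility, severity, _ = decoded
    return [target for parts, target in rules
            if selector_matches(parts, facility, severity)]


# Constructed syslog.conf fragment mirroring the question in the thread.
SYSLOG_CONF = """
*.emerg                 *
mail.emerg              /var/log/mail.emerg
*.info;mail.none        /var/log/syslog
lpr.*                   /var/log/lpr.log
"""
RULES = parse_rules(SYSLOG_CONF)

# Constructed wire-format lines: mail.emerg is 2*8+0=16, lpr.info is 6*8+6=54.
MAIL_EMERG = "<16>Jul 29 09:00:00 satan sendmail[1]: mail spool full"
LPD_INFO = "<54>Jul 25 10:29:06 satan lpd[17559]: satan requests printjob lp"

if __name__ == "__main__":
    print("mail.emerg ->", targets_for(MAIL_EMERG, RULES))
    print("lpr.info   ->", targets_for(LPD_INFO, RULES))
    print("flat line  ->", decode_pri(to_flat_file(LPD_INFO)))
```

Running it shows the mail emergency going to both `*` and `/var/log/mail.emerg` (and being excluded from `/var/log/syslog` by `mail.none`), the lpd line landing in two files, and `decode_pri` returning `None` for the flat-file form because the only place the facility and severity ever existed was the `<PRI>` prefix the daemon stripped.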