 From:  "Fred Williams" <A20FBW1 at wpo dot cso dot niu dot edu>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  m0n0wall 1.1 syslog facility designation
 Date:  Tue, 31 Aug 2004 18:30:44 -0500
Hello,

I am running m0n0wall 1.1 from a generic PC via the CD-ROM image. It is
outstanding! Thank you.

However, I'm a little new to this and was having a little trouble
setting up remote syslogging to a Linux server due to the syslog
facility field set by m0n0wall... Messages in the list archive suggested
setting a selector such as ipmon.* in syslog.conf on the Linux server, but
that didn't work.

A packet capture yielded:
<snip off un-interesting bits..>
User Datagram Protocol, Src Port: syslog (514), Dst Port: syslog (514)
    Source port: syslog (514)
    Destination port: syslog (514)
    Length: 128
    Checksum: 0xd7cf (correct)
Syslog message: LOCAL0.WARNING: Aug 31 16:47:21 ipmon[70]: 1...
    1000 0... = Facility: LOCAL0 - reserved for local use (16)
    .... .100 = Level: WARNING - warning conditions (4)
    Message:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx IN 

which clearly shows the facility field is set to LOCAL0 for firewall
events. 

So finally, the question. Since the syslog facility specifies the
subsystem that produced the message, how can I change that from "local0"
to, say, "m0n0wall" and hence change my selector in syslog.conf from
local0.* to m0n0wall.*?

Thanks
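
Added example (not part of the original message): Python code that decodes the PRI value behind the capture above and evaluates basic syslog.conf selectors against it, showing that the left side of a selector must be one of the fixed facility keywords, while ipmon is the message tag. The datagram, its body text and the function names are constructed for illustration; only the facility[,facility].level selector form is handled.

```python
import re

# Facility codes 0-23 per RFC 3164; keywords for 12-15 vary between syslogd builds.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>, 15-character timestamp, then TAG[pid]: content (no hostname, as in the capture).
MSG_RE = re.compile(rb"<(\d{1,3})>(.{15}) ([^\s:\[]+)(?:\[(\d+)\])?: ?(.*)", re.S)

def parse(datagram):
    """Split a BSD-syslog datagram into facility, severity, tag, pid and text."""
    m = MSG_RE.match(datagram)
    if not m:
        raise ValueError("not a BSD syslog message")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)  # upper 5 bits, lower 3 bits
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m.group(2).decode(), "tag": m.group(3).decode(),
            "pid": int(m.group(4)) if m.group(4) else None,
            "text": m.group(5).decode(errors="replace")}

def selector_matches(selector, msg):
    """Evaluate a basic syslog.conf selector (facility[,facility].level)."""
    facs, _, level = selector.partition(".")
    names = facs.split(",")
    for name in names:
        if name != "*" and name not in FACILITIES:
            raise ValueError("unknown facility name: " + name)
    if "*" not in names and msg["facility"] not in names:
        return False
    if level == "*":
        return True
    # A level selects that severity and everything more urgent (lower code).
    return SEVERITIES.index(msg["severity"]) <= SEVERITIES.index(level)

# Constructed datagram: PRI 132 = 16 (local0) * 8 + 4 (warning); body is a placeholder.
SAMPLE = b"<132>Aug 31 16:47:21 ipmon[70]: constructed firewall log line"

if __name__ == "__main__":
    msg = parse(SAMPLE)
    print(msg["facility"], msg["severity"], msg["tag"], msg["pid"])
    for sel in ("local0.*", "local0.err", "kern.*"):
        print(sel, "->", selector_matches(sel, msg))
```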