Call me lazy but I switched to syslog-ng. WAY better control over your logs.. I know doesn't help you now, but just food for thought.

Chet Harvey
Pitbull Technologies
<http://www.pittech.com/>
Protecting your Digital Assets
703.407.7311

Quoting Fred Williams <A20FBW1 at wpo dot cso dot niu dot edu>:

> Hello,
>
> I am running m0n0wall 1.1 from a generic pc via the cdrom image. It is
> outstanding! Thank you.
>
> However, I'm a little new to this and was having a little trouble
> setting up remote syslogging to a linux server due to the syslog
> facility field set by m0n0wall...messages in the list archive suggested
> to set a selector such as ipmon.* in syslog.conf on the linux server but
> that didn't work.
>
> A packet capture yielded:
> <snip off un-interesting bits..>
> User Datagram Protocol, Src Port: syslog (514), Dst Port: syslog (514)
>     Source port: syslog (514)
>     Destination port: syslog (514)
>     Length: 128
>     Checksum: 0xd7cf (correct)
> Syslog message: LOCAL0.WARNING: Aug 31 16:47:21 ipmon[70]: 1...
>     1000 0... = Facility: LOCAL0 - reserved for local use (16)
>     .... .100 = Level: WARNING - warning conditions (4)
>     Message:
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx IN
>
> which clearly shows the facility field is set to LOCAL0 for firewall
> events.
>
> So finally the question. Since the syslog facility specifies the
> subsystem that produced the message, how can I change that from "local0"
> to say "m0n0wall" and hence change my selector in syslog.conf from
> local0.* to m0n0wall.*?
>
> Thanks
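As an added example (not part of either message in this thread): a small Python decoder for the `<PRI>` header seen in the capture, plus a simplified `facility.level` selector check, showing that the facility is one of a fixed set of numeric codes and that `ipmon` is the program tag inside the message. The sample datagram is constructed to match the capture's facility and level, and `parse_datagram` and `selector_matches` are hypothetical helper names.

```python
import re

# Facility and severity are fixed numeric codes (RFC 3164); names are labels.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

# <PRI>, optional "Mmm dd hh:mm:ss" timestamp, optional "program[pid]:" tag.
HEADER = re.compile(
    rb"^<(\d{1,3})>(?:(\w{3} [ \d]\d \d\d:\d\d:\d\d) )?"
    rb"(?:([^\s\[:]+)(?:\[(\d+)\])?: ?)?(.*)$", re.S)

def parse_datagram(data: bytes) -> dict:
    """Split one UDP syslog payload into facility, severity and program tag."""
    m = HEADER.match(data)
    if not m or int(m.group(1)) > 191:   # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("missing or out-of-range <PRI> header")
    fac_code, sev_code = divmod(int(m.group(1)), 8)
    return {
        "facility": FACILITIES[fac_code], "facility_code": fac_code,
        "severity": SEVERITIES[sev_code], "severity_code": sev_code,
        "timestamp": m.group(2).decode() if m.group(2) else None,
        "program": m.group(3).decode() if m.group(3) else None,
        "pid": int(m.group(4)) if m.group(4) else None,
        "text": m.group(5).decode(errors="replace"),
    }

def selector_matches(selector: str, msg: dict) -> bool:
    """Evaluate a simple 'facility.level' selector against a parsed message."""
    fac, _, level = selector.partition(".")
    if fac != "*" and fac not in FACILITIES:
        return False          # "ipmon" / "m0n0wall" are not facility names
    if fac not in ("*", msg["facility"]):
        return False
    if level == "*":
        return True
    # A bare level means "this severity or more urgent" (lower number).
    return level in SEVERITIES and msg["severity_code"] <= SEVERITIES.index(level)

# Constructed sample modelled on the capture: PRI 132 = 16 * 8 + 4.
SAMPLE = b"<132>Aug 31 16:47:21 ipmon[70]: constructed-sample-text IN"

if __name__ == "__main__":
    msg = parse_datagram(SAMPLE)
    print(msg["facility"], msg["severity"], msg["program"])
    for sel in ("local0.*", "ipmon.*", "m0n0wall.*", "local0.err"):
        print(sel, selector_matches(sel, msg))
```

A real syslogd rejects an unknown facility name as a configuration error; returning False here is a simplification.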