Re: syslog / ipmon chaos

[Saad Kadhi <bsdguy@noos.fr>]

James Moore wrote:

> On 1 May 2001, Saad Kadhi wrote:
> 
> 
>> Hi there
>> 
>> ipmon uses LOG_INFO, LOG_NOTICE, LOG_WARNING, and LOG_ERR levels to log different actions/packets through syslog
>> using the local0 facility. LOG_ERR is used on the first line:
>>  > *.err;kern.debug;auth.notice;authpriv.none;mail.crit	/dev/console
>> and the 4th before last line:
>>  > *.err		 
>> 				root
>> LOG_ERR is used for packets that are considered short. So any packet 
>> that is logged and is "short" is displayed on the terminal of all 
>> connected roots + the console. Moreover, LOG_NOTICE is used for passed 
>> packets that are logged. It appears in:
>>  > *.notice;auth.debug		 
>> 		root
>> That means that any packet that is passed & loggued  is displayed on the 
>> terminal of all connected roots too !
>> So if you really want to tweak this behavior, modify those lines 
>> accordingly.
>> 
>> BTW, upon reading your email I have just "man ipmon" and found the info 
>> almost immediately. Nothing replaces a good rtfming :))
> 
> 
> Yep - in fact I did read ipmon (and syslogd as well). I s'pose it's 
> logical enough to infer that "LOG_WARNING" = warning level, but my 
> confusion occurred in that my ipf rules log only blocked packets... 
> this means they'd have to be level = "LOG_WARNING". I found nothing in 
> syslog.conf that directs "LOG_WARNING" to the terminal - do you?
 From syslog.conf manual page:
If a received message matches the specified facility and is of the 
specified level (or a higher level),

WARNING is a higher level than NOTICE. I can then safely infer that the 
culprit is *.notice since this logs NOTICE & above (WARNING, ERR, ALERT, 
EMERG).

HTH


-- 
Saad

"Authoritarians thrive on censorship and secrecy. And
they distrust voluntary cooperation and information
sharing-- they only like cooperation that they control."