Re: syslog / ipmon chaos

["James Moore" <jim.moore@firelinedsl.com>]

On 1 May 2001, Saad Kadhi wrote:

> >> ipmon uses LOG_INFO, LOG_NOTICE, LOG_WARNING, and LOG_ERR levels to log different actions/packets through syslog
> >> using the local0 facility. LOG_ERR is used on the first line:
> >>  > *.err;kern.debug;auth.notice;authpriv.none;mail.crit	/dev/console
> >> and the 4th before last line:
> >>  > *.err		 
> >> 				root
> >> LOG_ERR is used for packets that are considered short. So any packet 
> >> that is logged and is "short" is displayed on the terminal of all 
> >> connected roots + the console. Moreover, LOG_NOTICE is used for passed 
> >> packets that are logged. It appears in:
> >>  > *.notice;auth.debug		 
> >> 		root
> >> That means that any packet that is passed & loggued  is displayed on the 
> >> terminal of all connected roots too !
> >> So if you really want to tweak this behavior, modify those lines 
> >> accordingly.
> >> 
> >> BTW, upon reading your email I have just "man ipmon" and found the info 
> >> almost immediately. Nothing replaces a good rtfming :))
> > 
> > 
> > Yep - in fact I did read ipmon (and syslogd as well). I s'pose it's 
> > logical enough to infer that "LOG_WARNING" = warning level, but my 
> > confusion occurred in that my ipf rules log only blocked packets... 
> > this means they'd have to be level = "LOG_WARNING". I found nothing in 
> > syslog.conf that directs "LOG_WARNING" to the terminal - do you?
>  From syslog.conf manual page:
> If a received message matches the specified facility and is of the 
> specified level (or a higher level),
> 
> WARNING is a higher level than NOTICE. I can then safely infer that the 
> culprit is *.notice since this logs NOTICE & above (WARNING, ERR, ALERT, 
> EMERG).

Well you got me on that one - I didn't notice syslog.conf had a man pg. 

Thanks,
James Moore