Re: [logs] PIX logging

• Previous message: Allen Crawford: "RE: [logs] PIX logging"
• In reply to: Allen Crawford: "RE: [logs] PIX logging"
• Next in thread: Allen Crawford: "RE: [logs] PIX logging"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

----- Original Message -----
From: "Allen Crawford" <AllenCat_private>
To: "'yehuda'" <yehudaat_private>
Cc: "Log Analysis List (E-mail)" <loganalysisat_private>
Sent: Tuesday, September 03, 2002 10:14 PM
Subject: RE: [logs] PIX logging


> Thanks for the tips.  I'll try these out.  I do have another general
> question.  I read up about logrotate.d and I understand that the
> "postrotate" section runs after the logs are rotated.  Well, my question
is,
> why would you kill syslogd AFTER the logs have been rotated?  Shouldn't
you
> have to kill it first, then rotate the logs?

You don't kill syslog in the postrotate section, you send a SIGHUP (not
SIG{KILL,TERM}) to it, because the files descriptors have changed during the
rotation. the SIGHUP tell to syslog to reload it config, so it will reopen
the log files.

++
Jean-luc Leclercq

>  -----Original Message-----
> From: yehuda [mailto:yehudaat_private]
> Sent: Thursday, August 29, 2002 12:10 PM
> To: Allen Crawford
> Cc: Log Analysis List (E-mail)
> Subject: RE: [logs] PIX logging
>
> to prevent your local4 logs from going to /var/log/messages, add the
> following to your syslog.conf:
> local4.none /var/log/messages
>
> you can just tack it on the end of the line for /var/log/messages - for
> example:
> *.info;mail.none;authpriv.none;local5.none;local4.none  /var/log/messages
>
> if you want to rename your log file each night, you can call a script from
> your logrotate.conf
> ( or for redhat, /etc/logrotate.d/syslog)
> for example:
>
> /var/log/messages {
> daily
>     postrotate
>         /usr/bin/killall -HUP syslogd;
>         mv /var/log/messages.1 /var/log/messages$(date +%Y%m%d)
>     endscript
> }
>
>
> here's a quick n dirty script for deleting old log files:
> ------------- begin script
> #!/bin/bash
>
> oldstuff=$(date +%m|sed 's/^0//')
> case $oldstuff in
>         1) oldstuff=10;;
>         2) oldstuff=11;;
>         3) oldstuff=12;;
>         *) oldstuff=$[$oldstuff-3];;
> esac
> rm /var/log/messages$[$(date +%Y)-1]$oldstuff*
> rm /var/log/messages$(date +%Y)$oldstuff*
> ---------- end script
>
> I haven't tested this script, so make sure to test it before putting it
into
> production.
>
>
>
> > -----Original Message-----
> > From: Allen Crawford [SMTP:AllenCat_private]
> > Sent: Thursday, August 29, 2002 11:17 AM
> > To: Log Analysis List (E-mail)
> > Subject: [logs] PIX logging
> >
> > I hope this is the proper forum for this sort of question.  Please let
me
> > know if it is not.
> >
> > I have read up on the basics of using syslog and logrotate to log and
> > rotate
> > my system logs. I have also read the basics of how to make the Cisco PIX
> > send logging information to my syslog server. When turning this on from
> > the
> > PIX, it immediately starts logging to the syslog server (I've already
> > enabled the remote logging ability for syslog) but it logs everything to
> > /var/log/messages.  I had entered the following line to my
> > /etc/syslog.conf
> > file as well.
> >
> > local4.* /var/log/pix
> >
> > Eventually I found out that things were now being logged twice, once to
my
> > pix file above and once to /var/log/messages.
> >
> > My problem/question is that I'd like to have the PIX logs in a separate
> > file, one that gets rotated daily at midnight. In addition to that, I'd
> > like
> > it to append the date as the suffix of the log's filename, such as
> > pix20020815. I would also prefer that the logs were automatically
deleted
> > after say, 3 months, but that is the least of my worries right now.  We
> > may
> > just stick with a manual deletion anyway.
> >
> > If anyone can give me details on this, or if anyone else has already set
> > this up for their PIX, I'd greatly appreciate some examples, either
online
> > or offline.
> >
> > By the way, I'm running Red Hat 7.3 for this.
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysisat_private
> > http://lists.shmoo.com/mailman/listinfo/loganalysis
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
>

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: Sweth Chandramouli: "Re: [logs] perl question relating to log analysis"
• Previous message: Allen Crawford: "RE: [logs] PIX logging"
• In reply to: Allen Crawford: "RE: [logs] PIX logging"
• Next in thread: Allen Crawford: "RE: [logs] PIX logging"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Sep 04 2002 - 10:10:33 PDT