Re: cisco logging to syslogd?

 
 
Didier
01-13-2004
> And are you passing the switch to syslogd
> which tells it to accept remote messages?
>

Some additional info: I've checked the file permission of cisco.log, it's ok
(rw-rw-rw), so this can't be the problem.

Syslogd is launched with:
syslogd -a myrouter.ip.address

Here is my router config:
logging facility local0
logging source-interface FastEthernet0
logging myrouter.ip.address

Here is freebsd's syslog.conf (see the last line)
*.err;kern.debug;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/message
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
ftp.info /var/log/xferlog
cron.* /var/log/cron
local0.informational /var/log/cisco.log


Here is the output of show log:
Syslog logging: enabled (0 messages dropped, 10235 messages rate-limited,
365 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level informational, 0 messages logged
Buffer logging: disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 15143 message lines logged
Logging to myfreebsd.box.ip, 15143 message lines logged

I'm using this config on fastethernet0:
interface FastEthernet0
ip address myfreebsd.box.ip
ip access-group 111 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect standard in
speed auto
ntp broadcast client
no cdp enable

Here is ip inspect standard:
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name standard cuseeme
ip inspect name standard ftp
ip inspect name standard h323
ip inspect name standard http
ip inspect name standard rcmd
ip inspect name standard realaudio
ip inspect name standard smtp
ip inspect name standard sqlnet
ip inspect name standard streamworks
ip inspect name standard tcp
ip inspect name standard tftp
ip inspect name standard udp
ip inspect name standard vdolive

And here is show access-list 111:
Extended IP access list 111
permit ip mynetwork any (85973 matches)
deny ip any any log

SORRY FOR THE LONG POST, but I really don't know what else to check!


 
Didier
01-13-2004
Hmm,
I think that this must be a freebsd-related configuration problem. Here is a
tcpdump:
route.ip.address = router ip address
freebsd.ip.address = freebsd box
tcpdump: listening on fxp0
00:05:48.156942 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
00:05:50.888792 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
00:05:55.160610 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
00:06:03.160184 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
00:06:26.103070 route.ip.address.51088 > freebsd.ip.address.syslog: udp 118
00:06:27.103010 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
00:06:30.834818 route.ip.address.51088 > freebsd.ip.address.syslog: udp 81
00:06:36.190521 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
00:06:44.190152 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
00:06:45.190057 route.ip.address.51088 > freebsd.ip.address.syslog: udp 120
00:07:29.979662 route.ip.address.51088 > freebsd.ip.address.syslog: udp 80
00:07:30.979669 route.ip.address.51088 > freebsd.ip.address.syslog: udp 119
00:07:30.980093 route.ip.address.51088 > freebsd.ip.address.syslog: udp 117


The syslog udp packets do arrive at the freebsd box.
Hmm, what else do I have to check?!
Many, many thanks!


 
Richard Antony Burton
01-13-2004

"Didier" <> wrote in message
news:40046f3d$...

> Syslogd is launched with:
> syslogd -a myrouter.ip.address


As stated by several people, you need to run with the -r parameter. I
couldn't quite work out from the manual what the -a parameter does, but I
don't think it does what you want it to.

> logging myrouter.ip.address


This should be the ip address of the machine running syslogd, not the ip
address of the router.

> *.err;kern.debug;auth.notice;mail.crit /dev/console
> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/message

These lines will match any err and notice messages from your router.

> local0.informational /var/log/cisco.log


This line will only catch the info messages from your router, is that the
class of message you are being sent by your router?

Richard.


 
Richard Antony Burton
01-13-2004

"Didier" <> wrote in message
news:40047b9d$...

> The syslog udp packets do arrive at the freebsd box.


Yes, but that doesn't mean there is anything listening for them. Remember
the -r parameter?

Richard.


 
Per Hedeland
01-14-2004
In article <r__Mb.4536313$> "Richard Antony
Burton" <richardaburton-NOSPAM-@hotmail.com> writes:
>
>"Didier" <> wrote in message
>news:40046f3d$...


>> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/message
>
>These lines will match any err and notice messages from your router.


Also warning, crit, alert, and emerg.

>> local0.informational /var/log/cisco.log
>
>This line will only catch the info messages from your router, is that the
>class of message you are being sent by your router?


Actually it won't catch anything at all, since there is no priority
called "informational" - the name is "info", just like in all the other
entries. It seems syslogd only complains about it in debug mode though:

syslogd: unknown priority name "informational"

- but then syslogd was never a very forgiving program... Btw, once it is
changed to "info", it will "catch" anything with "info" *or higher*
priority (i.e. info + all the above). Every match counts, earlier
matches do not prevent later ones.

--Per Hedeland
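
As an added illustration of the selector rules Per describes (a priority selects itself and everything above it, every matching line counts, and "informational" is not a priority name), here is a small Python model of how a BSD-style syslogd evaluates syslog.conf selectors. It is not FreeBSD's code or code from any poster; the config lines are a subset of the ones in the thread.

```python
# Model of how a BSD-style syslogd evaluates syslog.conf selectors. This is an
# added illustration of the thread's point, not code from FreeBSD or from any poster.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

class UnknownPriority(ValueError):
    """Stands in for syslogd's 'unknown priority name' complaint (only shown in debug mode)."""

def parse_selector(selector):
    """'fac.pri;fac.pri;...' -> (level for '*', {facility: level}), applied left to right:
    '*' (re)sets every facility, 'none' disables one, a level is a minimum priority."""
    default, specific = None, {}
    for part in selector.split(";"):
        facility, priority = part.rsplit(".", 1)
        if priority == "none":
            level = None
        elif priority == "*":
            level = 0                                  # any priority, debug and up
        elif priority in PRIORITIES:
            level = PRIORITIES.index(priority)
        else:                                          # e.g. "informational"
            raise UnknownPriority(f'unknown priority name "{priority}"')
        if facility == "*":
            default, specific = level, {}
        else:
            specific[facility] = level
    return default, specific

def selector_matches(selector, facility, priority):
    """A message is selected when its priority is at or above the configured minimum."""
    default, specific = parse_selector(selector)
    minimum = specific.get(facility, default)
    return minimum is not None and PRIORITIES.index(priority) >= minimum

def route_message(conf_lines, facility, priority):
    """Every line is tested on its own, so one message can be written to several places."""
    return [action for selector, action in (line.split() for line in conf_lines)
            if selector_matches(selector, facility, priority)]

# Subset of the syslog.conf from the thread: as posted, and with the last line fixed.
CONF_AS_POSTED = [
    "*.err;kern.debug;auth.notice;mail.crit /dev/console",
    "*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/message",
    "security.* /var/log/security",
    "local0.informational /var/log/cisco.log",
]
CONF_FIXED = CONF_AS_POSTED[:-1] + ["local0.info /var/log/cisco.log"]
```

With the fixed file a local0.info message lands only in cisco.log, while a local0.err message is written to the console, /var/log/message and cisco.log at once.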


 
Didier
01-14-2004
Found it!
Thx a lot guys for the help!!
For those who want to know:

Here is the answer:
snip from freebsd mailing list:
You have to specify a 'service' of * on the syslogd command line (with
the -a option). By default syslogd only accepts packets coming from
the syslog port on the remote host. Cisco uses a dynamically allocated
port for sending the logging.
end snip

So your rc.conf has to look like this (my router is 10.0.0.1/255.255.255.240):
syslogd_flags="-a 10.0.0.1/28:*"
That solved the problem.
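
As an added illustration of Didier's fix and of the later exchange about source ports, here is a Python model of the -a allowed-peer check: a spec of the form ipaddr[/masklen][:service], where the service defaults to the syslog port (UDP 514) and * accepts any source port. This is not FreeBSD's code; the spec forms handled and the datagram sources are assumptions constructed for the example.

```python
# Model of syslogd's -a (allowed peer) check as the thread describes it. Added
# illustration, not FreeBSD's code; only the forms ipaddr[/masklen][:service] with a
# numeric service, "syslog" or "*" are modelled.
import ipaddress

SYSLOG_PORT = 514

def parse_allowed_peer(spec):
    """'10.0.0.1/28:*' -> (network 10.0.0.0/28, port None); '10.0.0.1' -> (/32, 514)."""
    addr, _, service = spec.partition(":")
    network = ipaddress.ip_network(addr, strict=False)   # host bits of 10.0.0.1/28 are masked off
    if service in ("", "syslog"):
        port = SYSLOG_PORT                               # the default the poster tripped over
    elif service == "*":
        port = None                                      # any source port
    else:
        port = int(service)
    return network, port

def peer_allowed(allowed, src_ip, src_port):
    """True if a datagram from src_ip:src_port passes some -a entry. Otherwise syslogd
    drops it silently: packets visible in tcpdump, nothing written to cisco.log."""
    src = ipaddress.ip_address(src_ip)
    return any(src in network and port in (None, src_port) for network, port in allowed)

def accepted_sources(specs, datagrams):
    """Which (ip, port) pairs a syslogd started with the given -a specs would accept."""
    allowed = [parse_allowed_peer(s) for s in specs]
    return [d for d in datagrams if peer_allowed(allowed, *d)]

# Constructed sources: the router's ephemeral port as seen in the thread's tcpdump,
# a forwarding *nix syslogd that sends from port 514, and a host outside the /28.
DATAGRAMS = [("10.0.0.1", 51088), ("10.0.0.5", 514), ("10.0.0.17", 51088)]
```

With "-a 10.0.0.1" alone the router's datagrams are rejected because of their ephemeral source port, while "-a 10.0.0.1/28:*" accepts them but still keeps hosts outside the /28 out.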


 
Masud Reza
01-14-2004
"Didier" <> wrote in message news:<40048807$>...
> Found it!
> Thx a lot guys for the help!!
> For those who want to know:
>
> Here is the answer:
> snip from freebsd mailing list:
> You have to specify a 'service' of * on the syslogd command line (with
> the -a option). By default syslogd only accepts packets coming from
> the syslog port on the remote host. Cisco uses a dynamically allocated
> port for sending the logging.
> end snip
>
> So your rc.conf has to look like (my router is 10.0.0.1/255.255.255.240)
> syslogd_flags="-a 10.0.0.1/28:*"
> That solved the problem


This problem might be specific to the freebsd syslogd. The default
syslog port is 514, and the daemon running on this port uses udp transport.
It does not make any sense for the freebsd syslog daemon to accept
data from port 514 only!

Any machine sending a syslog message is bound to use a port other than
514 (usually a 'normal' port > 1023).

If you are using Windows, try the kiwisyslog from www.kiwisyslog.com.

It supports syslog over tcp as well which is currently only supported
by the PIX firewall.

Masud
 
Per Hedeland
01-14-2004
In article < >
(Masud Reza) writes:
>"Didier" <> wrote in message news:<40048807$>...
>> Found it!
>> Thx a lot guys for the help!!
>> For those who want to know:
>>
>> Here is the answer:
>> snip from freebsd mailing list:
>> You have to specify a 'service' of * on the syslogd command line (with
>> the -a option). By default syslogd only accepts packets coming from
>> the syslog port on the remote host. Cisco uses a dynamically allocated
>> port for sending the logging.
>> end snip
>>
>> So your rc.conf has to look like (my router is 10.0.0.1/255.255.255.240)
>> syslogd_flags="-a 10.0.0.1/28:*"
>> That solved the problem

>
>This problem might be specific to the freebsd syslogd.


Probably (or at least *BSD).

> The default syslog port is 514 and daemon running on this port uses udp transport.
>It does not make any sense on the freebsd syslog daemon part to accept
>data from port 514 only!


I guess it makes about as much sense as restricting the source address -
makes it a little bit harder (but certainly not much) to flood the
server.

>Any machine sending a syslog message is bound to use a port other than
>514 (usually a 'normal' port > 1023).


Not really - on a machine that has a local syslog daemon (e.g. your
typical *nix), programs syslog to the local daemon, which may be
configured to forward messages to a central log server or somesuch.
Such forwarded messages will have source port 514 on all syslogd
implementations I've seen - the daemon sends these on the same socket
that it uses to listen for incoming messages (assuming it does listen -
otherwise it will typically have an open socket bound to that port
anyway, at least if it's expected to forward any messages).

Machines that don't have a syslog daemon can certainly send syslog
messages with source port 514 too - and according to RFC 3164 they
should.

--Per Hedeland

 
Masud Reza
01-15-2004
(Per Hedeland) wrote in message news:<bu4ib2$pc0$>...

> Not really - on a machine that has a local syslog daemon (e.g. your
> typical *nix), programs syslog to the local daemon, which may be
> configured to forward messages to a central log server or somesuch.
> Such forwarded messages will have source port 514 on all syslogd


Yes, in this particular case it is possible for the messages to be
reaching the 'master' syslog server FROM port 514 because they are
being forwarded.

> Machines that don't have a syslog daemon can certainly send syslog
> messages with source port 514 too - and according to RFC 3164 they
> should.


This is correct.

Also important is the fact that using udp spoofing, it is easy to send
fake logs to a syslog server if the syslog server is accepting
messages from all devices. Alternatives are using an IPSec tunnel
between the device and the syslog server or using tcp as the syslog
transport (which is of course less secure).

Masud
 
Per Hedeland
01-16-2004
In article < >
(Masud Reza) writes:
> (Per Hedeland) wrote in message news:<bu4ib2$pc0$>...
>
>> Not really - on a machine that has a local syslog daemon (e.g. your
>> typical *nix), programs syslog to the local daemon, which may be
>> configured to forward messages to a central log server or somesuch.
>> Such forwarded messages will have source port 514 on all syslogd

>
>Yes, in this particular case it is possible for the messages to be
>reaching the 'master' syslog server FROM port 514 because they are
>being forwarded.
>
>> Machines that don't have a syslog daemon can certainly send syslog
>> messages with source port 514 too - and according to RFC 3164 they
>> should.

>
>This is correct.


So if both cases are correct, what do you mean by "in this particular
case" for the first one?

--Per Hedeland

 