  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3233

syslogd error, unknown facility name

I am trying to get my Cisco PIX firewall to write its logs to my Linux RHES machine.  Of the 7 syslog facility options, I tried LOCAL0(16), LOCAL7(23) and LOCAL4(20).  I enabled trap logging at both informational and debugging levels.  On "show logging" I can see that messages are being logged (313684 and counting), but I don't know where these messages are going.
My latest pix config file shows:
logging on
logging timestamp
logging trap debugging
logging device-id hostname
logging host inside 10.0.1.103

When I select a facility other than LOCAL4(20), the config file also shows
logging facility 16 (or 23)
but this line does not appear in the config file if LOCAL4(20) is selected.  It may not appear due to some system default, more on this below.

My syslogd.conf file had only these lines:
Title = "Syslogd"
LogFile = messages
*OnlyService = syslogd
*RemoveHeaders

So I added:
local4.debug    /var/log/messages
that's the latest - I also tried
local0.info, local7.debug, and with a destination of /var/log/cisco/route,  a path/file I had created with 644 permissions.
I was careful to use no spaces, only tabs in this line of the syslogd.conf file, and restarted syslogd each time, looking for errors.
/var/log/messages shows no errors, but syslogd -d shows this error:
cfline(LOCAL(4)20.*               /var/log/cisco)/var/log/cisco)
symbolic name: * ==> 255
symbolic name: LOCAL(4)20Called logerr, msg: unknown facility name "LOCAL(4)20"
logmsg: syslog.err<43>, flags 4, from alice, msg syslogd: unknown facility name "LOCAL(4)20"

The same error shows up regardless of what's in my syslogd.conf file and regardless of the facility selected on the pix! I have tried to sync changes to the syslogd file with changes to the pix as follows:
change syslogd
reboot syslogd
change pix
apply changes to pix, check running config and/or reboot

Pls explain these errors and how to fix them, thanks

 

klukac
Asked:
 
joju Commented:
1. Take a backup of /etc/syslog.conf

2. Add the following to /etc/syslog.conf and remove other newly configured options

*.*     /var/log/test.log

3. Add -r to SYSLOGD_OPTIONS in file /etc/sysconfig/syslog

SYSLOGD_OPTIONS="-m 0 -r"

4. Restart syslogd

5. Check /var/log/test.log for logs from pix
 
harbor235 Commented:
Your latest pix syslog config does not include which logging facility you are using. You must also use "logging facility localX"
to complete the config. Then on the syslog server you must make additions to the syslogd.conf file for that logging facility.
"localX.*"  will allow you to log any messages for that facility.  You then must stop and restart syslogd ( kill -HUP <process id, syslogd>)

harbor235
 
klukac (Author) Commented:
Thank you joju!  At some point I had made an error in /etc/syslog.conf and then forgot to check there, thinking the conf file was at
/etc/log.d/conf/services/syslogd.conf.  
My log file for the pix now shows something (that syslogd was restarted) but I would like to see the rest of the files, so I'm ready for the next step here, thanks.
 
klukac (Author) Commented:
harbor, I changed the syslogd.conf file from local0.debug to local0.* and made sure the cisco reflects the same facility selection - which does show up in the config file.  It wasn't doing that consistently earlier, possibly due to errors which are now fixed.  

However there's no change to the cisco logfile on my linux host, just another entry for a syslogd restart.  syslogd -d shows no errors, but "show logging" continues to track an increasing number of messages, and I don't know where they're going.  Unfortunately, the pix device manager is not very helpful, it times out when I try to view some of the logging options, so I'll have to stick to the text of the config file for logging entries, which are:
logging on
logging timestamp
logging trap debugging
logging facility 16              #this corresponds to local0
logging device-id hostname
logging host inside alice        #alice is my linux hostname
 
joju Commented:
Hi,

Hope you have added -r to SYSLOGD_OPTIONS in file /etc/sysconfig/syslog

SYSLOGD_OPTIONS="-m 0 -r"

Note: -r option is for allowing remote logging in syslog server.


Also try giving syslog-server's IP address in pix rather than host name.

Thanks,
Joju.
 
klukac (Author) Commented:
yep, I did add the -r option to SYSLOGD_OPTIONS
the pix shows the ip address or the host name, it's just a matter of whether you send the "no names" option to view the config file, which maps hostnames to ip addresses
the pix is directly connected to the linux host, not just via ethernet, but also through a serial connection which is my backup for pix configuration.  Of course, to activate that connection I have to launch minicom, which isn't running, so I don't think that this would interfere with syslog output.  
 
klukac (Author) Commented:
I rebooted my linux host, and the problem is fixed :)
now I'll proceed to limit the output to that file, or it'll get enormous before long
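
Added example, not part of any post in this thread: a small checker for the two things the thread turns on, namely whether a syslog.conf selector uses a facility name syslogd will accept, and how the PIX "logging facility N" numbers and the <43> in the debug output map to names. The function names are hypothetical, and the name tables and case-insensitive matching are assumptions based on the standard sysklogd selector names.

```python
# Added example: syslog.conf selector check and PRI decoding (not from the thread).
# Facility names by numeric code; codes 12-15 have no name in syslog.conf.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", None, None, None, None,
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Aliases and wildcards accepted in selectors (assumed set; matched case-insensitively).
FACILITY_NAMES = {f for f in FACILITIES if f} | {"security", "mark", "*"}
PRIORITY_NAMES = set(SEVERITIES) | {"warn", "error", "panic", "none", "*"}

def pix_facility_name(code):
    """Map a PIX 'logging facility N' number (16-23) to its syslog.conf name."""
    if not 16 <= code <= 23:
        raise ValueError("PIX facility must be 16..23, got %r" % code)
    return FACILITIES[code]

def decode_pri(pri):
    """Split a syslog PRI value (<N> on the wire) into (facility, severity)."""
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]

def check_rule(line):
    """Return a list of problems found in one syslog.conf rule line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    parts = line.split(None, 1)          # selector field, then action field
    if len(parts) != 2:
        return ["missing action field"]
    problems = []
    for selector in parts[0].split(";"):
        facs, dot, pri = selector.rpartition(".")
        if not dot:
            problems.append('selector "%s" has no ".priority" part' % selector)
            continue
        for fac in facs.split(","):
            if fac.lower() not in FACILITY_NAMES:
                problems.append('unknown facility name "%s"' % fac)
        if pri.lstrip("!=").lower() not in PRIORITY_NAMES:
            problems.append('unknown priority name "%s"' % pri)
    return problems

if __name__ == "__main__":
    # Sample rules taken from the thread (the first is the one syslogd -d rejected).
    for rule in ["LOCAL(4)20.*               /var/log/cisco",
                 "local4.debug\t/var/log/messages", "local0.*\t/var/log/cisco/route"]:
        print(repr(rule), "->", check_rule(rule) or "ok")
    print("PIX facility 16 ->", pix_facility_name(16), "| PRI 43 ->", decode_pri(43))
```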
