msgid missing from syslog messages
    msgid missing from syslog messages  
Patrick Beckhelm




 
10-16-04 02:29 AM

Greetings,

I've done quite a bit of searching on this and haven't found anything
that's been helpful for me.

First, the problem:

I have messages appearing in /var/adm/messages that don't have a
"facility.level" indicator to tell me what facility they're being
logged to.  The reason this is a problem is that I have multiple
copies of the same message in at least two files, and I'm looking to
pare down the traffic in the messages file and keep the relevant
messages in their respective logfile (in this case it's firewall error
messages).

Second, what I've done to try to solve this:

I've tried a number of things including:

- commenting lines out in the syslog.conf to prevent _anything_ from
logging to a given facility (process of elimination).  This didn't
work. The messages kept flowing to both logfiles.

- using the exemption syntax that I found in the man page for
syslog.conf, like so:  *.notice;local7.none (supposed to log
everything that's of notice severity except from local7 facility)

- manually set the msgid=1 in /kernel/drv/log.conf (though, I'm
running Sol9 and it would seem to be on by default...I'm grasping at
straws here)

---

Now, I'm just looking for some help.  Here's a sample of the message
that's showing up in my messages file (as well as the other logfile)
that I'm looking to NOT have logged to messages:

Oct 13 17:16:21 firewall.example.com Oct 13 2004 17:16:19:
%PIX-3-106011: Deny inbound (No xlate) tcp src
outside:192.168.1.1/4042 dst outside:10.200.1.1/113

(I changed a few things to anonymize the message)

Note how there's a lack of facility.level. Other messages do have that
included, however:

Oct 13 01:14:53 box.example.com sshd[15487]: [ID 800047 auth.crit]
fatal: Read from socket failed: Connection reset by peer

---

Any help would be greatly appreciated.

Thanks!

patrick








    Re: msgid missing from syslog messages  
Kevin Collins




 
10-16-04 02:29 AM

In article <10da28ca.0410131635.9eb27d2@posting.google.com>, Patrick Beckhelm wrote:
> Greetings,
>
> I've done quite a bit of searching on this and haven't found anything
> that's been helpful for me.
>
> First, the problem:
>
> I have messages appearing in /var/adm/messages that don't have a
> "facility.level" indicator to tell me what facility they're being
> logged to.  The reason this is a problem is that I have multiple
> copies of the same message in at least two files, and I'm looking to
> pare down the traffic in the messages file and keep the relevant
> messages in their respective logfile (in this case it's firewall error
> messages).
>
> Second, what I've done to try to solve this:
>
> I've tried a number of things including:
>
> - commenting lines out in the syslog.conf to prevent _anything_ from
> logging to a given facility (process of elimination).  This didn't
> work. The messages kept flowing to both logfiles.
>
> - using the exemption syntax that I found in the man page for
> syslog.conf, like so:  *.notice;local7.none (supposed to log
> everything that's of notice severity except from local7 facility)
>
> - manually set the msgid=1 in /kernel/drv/log.conf (though, I'm
> running Sol9 and it would seem to be on by default...I'm grasping at
> straws here)
>
> ---
>
> Now, I'm just looking for some help.  Here's a sample of the message
> that's showing up in my messages file (as well as the other logfile)
> that I'm looking to NOT have logged to messages:
>
> Oct 13 17:16:21 firewall.example.com Oct 13 2004 17:16:19:
> %PIX-3-106011: Deny inbound (No xlate) tcp src
> outside:192.168.1.1/4042 dst outside:10.200.1.1/113
>
> (I changed a few things to anonymize the message)
>
> Note how there's a lack of facility.level. Other messages do have that
> included, however:
>
> Oct 13 01:14:53 box.example.com sshd[15487]: [ID 800047 auth.crit]
> fatal: Read from socket failed: Connection reset by peer

I know very little about Solaris 9, but in general you have to restart (or
reload) the syslog daemon before it recognizes changes to syslog.conf - have
you done that? See 'man syslogd' for more info.

Kevin








    Re: msgid missing from syslog messages  
Patrick Beckhelm




 
10-16-04 02:29 AM

spamtotrash@toomuchfiction.com (Kevin Collins) wrote in message news:<slrncmtp6l.b5.spamtotrash@doom.unix-guy.com>...
> I know very little about Solaris 9, but in general you have to restart (or
> reload) the syslog daemon before it recognizes changes to syslog.conf - have
> you done that? See 'man syslogd' for more info.
>
> Kevin

Yes, this is not my first day as an admin. I've HUP'ed syslogd
many-a-time, none of which solved this problem.

I fail to see how the originating machine's type has anything to do
with whether a msgid would be assigned to a syslog message.  I was
under the impression that msgid itself actually was called on the
syslog server and applied to each incoming message.  Is this wrong? If
so, then this explains my problem.  If not, however, then something is
causing these messages to be exempted from the normal syslog
processing that other messages go through.

patrick
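
An added example, not part of the original thread: a triage script that separates lines carrying the Solaris "[ID msgid facility.level]" tag from lines without it and counts the untagged ones per sending host, so the sources behind the duplicate entries can be identified. The sample lines are constructed from the two messages quoted in the thread (unwrapped to one line each, plus one constructed variation); reading the middle digit of %PIX-3-106011 as a syslog severity follows Cisco's message-code format and is the only level information such a line carries.

```python
import re
from collections import Counter

# Solaris msgid tag as shown in the thread: "[ID 800047 auth.crit]"
TAG_RE = re.compile(r"\[ID (\d+) ([a-z0-9]+)\.([a-z]+)\]")
# Timestamp and hostname written by the receiving syslogd
HEAD_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
# Cisco message code, e.g. "%PIX-3-106011": severity digit, then message number
PIX_RE = re.compile(r"%PIX-([0-7])-(\d+)")
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def classify(line):
    """Return host/tag details for one messages-file line, or None if unparsable."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    _, host, rest = m.groups()
    rec = {"host": host, "tagged": False, "facility": None,
           "level": None, "pix_id": None}
    tag = TAG_RE.search(rest)
    if tag:
        rec.update(tagged=True, facility=tag.group(2), level=tag.group(3))
    pix = PIX_RE.search(rest)
    if pix:
        rec["pix_id"] = pix.group(2)
        if not tag:
            # No facility is recoverable here; level comes from the Cisco code only.
            rec["level"] = LEVELS[int(pix.group(1))]
    return rec

def untagged_by_host(lines):
    """Count lines lacking the [ID ...] tag, grouped by sending host."""
    counts = Counter()
    for line in lines:
        rec = classify(line)
        if rec and not rec["tagged"]:
            counts[rec["host"]] += 1
    return counts

# Constructed sample input based on the messages quoted in the thread.
SAMPLE = [
    "Oct 13 17:16:21 firewall.example.com Oct 13 2004 17:16:19: %PIX-3-106011: "
    "Deny inbound (No xlate) tcp src outside:192.168.1.1/4042 dst outside:10.200.1.1/113",
    "Oct 13 01:14:53 box.example.com sshd[15487]: [ID 800047 auth.crit] "
    "fatal: Read from socket failed: Connection reset by peer",
    "Oct 13 17:16:25 firewall.example.com Oct 13 2004 17:16:23: %PIX-3-106011: "
    "Deny inbound (No xlate) tcp src outside:192.168.1.1/4043 dst outside:10.200.1.1/113",
]

if __name__ == "__main__":
    for host, n in untagged_by_host(SAMPLE).items():
        print(f"{host}: {n} untagged line(s)")
```

To run it against a real file, pass the open file object for /var/adm/messages to untagged_by_host() in place of SAMPLE.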




