From Nathan Keeter on Sat, 19 Feb 2000
Is there any way to specify that syslog log all events from a particular host to a particular file?
First I'd have to understand what you mean by "events" (and what you mean by "from" actually).
There are several sorts of "events" that can logged "from" a host. For example the TCP Wrappers (tcpd) that is pre-installed and configured for use by all major Linux distributions will log each access attempt to each wrapper protected service.
You can figure out most of the "wrappered" services by reading the /etc/inetd.conf and looking for references to tcpd on each of the active lines therein. Also note that the portmapper, rcp.mountd and some other "standalone" services might also be "wrappered." They would generally be compiled with and linked to "libwrap" (the TCP Wrappers libraries).
(Anyone interested in this should read the hosts_allow(5) and tcpd(8) man pages).
Another source of log messages "from" a host might be your kernel packet filtering tables. There are options to ipfwadm and ipchains to allow you to output/log messages about packets that match certain packet filtering rules.
(Anyone interested in more details on this should read the ipfwadm(8) and/or ipchains(8) man pages, looking for the -o and -l option respectively).
[ For those of you keeping up with the newer kernel
series, Rusty is trying to encourage people to use
and debug the new netfiler code. See the homepage
for the latest scoreboard.
Yet another source of syslog messages "from" a given host might be that you've configured your syslogd to accept remote (UDP) messages (by adding the appropriate command option to its rc* script), and you've configured the hosts in question to forward their messages to that loghost (using appropriate "@" directives in the /etc/syslog.conf files of the loghost clients).
(Anyone interested in these topics should read the syslogd(8) and syslog.conf(5) man pages).
Obviously any other services my have their own logging features in addition to these.
(Thus you see what I mean by "it depends on what you mean by 'from.'" Do you mean: "log messages from localhost services that involve (stem from interactions with) a host" or do you mean "log messages received by my syslog daemon that were purportely issued from the hosts in question").
Anyway, it is not possible to configure the normal syslog daemon to separate the messsages into separate files based on the hosts from which they were received. The normal configuration directives allow separation and filtering based on the "facility" and "severity" (read that syslog.conf man page for an explanation and lists of these).
One way to do what you want would be to feed the messages into a processing script (awk, or PERL). It's even possible to do this "in real time" by configuring your loghost to feed messages into one or more FIFOs (named pipes) and running your processing script(s) to read from that (or them). Again, the details should be in your syslog.conf man page but the short form would be something like this:
Add a line to /etc/syslog.conf like:
Create "myloggingnode" (conventionally in the /dev/ directory, though a /var/run or other suitable place might be better). Use a command like:
mknod -m 0600 p /dev/myloggingnode
(You'll need to make this writable by your syslog daemon, of course).
Then you just run your PERL or awk script on that.
Another option is to check out one of the alternative syslog systems. I've read a bit about syslog-ng (next generation), and I think it can be configured for what you want. Have a look at:
... or at:
For more on that.
For those interested in other aspects of network system logging and event monitoring across Linux and UNIX systems, I suggest looking at the "secure syslog" (which uses cryptographic techniques to authenticate that messages came from the host that purports to have sent them, etc) and I also recommend "colortail" as a great tool for those who like monitor their systems with 'tail -f' logging.
You can find those at:
- ... and