thanks to all who responded:
Franz.Fischer_at_lpr.e-technik.tu-muenchen.de
neil.luff_at_capgemini.co.uk
pw_at_EBC.VBE.Dec.com
georg.tasman_at_db.com
kfdc_at_gerulf.acsu.unsw.edu.au
most answers pointed to exactly the right point:
by applying jumbo patch #7 a more secure version of the syslogd is installed, which requires a file /etc/syslog.auth. this is explicitly mentioned in the installation instructions of JP#7 !!!!:
-------------<8------------------
Special Instructions for Patch 425.00 - syslogd Correction
The following release note provides information for installing a new version
of the syslogd command. If your system is configured to forward syslog messages
from one host to another, become superuser (for example, root) and manually
create a /etc/syslog.auth file.
The /etc/syslog.auth file specifies which remote hosts are allowed to forward
syslog messages to the local host. Each remote host name should appear in a
separate line in the /etc/syslog.auth file. A line that starts with the '#'
character is considered as a comment and is ignored. A host name must be a
complete domain name for example, trout.nyc.com. If a domain host name is
given, it must either appear in the local /etc/hosts file or be able to be
resolved by the name server (for example, BIND) that is running on the system.
Note that a host name can have at most as many characters as defined by the
MAXHOSTNAMELEN constant in <sys/param.h>. However, each line in the
/etc/syslog.auth file can have up to 512 characters.
The /etc/syslog.auth file must be owned by root and have permissions set to
0600.
Unless the domain host name of a remote host is given in the local
file, the local host will not log any syslog messages from that remote host.
If the /etc/syslog.auth file does not exist or it exists but is empty or has
no valid remote host names in it, the system will assume no remote host is
allowed to forward syslog messages to the local host.
-------------<8------------------
one guess though was that syslogd does not accept multiple entries for the same (facility/priority)-pair
the writer claimed that a second definition will override the first one. this is definitely not true for our versions here (DU4.0B,JP#7) - so if one is interested in having a local copy of some important logs - which would definitely improve security a bit - here's a reason to install this patch ....
thanks again.
torsten
ORIGINAL MESSAGE:
Date: Fri, 30 Oct 1998 09:54:11 +0100 (MET)
From: Torsten Mohrbach <mohrbach_at_canetoad.mpib-berlin.mpg.de>
Subject: syslog configuration
To: alpha-osf-managers_at_ornl.gov (osf-man)
Reply-To: mohrbach_at_mpib-berlin.mpg.de
Message-Id: <9810300854.AA21777_at_canetoad.mpib-berlin.mpg.de>
dear managers,
i'm trying to set up a sysloghost on our local network (small: 6 stations),
but i'm having problems that our sysloghost doesn't collect the information
coming from the clients:
sysloghost:/etc/syslog.conf:
------
# syslogd config file
# master logging host
#
local6.info /var/adm/tcpd.log
daemon.debug /var/adm/ftp.log
syslogclient:/etc/syslog.conf:
------
# syslogd config file
# log-client
#
local6.info @sysloghost
daemon.debug @sysloghost
local6.info /var/adm/tcpd.log
daemon.debug /var/adm/ftp.log
the ip-name 'sysloghost' is known by the client (/etc/hosts)
a 'logger -p daemon.debug daemon_event_on_client' on the client has the
correct entry in the client's log-file as a result, but none on the host
the host only records its own events .... (so it's not a problem with tabs
or missing files)
what am i missing?????
torsten
--
* torsten mohrbach
* mpi for human development ~ center for adaptive behavior and cognition
* lentzealle 94 ~ 14195 berlin ~ germany
* phone: (+49) 30 82406-351 ~ fax: (+49) 30 82406-394
* net: mohrbach_at_mpib-berlin.mpg.de ~ http://www.mpib-berlin.mpg.de/abc
Received on Fri Oct 30 1998 - 12:44:18 NZDT
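
A checker for the /etc/syslog.auth rules quoted from the release note above, written as an added example; it is not part of the original posting or of the patch. The function names and the MAXHOSTNAMELEN value of 256 are assumptions (take the real value from <sys/param.h>), as is the handling of leading and trailing whitespace.

```python
import os, socket, stat, sys

MAXHOSTNAMELEN = 256  # assumed value; take the real one from <sys/param.h>
MAX_LINE = 512        # per-line limit given in the release note

def parse_auth(text, resolver=socket.gethostbyname):
    """Return (allowed_hosts, [(line_no, problem), ...]) for syslog.auth contents."""
    allowed, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        name = raw.strip()  # assumption: surrounding whitespace is not significant
        if not name or name.startswith("#"):
            continue        # blank line or comment
        if len(raw) > MAX_LINE:
            problems.append((n, "line longer than 512 characters"))
        elif len(name) > MAXHOSTNAMELEN:
            problems.append((n, "host name longer than MAXHOSTNAMELEN"))
        elif "." not in name:
            problems.append((n, "not a complete domain name"))
        else:
            try:
                resolver(name)  # must resolve via /etc/hosts or the name server
            except OSError:
                problems.append((n, "does not resolve"))
            else:
                allowed.append(name)
    return allowed, problems

def audit(path="/etc/syslog.auth", resolver=socket.gethostbyname, owner_uid=0):
    """Return (allowed_hosts, problems) for the file at path."""
    try:
        st = os.stat(path)
        with open(path) as f:
            allowed, bad = parse_auth(f.read(), resolver)
    except FileNotFoundError:
        return [], ["file missing: no remote host may forward messages"]
    problems = [f"line {n}: {msg}" for n, msg in bad]
    if st.st_uid != owner_uid:
        problems.insert(0, f"owner uid is {st.st_uid}, must be {owner_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.insert(0, f"mode is {mode:04o}, must be 0600")
    if not allowed:
        problems.append("no valid host names: all remote messages are ignored")
    return allowed, problems

if __name__ == "__main__":
    hosts, issues = audit(*sys.argv[1:2])
    print("accepted forwarders:", ", ".join(hosts) or "none")
    for issue in issues:
        print("problem:", issue)
```

Run it as root on the log host; an empty "accepted forwarders" list corresponds to the symptom in the original message, where the host records only its own events.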