logging proftpd question


  1. #1

    logging proftpd question

    Presently all my proftpd logging goes to /var/log/messages but
    it is clogging that file because I have an ftp login every couple of
    minutes. I want to redirect proftpd logging. I tried putting

    proftpd:* /var/log/proftpd.log

    in my /etc/syslog.conf

    but syslogd complains;
    syslogd: unknown facility name "proftpd"

    looking at the man page for proftpd it says;

    Each successful and failed ftp(1) session is logged using syslog with a
    facility of LOG_FTP. Note: LOG_FTP messages are not displayed by sys-
    logd(8) by default, and may have to be enabled in syslogd(8)'s configu-
    ration file.


    So I tried;

    LOG_FTP:* /var/log/proftpd.log

    still no go.

    I am unfamiliar with logging. Can someone help me along here?

    --
    David Banning Guest

  3. #2

    Re: logging proftpd question

    On Tue, Feb 22, 2005 at 01:35:25AM -0500, David Banning wrote:
    > Presently all my proftpd logging goes to /var/log/messages but
    > it is clogging that file because I have an ftp login every couple of
    > minutes. I want to redirect proftpd logging. I tried putting
    >
    > proftpd:* /var/log/proftpd.log
    >
    > in my /etc/syslog.conf
    >
    > but syslogd complains;
    > syslogd: unknown facility name "proftpd"
    >
    > looking at the man page for proftpd it says;
    >
    > Each successful and failed ftp(1) session is logged using syslog with a
    > facility of LOG_FTP. Note: LOG_FTP messages are not displayed by sys-
    > logd(8) by default, and may have to be enabled in syslogd(8)'s configu-
    > ration file.
    >
    >
    > So I tried;
    >
    > LOG_FTP:* /var/log/proftpd.log
    >
    > still no go.
    >
    > I am unfamiliar with logging. Can someone help me along here?
    >
    > --
    $ man syslog.conf
    <snip>
    The facility describes the part of the system generating the message, and
    is one of the following keywords: auth, authpriv, console, cron, daemon,
    ftp, kern, lpr, mail, mark, news, ntp, security, syslog, user, uucp and
    local0 through local7. These keywords (with the exception of mark) cor-
    respond to similar ``LOG_'' values specified to the openlog(3) and
    syslog(3) library routines.
    <snip>

    I believe the syntax you want is

    ftp.* /var/log/proftpd.log

    Make sure the logfile exists (and is writable),
    otherwise I think syslog will complain.

    - James Cook
    james.cook@utoronto.ca
    James Alexander Cook Guest

  4. #3

    Re: logging proftpd question

    > I believe the syntax you want is
    >
    > ftp.* /var/log/proftpd.log
    >
    > Make sure the logfile exists (and is writable),
    > otherwise I think syslog will complain.
    Thanks, fellow Torontonian, for your reply.

    I tried your suggestion previous to my posting, with no result.

    Now, could something in the;


    I tried your suggestion previous to my posting, with no result. I
    also did a "touch /var/log/proftpd.log" and "chmod 600
    /var/log/proftpd.log"

    The line;

    *.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages

    is what is grabbing the messages I want to redirect. (I believe *.notice)

    I just wonder if the line I just mentioned takes the log entry, if another
    can still take it. Can a log entry only be logged once? Or can you have
    it go to multiple files? (via multiple syslog.conf entries)

    It sure would be easier if in the log entry it said "ftp.notice" or
    some such thing so you -know- how it is being directed.

    I have tried running syslog with -d and -vv and there seems to be no
    indication of what facility name is used.


    --
    David Banning Guest

  5. #4

    Re: logging proftpd question

    On Tue, Feb 22, 2005 at 02:31:03PM -0500, David Banning wrote:
    > > I believe the syntax you want is
    > >
    > > ftp.* /var/log/proftpd.log
    > >
    > > Make sure the logfile exists (and is writable),
    > > otherwise I think syslog will complain.
    >
    > Thanks, fellow Torontonian, for your reply.
    >
    > I tried your suggestion previous to my posting, with no result.
    >
    > Now, could something in the;
    >
    >
    > I tried your suggestion previous to my posting, with no result. I
    > also did a "touch /var/log/proftpd.log" and "chmod 600
    > /var/log/proftpd.log"
    >
    > The line;
    >
    > *.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
    >
    > is what is grabbing the messages I want to redirect. (I believe *.notice)
    >
    > I just wonder if the line I just mentioned takes the log entry, if another
    > can still take it. Can a log entry only be logged once? Or can you have
    > it go to multiple files? (via multiple syslog.conf entries)
    I'm pretty sure a log entry can go to as many files as you want. For example,
    my syslog.conf file currently has

    *.err;kern.debug;auth.notice;mail.crit /dev/console
    *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
    security.* /var/log/security
    auth.info;authpriv.info /var/log/auth.log
    mail.info /var/log/maillog
    lpr.info /var/log/lpd-errs
    ftp.info /var/log/xferlog
    cron.* /var/log/cron
    *.=debug /var/log/debug.log
    *.emerg *
    *.* /var/log/all.log
    !startslip
    *.* /var/log/slip.log
    !ppp
    *.* /var/log/ppp.log

    All of my log messages end up in /var/log/all.log, even though they're also put in /var/log/messages.

    The only thing I can think of is that you might have a program or hostname
    specification that's messing things up (any line starting with !, #!, + or +!).
    Anything following such a line will only apply to certain things; for example,
    the only things that end up in /var/log/ppp.log in my configuration are
    ppp-related messages (even though the ppp.log line starts with *.*).

    That's all I can think of, anyway. I never touched my syslog.conf file before
    a few days ago, so I'm hardly an authority.
    >
    > It sure would be easier if in the log entry it said "ftp.notice" or
    > some such thing so you -know- how it is being directed.
    >
    > I have tried running syslog with -d and -vv and there seems to be no
    > indication of what facility name is used.
    >
    - James Cook
    james.cook@utoronto.ca
    James Alexander Cook Guest
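
The routing behaviour discussed in this thread (one message matching several syslog.conf lines, and a `!program` line limiting every line after it), as an added example that is not part of any post: a simplified Python model of syslog.conf matching. The names `route`, `selector_matches` and `SAMPLE_CONF` are made up for this sketch; hostname (`+`) blocks and the `mark` and `security` special cases are not modelled.

```python
# Added example: a simplified model of syslog.conf routing, not syslogd's own code.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample config, modelled on the lines quoted in the thread.
SAMPLE_CONF = """\
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
ftp.* /var/log/proftpd.log
*.* /var/log/all.log
!ppp
*.* /var/log/ppp.log
"""

def selector_matches(selectors, facility, level):
    """Apply ';'-separated selectors left to right; the last selector that
    names this facility (or '*') decides, so mail.crit overrides *.notice."""
    matched = False
    for sel in selectors.split(";"):
        facs, _, lvl = sel.partition(".")
        if not {"*", facility} & set(facs.split(",")):
            continue
        if lvl == "none":
            matched = False
        elif lvl == "*":
            matched = True
        elif lvl.startswith("="):          # exact level only
            matched = level == lvl[1:]
        else:                              # this level or more severe
            matched = LEVELS.index(level) <= LEVELS.index(lvl)
    return matched

def route(conf, facility, level, program):
    """Return every action (log file) that would receive the message."""
    block, out = "*", []                   # '*' block applies to all programs
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith(("!", "#!")):   # program block: limits later lines
            block = line.lstrip("#!").strip() or "*"
            continue
        if not line or line[0] in "#+-":   # comment, or host block (ignored)
            continue
        selectors, action = line.split(None, 1)
        if block in ("*", program) and selector_matches(selectors, facility, level):
            out.append(action)
    return out

if __name__ == "__main__":
    for fac in ("ftp", "daemon"):
        print(fac, route(SAMPLE_CONF, fac, "notice", "proftpd"))
```

A message logged under a facility other than `ftp` still reaches `/var/log/messages` through `*.notice` but never reaches the `ftp.*` line, and an `ftp.*` line placed below `!ppp` receives nothing from other programs.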
