From archie@whistle.com  Tue Apr 14 01:46:50 1998
Received: from whistle.com (s205m131.whistle.com [207.76.205.131])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA15311
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 14 Apr 1998 01:46:50 GMT
          (envelope-from archie@whistle.com)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id SAA08590 for <FreeBSD-gnats-submit@freebsd.org>; Mon, 13 Apr 1998 18:46:19 -0700 (PDT)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3)
	id sma008588; Mon Apr 13 18:46:05 1998
Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id SAA06474; Mon, 13 Apr 1998 18:46:05 -0700 (PDT)
Message-Id: <199804140146.SAA06474@bubba.whistle.com>
Date: Mon, 13 Apr 1998 18:46:05 -0700 (PDT)
From: Archie Cobbs <archie@whistle.com>
Reply-To: archie@whistle.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: syslogd cannot put kernel loggings into separate files
X-Send-Pr-Version: 3.2

>Number:         6292
>Category:       bin
>Synopsis:       [PATCH] syslogd cannot put kernel loggings into separate files
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 13 18:50:01 PDT 1998
>Closed-Date:    Wed Jun 10 10:15:37 PDT 1998
>Last-Modified:  Wed Jun 10 10:16:36 PDT 1998
>Originator:     Archie Cobbs
>Release:        FreeBSD 2.2.6-RELEASE i386
>Organization:
Whistle Communications, Inc.
>Environment:

	FreeBSD 2.2.6-RELEASE

>Description:

	Using syslogd, all messages logged by the kernel must go
	into a single file, whereas with user programs, you can
	"fork" output from different programs into different files,
	by using this construct in /etc/syslogd.conf:

	  !ftpd
	  *.*             /var/log/ftp
	  !ppp
	  *.*             /var/log/ppp.log

	My proposal is to allow this to work on messages from the
	kernel that have a "program" prefix, i.e., the message begins
	with alphanumerics followed by a colon character.

	Then you can do this:

	  !ipfw
	  *.*             /var/log/ipfw

	Since all ipfw rule matches are logged with the prefix "ipfw:"
	then they will all get sent to /var/log/ipfw instead of
	/var/log/messages.

	Admittedly, this is something of a hack.. but until someone
	comes up with a better system, this would be nice to have..

>How-To-Repeat:

	Match a logging ipfw rule. Watch the result go to
	/var/log/messages and get lost in the chaos.

>Fix:

Apply patch below to syslogd.c:

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->suspended 
State-Changed-By: phk 
State-Changed-When: Tue May 19 23:03:15 PDT 1998 
State-Changed-Why:  
awaiting committer 

From: Archie Cobbs <archie@whistle.com>
To: freebsd-gnats-submit@freebsd.org
Cc:
Subject: Re: bin/6292: [PATCH] syslogd cannot put kernel loggings into separate files
Date: Tue, 9 Jun 1998 17:58:01 -0700 (PDT)

 Here is a better patch that works for both log() and printf() from
 within the kernel, as well as a man page update.
 
 -Archie
 
 ___________________________________________________________________________
 Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
 
 Index: syslog.conf.5
 ===================================================================
 RCS file: /cvs/freebsd/src/usr.sbin/syslogd/syslog.conf.5,v
 retrieving revision 1.9
 diff -c -r1.9 syslog.conf.5
 *** syslog.conf.5	1997/10/20 12:55:47	1.9
 --- syslog.conf.5	1998/06/10 00:57:28
 ***************
 *** 114,120 ****
   (the former is for compatibility with the previous syslogd, if one is sharing
   syslog.conf files, for example)
   and each block will be associated with calls to syslog from that specific
 ! program.
   .Pp
   See
   .Xr syslog 3
 --- 114,121 ----
   (the former is for compatibility with the previous syslogd, if one is sharing
   syslog.conf files, for example)
   and each block will be associated with calls to syslog from that specific
 ! program. A tag for ``foo'' will also match any message logged by the kernel
 ! with the prefix ``foo: ''.
   .Pp
   See
   .Xr syslog 3
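Review bot: The added sentence documents the kernel prefix as ``foo: '' with a trailing space, but the syslogd.c change only looks for a run of isalnum() characters followed by ':'. No space is required, and a tag containing '-', '_' or '.' can never match a kernel message. Suggest stating the rule as implemented: an alphanumeric prefix at the start of the message, immediately followed by a colon.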
 ***************
 *** 294,299 ****
 --- 295,304 ----
   # Save ftpd transactions along with mail and news
   !ftpd
   *.*							/var/log/spoolerr
 + 
 + # Log kernel firewall reports to a separate file
 + !ipfw
 + *.*							/var/log/ipfw
   .Ed
   .Sh FILES
   .Bl -tag -width /etc/syslog.conf -compact
 Index: syslogd.c
 ===================================================================
 RCS file: /cvs/freebsd/src/usr.sbin/syslogd/syslogd.c,v
 retrieving revision 1.32
 diff -c -r1.32 syslogd.c
 *** syslogd.c	1998/05/19 12:02:41	1.32
 --- syslogd.c	1998/06/10 00:57:29
 ***************
 *** 543,552 ****
   	int c, pri, flags;
   	char *lp, *p, *q, line[MAXLINE + 1];
   
 - 	(void)strcpy(line, bootfile);
 - 	(void)strcat(line, ": ");
 - 	lp = line + strlen(line);
   	for (p = msg; *p != '\0'; ) {
   		flags = SYNC_FILE | ADDDATE;	/* fsync file after write */
   		pri = DEFSPRI;
   		if (*p == '<') {
 --- 543,551 ----
   	int c, pri, flags;
   	char *lp, *p, *q, line[MAXLINE + 1];
   
   	for (p = msg; *p != '\0'; ) {
 + 
 + 		/* Get message priority, if any */
   		flags = SYNC_FILE | ADDDATE;	/* fsync file after write */
   		pri = DEFSPRI;
   		if (*p == '<') {
 ***************
 *** 561,566 ****
 --- 560,577 ----
   		}
   		if (pri &~ (LOG_FACMASK|LOG_PRIMASK))
   			pri = DEFSPRI;
 + 
 + 		/* See if kernel provided a prefix; if not, use kernel name */
 + 		for (q = p; *q && isalnum(*q); q++);
 + 		if (*q == ':') {
 + 			lp = line;
 + 		} else {
 + 			(void)strcpy(line, bootfile);
 + 			(void)strcat(line, ": ");
 + 			lp = line + strlen(line);
 + 		}
 + 
 + 		/* Append message body to prefix */
   		q = lp;
   		while (*p != '\0' && (c = *p++) != '\n' &&
   		    q < &line[MAXLINE])
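Review bot: In the added prefix scan, for (q = p; *q && isalnum(*q); q++); passes a plain char to isalnum(), so a byte with the high bit set in a kernel message becomes a negative argument; cast it to (unsigned char). The test if (*q == ':') also succeeds when q == p, so a line that starts with ':' is logged with no prefix at all; require q > p as well. In the else branch, strcpy()/strcat() of bootfile into line[MAXLINE + 1] now runs for every line and nothing in the hunk bounds it, so a length-checked copy would be safer. Putting the empty loop body on its own line (continue;) would make the scan easier to read.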
State-Changed-From-To: suspended->closed 
State-Changed-By: julian 
State-Changed-When: Wed Jun 10 10:15:37 PDT 1998 
State-Changed-Why:  
patch (or variant of it) applied 
>Unformatted:
 >From owner-freebsd-isp@freebsd.org Wed Mar 25 11:56:44 1998
 From: Archie Cobbs <archie@whistle.com>
 Message-Id: <199803251954.LAA15909@bubba.whistle.com>
 Subject: Re: ipfw logging...
 In-Reply-To: <35195EC2.4506F2DB@san.rr.com> from Studded at "Mar 25, 98 11:45:06 am"
 To: Studded@san.rr.com (Studded)
 Date: Wed, 25 Mar 1998 11:54:57 -0800 (PST)
 Cc: isp@freebsd.org
 X-Mailer: ELM [version 2.4ME+ PL31 (25)]
 Sender: owner-freebsd-isp@freebsd.org
 X-Loop: FreeBSD.org
 
 Studded writes:
 > Archie Cobbs wrote:
 > > Try adding this to /etc/syslog.conf:
 > > 
 > >   !ipfw
 > >   *.*             /var/log/ipfw
 > 
 > 	This doesn't work. IPFW logs to the kernel facility, although I
 > wouldn't mind seeing an option to change that. :)
 
 Yeah.. we do this on the InterJet and I forgot it was a custom hack.
 Try the following patch to syslogd.c and see if that helps. If so,
 I'll file the patch in a send-pr bug.
 
 -Archie
 
 ___________________________________________________________________________
 Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com
 
 *** syslogd.c	Mon Mar  9 05:56:07 1998
 --- /usr/prod/ia/whistle/bin/syslogd/syslogd.c	Wed Nov 26 15:37:39 1997
 ***************
 *** 537,544 ****
   	int c, pri, flags;
   	char *lp, *p, *q, line[MAXLINE + 1];
   
 ! 	(void)strcpy(line, bootfile);
 ! 	(void)strcat(line, ": ");
   	lp = line + strlen(line);
   	for (p = msg; *p != '\0'; ) {
   		flags = SYNC_FILE | ADDDATE;	/* fsync file after write */
 --- 464,477 ----
   	int c, pri, flags;
   	char *lp, *p, *q, line[MAXLINE + 1];
   
 ! 	/* See if kernel has provided a "program" prefix already */
 ! 	for (p = msg; *p && isalnum(*p); p++);
 ! 	if (*p == ':' && (p - msg) < MAXLINE) {
 ! 		*line = 0;			/* Use kernel's prefix */
 ! 	} else {
 ! 		(void)strcpy(line, bootfile);	/* Prefix with bootfile name */
 ! 		(void)strcat(line, ": ");
 ! 	}
   	lp = line + strlen(line);
   	for (p = msg; *p != '\0'; ) {
   		flags = SYNC_FILE | ADDDATE;	/* fsync file after write */
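Review bot: The prefix test at the top, for (p = msg; *p && isalnum(*p); p++);, runs once on the raw start of msg, before the per-line loop, so it only examines the first line of the buffer and fails whenever that line begins with something other than the tag (a '<' priority marker, for instance); its result is then applied to every line the loop handles. Move the test inside the loop, after the priority has been consumed. The (p - msg) < MAXLINE condition guards nothing here because the prefix is not copied at this point, and isalnum() should be given an (unsigned char) argument.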
 

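The prefix rule proposed in this PR (a kernel line that begins with alphanumerics followed by a colon is routed by that tag), written out as an added example that is not part of the PR or of syslogd.c. The names kernel_tag and block_matches, the 32-byte tag buffer and the exact-match comparison are assumptions of the example; it also handles the empty-tag, high-bit-byte and over-long-tag cases.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not from syslogd.c: copy the "program" tag of one
 * kernel log line into tag[]. Returns its length, or 0 if there is none. */
size_t
kernel_tag(const char *line, char *tag, size_t tagsize)
{
	const char *p = line, *q;
	size_t len;

	if (*p == '<') {	/* skip an optional <pri> marker */
		for (q = p + 1; isdigit((unsigned char)*q); q++)
			continue;
		if (q > p + 1 && *q == '>')
			p = q + 1;
	}
	/* Cast: plain char may be negative, which isalnum() must not see */
	for (q = p; isalnum((unsigned char)*q); q++)
		continue;
	len = (size_t)(q - p);
	/* Reject an empty tag, a missing colon, or a tag that will not fit */
	if (len == 0 || *q != ':' || len >= tagsize)
		return (0);
	memcpy(tag, p, len);
	tag[len] = '\0';
	return (len);
}

/* Would a "!prog" block select this kernel line? (exact tag match) */
int
block_matches(const char *prog, const char *line)
{
	char tag[32];	/* size chosen for this example */

	return (kernel_tag(line, tag, sizeof(tag)) > 0 && strcmp(tag, prog) == 0);
}

int
main(void)
{
	/* Constructed sample lines, not captured from a real system */
	const char *s[] = { "<4>ipfw: sample deny", ": no tag", "ipfwd: other" };

	for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
		printf("%-22s -> !ipfw %s\n", s[i],
		    block_matches("ipfw", s[i]) ? "matches" : "does not match");
	return (0);
}
```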