4.3BSD syslogd for Windows

Continuing from my TACACS adventure, I also thought it would be nice to capture syslogs, and save them. Oddly enough this is a big business, with even low end products like Kiwi Syslog server costing some $295 USD!

Well that’s too much for me, so I figured that the most wide spread at the time must have been the 4.3BSD syslogd, so I’ll start with that.

Just as before this was a pretty straight forward port, I had to remove all the /dev/kmem and UNIX socket stuff, as they obviously don’t exist on Windows.  Just as the same, you can’t “write to users” to send messages, so by default output is a file.  I suppose I could use the net send functionality to pop up a message, but I find it just as annoying today as it was then.

At any rate in no time I was able to setup a simple config file, and then get my router to turn on full logging & enable full debugging to get a continuous stream of messages.  The only ‘gotcha’ is that this sylogd wants to be able to do reverse lookups, so you really ought to have a DNS with reverse entries, or a good hosts file.

syslogd_win32 -d
off & running....
init
cfline(*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;*.debug   log.txt)
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: log.txt
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 UNUSED:
logmsg: pri 56, flags 8, from jaderabbit, msg syslogd: restart
Logging to FILE log.txt
syslogd: restarted
cvthname(192.168.254.10)
logmsg: pri 277, flags 0, from testcisco, msg 2458: 00:24:19: SNMP: HC Timer 619E3D1C fired
Logging to FILE log.txt
cvthname(192.168.254.10)
logmsg: pri 277, flags 0, from testcisco, msg 2459: 00:24:19: SNMP: HC Timer 619E3D1C rearmed, delay = 5000
Logging to FILE log.txt
cvthname(192.168.254.10)
logmsg: pri 277, flags 0, from testcisco, msg 2460: 00:24:21: IP: s=192.168.254.1 (FastEthernet0/0), d=239.255.255.250, len 202, dispose ip.hopcount
Logging to FILE log.txt
cvthname(192.168.254.10)
logmsg: pri 277, flags 0, from testcisco, msg 2461: 00:24:21: IP: s=192.168.254.1 (FastEthernet0/0), d=239.255.255.250, len 202, dispose ip.hopcount
Logging to FILE log.txt
cvthname(192.168.254.10)
logmsg: pri 277, flags 0, from testcisco, msg 2462: 00:24:21: IP: s=192.168.254.1 (FastEthernet0/0), d=239.255.255.250, len 202, dispose ip.hopcount
Logging to FILE log.txt
cvthname(192.168.254.10)
logmsg: pri 277, flags 0, from testcisco, msg 2463: 00:24:21: IP: s=192.168.254.1 (FastEthernet0/0), d=239.255.255.250, len 202, dispose ip.hopcount
Logging to FILE log.txt
cvthname(192.168.254.10)
logmsg: pri 277, flags 0, from testcisco, msg 2464: 00:24:22: SNMP: HC Timer 61875370 fired
Logging to FILE log.txt
cvthname(192.168.254.10)
logmsg: pri 277, flags 0, from testcisco, msg 2465: 00:24:22: SNMP: HC Timer 61875370 rearmed, delay = 20000
Logging to FILE log.txt
cvthname(192.168.254.10)
logmsg: pri 277, flags 0, from testcisco, msg 2466: 00:24:22: IP: s=192.168.254.1 (FastEthernet0/0), d=192.168.254.255 (FastEthernet0/0), len 159, rcvd 3
Logging to FILE log.txt
cvthname(192.168.254.10)
logmsg: pri 277, flags 0, from testcisco, msg 2467: 00:24:22: UDP: rcvd src=192.168.254.1(17500), dst=192.168.254.255(17500), length=139
Logging to FILE log.txt
cvthname(192.168.254.10)
logmsg: pri 277, flags 0, from testcisco, msg 2468: 00:24:22: IP: s=192.168.254.1 (FastEthernet0/0), d=192.168.254.255, len 159, dispose udp.noport
Logging to FILE log.txt

As you can see, running it in debug mode tells me what is going on.  And the log.txt file contains a nicely formatted log file, just the way that it was done on BSD:

Apr 13 13:11:04 jaderabbit syslogd: restart
Apr 13 13:11:17 testcisco 2458: 00:24:19: SNMP: HC Timer 619E3D1C fired
Apr 13 13:11:17 testcisco 2459: 00:24:19: SNMP: HC Timer 619E3D1C rearmed, delay = 5000
Apr 13 13:11:27 testcisco 2460: 00:24:21: IP: s=192.168.254.1 (FastEthernet0/0), d=239.255.255.250, len 202, dispose ip.hopcount
Apr 13 13:11:27 testcisco 2461: 00:24:21: IP: s=192.168.254.1 (FastEthernet0/0), d=239.255.255.250, len 202, dispose ip.hopcount
Apr 13 13:11:27 testcisco 2462: 00:24:21: IP: s=192.168.254.1 (FastEthernet0/0), d=239.255.255.250, len 202, dispose ip.hopcount
Apr 13 13:11:27 testcisco 2463: 00:24:21: IP: s=192.168.254.1 (FastEthernet0/0), d=239.255.255.250, len 202, dispose ip.hopcount
Apr 13 13:11:27 testcisco 2464: 00:24:22: SNMP: HC Timer 61875370 fired
Apr 13 13:11:27 testcisco 2465: 00:24:22: SNMP: HC Timer 61875370 rearmed, delay = 20000
Apr 13 13:11:34 testcisco 2466: 00:24:22: IP: s=192.168.254.1 (FastEthernet0/0), d=192.168.254.255 (FastEthernet0/0), len 159, rcvd 3
Apr 13 13:11:34 testcisco 2467: 00:24:22: UDP: rcvd src=192.168.254.1(17500), dst=192.168.254.255(17500), length=139
Apr 13 13:11:34 testcisco 2468: 00:24:22: IP: s=192.168.254.1 (FastEthernet0/0), d=192.168.254.255, len 159, dispose udp.noport

 

I’m sure it’s full of other bugs, but all I tested was that I could log to a file, and it’s doing that much just fine.  If you feel so inclined you can download & compile it, the source is: syslogd_win32.c

4 thoughts on “4.3BSD syslogd for Windows

    • I found that one on my search, but I was oddly enough more interested in running 4.3BSD’s syslog if it were possible… What do you think of it?

      I have a customer using Kiwi, and it’s painful. Although they do get between 5-20GB worth of syslogs a day… It’s crazy.

  1. Well there’s also Cygwin, which I used in the 90s to run syslogd on Windows 95, and which could probably compile tacacsd just fine and would also provide an /etc/passwd file for account details, but that would all be too easy 🙂

    • I used to use it as well, and the issues are that it’s another layer, and as Microsoft tried to correct the wide open game of memory protection the ‘hacks’ to get a Win32 fork became a nightmare… And of course the performance of going through a layer to do something. I’d always thought I had to use something like that, but it’s only because I never actually had access to 4.3 back then, nor did I ever try to see if I could just get it to work….

      It’s more of a wow it really could have worked.

Leave a Reply