Remote logging

B

balanga

I'm trying to get remote logging configured using this guide but can't get it to work...

Is there a minimal /etc/syslog.conf I can use for remote logging, ie to send everything to to the remote loghost so that I can see that I have the client configured properly?
 
unitrunker said:
Section 11.7.3
www.freebsd.org

Chapter 14. Configuration, Services, Logging and Power Management

This chapter explains much of the FreeBSD configuration files, how to enable or disable a service, how to configure the logging system and the power management area.
www.freebsd.org www.freebsd.org
Click to expand...

I have already read that among other docs but can't make it work...

I have included the following line in the local /etc/syslog.conf:

*.*<---><------><------><------><------><------>@192.168.1.32

The following is in /etc/rc.conf:

syslogd_enable="YES" syslogd_flags="-d -s -v -v"

One problem I have is that I'm unable to start syslogd.
 
How did you configure the log server, and if present, local DNS server, if not present, /etc/hosts on each system? Is there a firewall?

balanga said:
syslogd_enable="YES"
Click to expand...
balanga said:
One problem I have is that I'm unable to start syslogd.
Click to expand...
No need to, the handbook is not up to date, syslogd(8) is enabled by default in /etc/defaults/rc.conf, running in the background. You can see in /var/log what is all logged.

[EDIT] After making changes to /etc/syslog.conf syslogd needs to be restarted.
 
I think I had problems starting the server because of my syslogd flags. Using '-d' created streams of output which I was unable to capture and could only stop by using C-A-D.

I wasn't aware of /etc/defaults/rc.conf starting syslogd - thanks for pointing that out.

I don't use any hostnames, I'm assuming I can just use IP adresses...

It seems simple enough in theory. As I understand it, I only need so specify the appropriate syslogd_flags on client and server, as well as adjusting /etc/syslog.conf on both to enable client-server logging.

Am I correct in: ?

Client:
syslogd_flags="-s -vv"
Server:
syslogd_flags="-a 192.168.1.61 -vv"
 
Are you sure that the client doesn't send out syslog messages?
Isn't it possible that the server drops messages sent by the client?
Running something like 'tcpdump -vln -i em0 udp and port 514' on both client/server would help confirm this.

According to the syslogd(8) man page, "-a 192.168.1.61" means "-a 192.168.1.0/24:514".
As my hosts use both IPv4 and IPv6, I setup my log server like:
syslogd_flags="-a 192.168.1.1/32:* -a [2001:db8:1:1::1]/128:*"
 
balanga said:
I don't use any hostnames, I'm assuming I can just use IP adresses...
Click to expand...

The handbook clearly states:
Rich (BB code): 
11.7.3.1. Log Server Configuration

A log server is a system that has been configured to accept logging
information from other hosts. Before configuring a log server, check the following:

If there is a firewall between the logging server and any logging clients, ensure
that the firewall ruleset allows UDP port 514 for both the clients and the server.

The logging server and all client machines must have forward and
reverse entries in the local DNS. If the network does not have a DNS
server, create entries in each system's /etc/hosts. Proper name
resolution is required so that log entries are not rejected by the logging server.
 
Many thanks. I had read that, but misunderstood for some reason. I finally got DNS working properly on my pfSense box by reading this article. I didn't fancy maintaining /etc/hosts everywhere :).

A few things still need to be resolved. I'm still not sure about the required syslogd_flags. Also, if I have numerous clients, is there an alternative to having every client concatenated into a long syslogd_flags line containing dozens of '-a client1 -a client2 ..... -a clientx' entries?

Also should I expect all the log msgs to be output to the system console (ttyv0) on the loghost?
 
balanga said:
Also, if I have numerous clients, is there an alternative to having every client concatenated into a long syslogd_flags line containing dozens of '-a client1 -a client2 ..... -a clientx' entries?
Click to expand...
You can use netblock addresses instead of individual IP addresses.
ex:
syslogd_flags=" -a 192.168.1.0", (or 192.168.1.0/24)

balanga said:
Also should I expect all the log msgs to be output to the system console (ttyv0) on the loghost?
Click to expand...
Not unless you have it configured to do so.
 
Thanks for the tips, I have it working now. I did need to comment out this default line in /etc/syslogd.conf to stop output to the loghost's console:-
*.err;kern.warning;auth.notice;mail.crit<------><------>/dev/console

This does work normally, but when the loghost is in a FreeNAS jail it doesn't. Looks like the jail needs its networking configuration changing to work....
 
You must log in or register to reply here.
Back
Top