Remote syslog(3) clients

Hello,

I have been using one of my FreeBSD boxes as a logging server using syslog(3).

The server is at 10.10.10.243. Recording log output from the client, a pfSense router at 10.10.10.2, has been working; it is recorded to the designated file by 10.10.10.243.

I would like to capture log output from another pfSense router which is at 10.10.11.1 to the same logging server, 10.10.10.243.

The networks 10.10.10.0/24 and 10.10.11.0/24 are connected via IPsec. I have verified with tcpdump(1) that packets from 10.10.11.1 do arrive to 10.10.10.243, but there are no entries in the designated log file.

It seems that my /etc/syslog.conf is wrong.

In /etc/rc.conf I have:

Code:
syslogd_enable="YES"
syslogd_flags="-a 10.10.10.2 -a 10.10.11.0/24 -vv"

In /etc/syslog.conf I have:

Code:
#    Consult the syslog.conf(5) manpage.
+10.10.11.0/24
*.*                        /var/log/pfsense_gwl.log
-10.10.11.0/24
+10.10.10.2
*.*                        /var/log/pfsense_gww.log
-10.10.10.2
*.err;kern.warning;auth.notice;mail.crit        /dev/console

Some messages from 10.10.11.1 are recorded by 10.10.10.243 in /var/log/messages:

Code:
Jun 10 22:15:48 <daemon.err> 10.10.11.1 php-fpm[82706]: /diag_packet_capture.php: Session timed out for user 'admin' from: 71.112.238.245
Jun 10 22:16:01 <auth.emerg> 10.10.11.1 php-fpm[82706]: /diag_packet_capture.php: Successful login for user 'admin' from: 71.112.238.245
Jun 10 23:31:51 <user.notice> 10.10.11.1 admin: gwl-test

However, nothing is recorded in /var/log/pfsense_gwl.log, and there are no "filterlog" messages in either /var/log/messages or /var/log/pfsense_gwl.log.

Would you please suggest how to configure /etc/syslog.conf so messages from 10.10.11.1 are recorded in /var/log/pfsense_gwl.log?
 
Off the top of my head, your problem lies mostly in the -10.10.11.0/24 entries; also see syslog.conf(5). See, those entries are not the opposite (or 'negation') of "+10.10.11.0/24".

Also: I would suggest using # as well to keep things a bit clearer, but that's just an optional detail.

First: Syslog expects a hostname, not an IP address. What I mean by that is that it literally treats 10.10.11.1 as a name. That's why your subnet mask doesn't work: there is no such hostname in use. All Syslog will notice is that 10.10.11.0/24 doesn't correspond to any name. As such I suggest using only the names, i.e. the literal IP addresses, and not trying to set up selection with masks.

Second, as already hinted at above, if you want to reset the filter then use an asterisk (*); don't try to "negate" things, because that's not how this works. What you basically did was tell syslog that it should only log entries from one specific host, and after that you tightened the filter by stating that it should now log everything but that host. The only problem was that the only entries being processed at that point were from that one specific host. As such, nothing else got logged or processed from that point on.

So, at the start use this instead:

Code:
#+10.10.10.2
*.*                        /var/log/pfsense_gww.log
#*
#+10.10.11.1
*.*                        /var/log/pfsense_gwl.log
#*
*.err;kern.warning;auth.notice;mail.crit        /dev/console

....followed by the rest of the config file.

That should keep things neatly separated.
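As an added illustration (my own code, not from the thread or from syslogd), here is a small Python model of how the +host / -host / * blocks in syslog.conf(5) gate the rules that follow them, run over both the asker's config and the suggested one. It assumes hostnames are compared as literal strings and that each host spec replaces the previous one (my reading of the manpage); only the *.* lines are modelled, the console line is left out.

```python
# Constructed copies of the two configs from the thread, '*.*' rules only.
ASKER_CONF = """\
+10.10.11.0/24
*.*   /var/log/pfsense_gwl.log
-10.10.11.0/24
+10.10.10.2
*.*   /var/log/pfsense_gww.log
-10.10.10.2
"""
FIXED_CONF = """\
#+10.10.10.2
*.*   /var/log/pfsense_gww.log
#*
#+10.10.11.1
*.*   /var/log/pfsense_gwl.log
#*
"""

def parse_conf(text):
    """Return [(host_spec, dest)] for each '*.*' rule.

    host_spec is None (no restriction) or (sign, name) from the most recent
    +/-/* line. Assumption: each spec replaces the previous one; '*' resets.
    """
    rules, host = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            if line[1:2] not in ("+", "-", "*"):
                continue                      # ordinary comment
            line = line[1:]                   # '#+host', '#-host', '#*' are host specs
        if not line:
            continue
        if line == "*":
            host = None
        elif line[0] in "+-":
            host = (line[0], line[1:].strip())  # kept literally, e.g. '10.10.11.0/24'
        else:
            selector, dest = line.split()
            if selector == "*.*":
                rules.append((host, dest))
    return rules

def route(rules, msg_host):
    """Destinations a message whose recorded hostname is msg_host is written to."""
    out = []
    for host, dest in rules:
        if host is None or (host[0] == "+" and host[1] == msg_host) \
                or (host[0] == "-" and host[1] != msg_host):
            out.append(dest)      # '10.10.11.0/24' never equals '10.10.11.1'
    return out
```

With the asker's config a message from 10.10.11.1 matches no rule at all, while the suggested config sends it to /var/log/pfsense_gwl.log and keeps 10.10.10.2 in /var/log/pfsense_gww.log.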
 