OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: PotatoCarl on April 17, 2020, 03:18:25 pm

Title: syslog and syslog-ng
Post by: PotatoCarl on April 17, 2020, 03:18:25 pm
Hi
I have remote-syslogged OPNsense for a considerable time. Some time ago, that server died. I did not check up on OPNsense and now ended up with the current 20.1 branch. I found in the logs that the old (dead and gone) server could not be reached (surprisingly, yes).
Now I wanted to set up a new recipient server for syslog, but
- I am not sure where to set it up (System-Logging-Target?) [and this section is empty at this time]
- I do not know how to delete the old settings
- I have to remove the package syslogd manually, as I now have both syslogd and syslog-ng installed

The manual did not enlighten me, so could anyone help here?
Thank you.
Title: Re: syslog and syslog-ng
Post by: PotatoCarl on April 17, 2020, 03:20:42 pm
And... I do not have syslogd on any potential receiving server, but only systemd-journald. Can I use that also?
Thank you.
Title: Re: syslog and syslog-ng
Post by: shadesh on April 17, 2020, 03:32:40 pm
Should be listed there, look at the screenshot.
Btw. syslog-ng is for remote-logging and syslog for local logging.
Title: Re: syslog and syslog-ng
Post by: shadesh on April 17, 2020, 03:40:19 pm
And... I do not have syslogd on any potential receiving server, but only systemd-journald. Can I use that also?
Thank you.

Don't think so... you need at least rsyslogd or syslogd installed and configured to receive logs from remote devices.
Title: Re: syslog and syslog-ng
Post by: adiz0r on April 18, 2020, 11:33:39 am
And... I do not have syslogd on any potential receiving server, but only systemd-journald. Can I use that also?
Thank you.

http://man7.org/linux/man-pages/man8/systemd-journald.service.8.html

It cannot receive remote logs, but can forward its own journal to syslog.

Just install syslog-ng on a *nix OS of your choice and forward everything to it on port 514. Here's a quick example snippet you can use on the receiving side:

# Listen on port 514 for both transports: network() defaults to TCP,
# the second line adds a UDP listener on the same port.
source s_network {
    network(port(514));
    network(port(514) transport("udp"));
};

# One line per message: ISO timestamp, sender, facility.level, program[pid]: text
template t_remote {
    template("${ISODATE} ${HOST} ${FACILITY}.${LEVEL} ${MSGHDR}${MSG}\n");
};

# One file per sender IP and month, written with the template above
destination d_networkhost { file("/var/log/host-${SOURCEIP}_${YEAR}${MONTH}.log" template(t_remote)); };

log { source(s_network); destination(d_networkhost); };

It'll create a listener on both UDP/TCP port 514 and store the incoming logs at /var/log/host-A.B.C.D_YYYYMM.log for each host. I use ZFS with compression on my loghost, so I do not rotate+compress any logs from a cron job.
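Once the loghost is writing those per-host files, the next question is how to read them back. The following is an added example, not code from this thread: a small Python parser for the exact line format the t_remote template above produces, with constructed sample lines (the hostname, PIDs and messages are made up) and a per-host severity count that makes a burst of warnings or an unexpected sender stand out.

```python
"""Parse files written by the t_remote template in the post above (assumed line
format "${ISODATE} ${HOST} ${FACILITY}.${LEVEL} ${MSGHDR}${MSG}") and summarise
them per host and severity. Added example, not code from the thread."""
import re
from collections import Counter

# One template line. syslog-ng's MSGHDR is "program[pid]: "; it is absent when
# the sender supplied no program name, so that part of the pattern is optional.
# Caveat: a header-less message that itself starts with "word: " is then read
# as a program name; the template format does not let a parser tell them apart.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>[a-z0-9]+)\.(?P<level>[a-z]+) "
    r"(?:(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: )?(?P<msg>.*)$"
)

# Constructed sample lines in the shape that template writes (not real logs).
SAMPLE_LINES = [
    "2020-04-18T11:33:39+02:00 fw01 auth.info sshd[4242]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2",
    "2020-04-18T11:33:41+02:00 fw01 daemon.notice filterlog[71344]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.5,44321,22",
    "2020-04-18T11:34:02+02:00 fw01 auth.warning sshd[4250]: Failed password for invalid user test from 198.51.100.7 port 50122 ssh2",
    "2020-04-18T11:35:10+02:00 fw01 syslog.err syslog-ng[1200]: remote log host 192.0.2.50 unreachable (constructed text)",
    "2020-04-18T11:36:00+02:00 fw01 kern.info link state changed to UP on igb1",
    "garbage line that does not match the template",
]


def parse_line(line):
    """Return the fields of one line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def parse_lines(lines):
    """Parse every line that matches; non-matching lines are skipped, not guessed."""
    return [rec for rec in map(parse_line, lines) if rec is not None]


def severity_summary(records):
    """Count records per (host, facility.level): a flood from one host or a
    burst of err/warning entries then stands out immediately."""
    return Counter((r["host"], f"{r['facility']}.{r['level']}") for r in records)


if __name__ == "__main__":
    for (host, sev), n in sorted(severity_summary(parse_lines(SAMPLE_LINES)).items()):
        print(f"{host:<6} {sev:<16} {n}")
```

Point `parse_lines` at the lines of a real `/var/log/host-A.B.C.D_YYYYMM.log` file to get the same summary for a month of a given sender.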