OPNsense Forum
English Forums => Tutorials and FAQs => Topic started by: mbr89 on November 09, 2021, 04:33:24 pm
-
How do I make syslog-ng reachable on the network?
/usr/local/etc/syslog-ng.conf.d/loghost.conf:
source s_loghost
{
syslog(
ip("127.0.0.1")
transport("udp")
max-connections(8)
);
};
filter f_all
{
level(debug..emerg) and not (program("devd") and level(debug..info));
};
destination d_host_daily
{
file("/media/log/$HOST.$WEEKDAY.log"
owner(root) group(wheel) perm(0600) dir_perm(0750) create_dirs(yes)
template("$FULLDATE: $HOST ($FACILITY/$LEVEL) [$PROGRAM] $MSGONLY\n")
template_escape(no)
overwrite_if_older(514800) # overwrite if older than 6 days minus 1 hour
);
};
log
{
source(s_loghost);
filter(f_all);
destination(d_host_daily);
};
/media/log -> Kingston 240GB SATA
/ -> Kingston KC600 256 GB mSATA
-
/usr/local/etc/syslog-ng.conf:
@version:3.34
@include "scl.conf"
#
# options
#
options {
keep_hostname(yes);
use_fqdn(yes);
chain_hostnames(off);
flush_lines(0);
threaded(yes);
create_dirs(yes);
};
source s_all {
internal();
unix-dgram("/var/run/log" flags(syslog-protocol));
unix-dgram("/var/run/logpriv" perm(0600) flags(syslog-protocol));
unix-dgram("/var/dhcpd/var/run/log" dir_perm(0755) flags(syslog-protocol));
unix-dgram("/var/unbound/var/run/log" dir_perm(0755) flags(syslog-protocol));
};
@include "/usr/local/etc/syslog-ng.conf.d/*.conf"
-
root@zero:/media/log # netstat | grep syslog
udp4 0 0 localhost.syslog *.*
fffff8000e4c5a00 stream 0 0 fffff800c34421e0 0 0 0 /var/db/syslog-ng.ctl
-
I don't understand anything but very interesting ;)
-
@Frigh: I'm trying to get a loghost with syslog-ng running on my OPNsense.
So I created a new configuration (loghost.conf) under /usr/local/etc/syslog-ng.conf.d
-
In theory it should work (I quickly checked it on a test VM; it works).
What doesn't work for you?
ip("127.0.0.1")
(not sure about this)
maybe just
syslog( transport("udp") max-connections(8) ); ?
-
Without
ip("127.0.0.1")
it is not showing up in netstat -> udp4 0 0 localhost.syslog *.*
-
What do I have to set in the firewall rules?
-
UDP port 514 should be open (via the "Default allow LAN to any" rule or another rule suitable for your network configuration)
-
If syslog is bound to 127.0.0.1 only, that port 514 firewall rule still won't get you anywhere. You need syslog listening on the interface you want to send log data to.
Why do you want other hosts to send logging to OPNsense? Regularly people do it the other way round. There is no interface to manage a complex "loghost" on the OPNsense appliance.
-
@pmhausen
What would your recommendation be for a system that only serves 8 devices?
-
What do you mean? Your OPNsense is serving only 8 clients? OK. And why should those clients send logging information to OPNsense?
-
The syslog-ng loghost on the OPNsense would serve 8 syslog clients ...
Do I really need another machine for a syslog loghost? ... for serving 8 clients
-
If you want a supported configuration, yes. If you insist on messing with a firewall appliance in unsupported ways, no ;)
A loghost could be a Raspberry Pi ....
What sort of systems are your syslog clients? Just curious ...
-
3 WLAN APs
1 APC UPS
2 Switches
2 DECT APs
-
I see. So, caveats aside, our conversation started because I pointed out that with "ip(127.0.0.1)" in your config, the syslog server will not be reachable from the outside. That still stands. You probably need to change that to "ip(0.0.0.0)" if I read the syslog-ng docs correctly.
After restarting the syslog daemon you can check with
netstat -na | grep 514
if it is still listening on "127.0.0.1.514" only or if that changed to "*.514" as necessary to send log data to this host.
HTH,
Patrick
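To make the netstat check above repeatable, here is an added Python helper (not from this thread, OPNsense or syslog-ng) that parses FreeBSD netstat output lines and reports whether the UDP/514 listener is loopback-only or reachable from the LAN; the sample lines are constructed, not captured from a real host.

```python
# Added example (not from the thread or OPNsense): classify the bind address
# of a syslog-ng UDP/514 listener from FreeBSD `netstat -na` output lines.
import ipaddress

SYSLOG_PORT = 514

def split_endpoint(endpoint):
    """Split '127.0.0.1.514', '*.514' or 'localhost.syslog' into (host, port).
    FreeBSD puts a dot before the port, so only the last dot separates it."""
    host, _, port = endpoint.rpartition(".")
    if port.isdigit():
        return host, int(port)
    # plain `netstat` (no -n) shows the service name instead of 514
    return (host, SYSLOG_PORT) if port == "syslog" else (None, None)

def classify_bind(host):
    """'wildcard' (*), 'loopback-only', 'specific' (one interface) or 'unknown'."""
    if host == "*":
        return "wildcard"
    try:
        loopback = host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return "unknown"
    return "loopback-only" if loopback else "specific"

def syslog_listeners(netstat_lines):
    """Return (proto, host, classification) for every UDP socket bound to 514."""
    found = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("udp"):
            continue  # headers, TCP and unix-domain sockets are skipped
        host, port = split_endpoint(fields[3])
        if port == SYSLOG_PORT:
            found.append((fields[0], host, classify_bind(host)))
    return found

def lan_reachable(netstat_lines):
    """True if at least one UDP/514 listener is not bound to loopback."""
    return any(c in ("wildcard", "specific")
               for _, _, c in syslog_listeners(netstat_lines))

# Constructed sample: the loopback-only case the thread diagnoses (*.53 is a distractor).
SAMPLE_LOOPBACK = [
    "udp4       0      0 127.0.0.1.514          *.*",
    "udp4       0      0 *.53                   *.*",
]
# Constructed sample: after changing ip() to 0.0.0.0 and restarting syslog-ng.
SAMPLE_WILDCARD = ["udp4       0      0 *.514                  *.*"]
```

Feed it the real lines with `syslog_listeners(open("netstat.txt").read().splitlines())`; an empty result means nothing is bound to 514 at all.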
-
@mbr89
Without ip("127.0.0.1") it is not showing up in netstat
hm.
syslog( transport("udp") max-connections(8) );
is a tested and working source config line ("UDP source with defaults.")
(https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.33/administration-guide/26#TOPIC-1663252)
-
You can enable remote logging on syslog-ng like this:
Create a file /usr/local/etc/syslog-ng.conf.d/remote.conf with this:
source s_network {
network(
ip("192.168.1.1")
transport("udp")
);
};
destination d_syslog {
file("/var/log/syslog-ng/messages_${HOST}");
};
log { source(s_network); destination(d_syslog); };
# Create the directory
mkdir /var/log/syslog-ng
# Stop syslog-ng
pkill -f /usr/local/sbin/syslog-ng
# Start syslog-ng
/usr/local/sbin/syslog-ng -f /usr/local/etc/syslog-ng.conf -p /var/run/syslog-ng.pid
If you have a malicious client, it can hammer your drive, and too much activity will bog you down.