syslog-ng loghost

Started by mbr89, November 09, 2021, 04:33:24 PM

November 09, 2021, 04:33:24 PM Last Edit: November 12, 2021, 11:17:47 PM by mbr89
How do I make the syslog-ng reachable in the network ?

/usr/local/etc/syslog-ng.conf.d/loghost.conf:


source s_loghost
{
   syslog(
        ip("127.0.0.1")
        transport("udp")
        max-connections(8)
      );
};

filter f_all
{
      level(debug..emerg) and not (program("devd") and level(debug..info));
};

destination d_host_daily
{
   file("/media/log/$HOST.$WEEKDAY.log"
      owner(root) group(wheel) perm(0600) dir_perm(0750) create_dirs(yes)
      template("$FULLDATE: $HOST ($FACILITY/$LEVEL) [$PROGRAM] $MSGONLY\n")
      template_escape(no)
      overwrite_if_older(514800) # overwrite if older than 6 days minus 1 hour
   );
};

log
{
   source(s_loghost);
   filter(f_all);
   destination(d_host_daily);
};


/media/log -> Kingston 240GB SATA
/               -> Kingston KC600 256 GB mSATA

/usr/local/etc/syslog-ng.conf:


@version:3.34
@include "scl.conf"

#
# options
#
options {
    keep_hostname(yes);
    use_fqdn(yes);
    chain_hostnames(off);
    flush_lines(0);
    threaded(yes);
    create_dirs(yes);
};

source s_all {
    internal();
    unix-dgram("/var/run/log" flags(syslog-protocol));
    unix-dgram("/var/run/logpriv" perm(0600) flags(syslog-protocol));
    unix-dgram("/var/dhcpd/var/run/log" dir_perm(0755) flags(syslog-protocol));
    unix-dgram("/var/unbound/var/run/log" dir_perm(0755) flags(syslog-protocol));
};

@include "/usr/local/etc/syslog-ng.conf.d/*.conf"

November 12, 2021, 09:58:59 PM #2 Last Edit: November 12, 2021, 10:58:49 PM by mbr89
root@zero:/media/log # netstat | grep syslog
udp4       0      0 localhost.syslog       *.*
fffff8000e4c5a00 stream      0      0 fffff800c34421e0                0                0                0 /var/db/syslog-ng.ctl

I don't understand anything but very interesting ;)

November 13, 2021, 11:17:12 PM #4 Last Edit: November 13, 2021, 11:18:56 PM by mbr89
@Frigh: I'm trying to get a loghost with syslog-ng running on my opnsense.

So I created a new configuration (loghost.conf) under /usr/local/etc/syslog-ng.conf.d

In theory it should work (I quickly checked it on a test VM - it works).
What doesn't work for you?

Quote: ip("127.0.0.1")
Not sure about this. Maybe just
   syslog( transport("udp") max-connections(8) ); ?

Without

Quote: ip("127.0.0.1")

It is not showing up in netstat -> udp4       0      0 localhost.syslog       *.*

November 14, 2021, 12:33:54 PM #7 Last Edit: November 14, 2021, 12:35:49 PM by mbr89
What do I have to set in the firewall rules ?

UDP port 514 should be open (via "Default allow LAN to any rule" or other rule suitable for your network configuration)

If syslog is bound to 127.0.0.1 only, that port 514 firewall rule still won't get you anywhere. You need syslog listening on the interface you want to send log data to.

Why do you want other hosts to send logging to OPNsense? Regularly people do it the other way round. There is no interface to manage a complex "loghost" on the OPNsense appliance.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
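An added example in sh, not from the thread, for the two points above: it classifies where the UDP syslog listener is bound from netstat output (the loopback-only line from the earlier post is reproduced as constructed input) and rewrites the loopback `ip()` binding in the posted source block to a LAN address. The address 192.168.1.1 is an assumed placeholder for the OPNsense LAN interface.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense/syslog-ng.
# Assumes a loghost.conf like the one posted above and a LAN address of
# 192.168.1.1 (placeholder; substitute your own LAN interface address).

# Constructed samples: the loopback-only line seen in the post's netstat
# output, and the line a LAN-bound listener would produce instead.
NETSTAT_LOOPBACK='udp4       0      0 localhost.syslog       *.*'
NETSTAT_LAN='udp4       0      0 192.168.1.1.syslog     *.*'

# syslog_bind_scope: reads FreeBSD-style netstat output on stdin and prints
# where the UDP syslog listener is bound:
#   loopback - only 127.0.0.1/::1, unreachable from other hosts
#   any      - every interface, including WAN if no firewall rule blocks it
#   address  - one specific interface address (what a LAN loghost wants)
#   none     - no UDP syslog listener at all
syslog_bind_scope() {
  awk '
    $1 ~ /^udp/ && $4 ~ /\.syslog$/ {
      addr = $4; sub(/\.syslog$/, "", addr); found = 1
      if (addr == "localhost" || addr == "127.0.0.1" || addr == "::1")
        print "loopback"
      else if (addr == "*")
        print "any"
      else
        print "address"
      exit
    }
    END { if (!found) print "none" }
  '
}

# rebind_syslog_source: rewrites ip("127.0.0.1") in a syslog-ng source block
# read from stdin to the given LAN address. Binding to the LAN address keeps
# the listener reachable for LAN clients without exposing UDP 514 on every
# interface the way ip("0.0.0.0") would; a LAN firewall rule for UDP 514 to
# the firewall itself is still needed.
rebind_syslog_source() {
  sed "s/ip(\"127\.0\.0\.1\")/ip(\"$1\")/"
}

# Stand-alone usage: check the running listener, then fix the config file.
#   netstat -an | syslog_bind_scope
#   rebind_syslog_source 192.168.1.1 < /usr/local/etc/syslog-ng.conf.d/loghost.conf
```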

@pmhausen

What would your recommendation be for a system that only serves 8 devices?

What do you mean? Your OPNsense is serving only 8 clients? OK. And why should those clients send logging information to OPNsense?

November 16, 2021, 12:50:47 PM #12 Last Edit: November 16, 2021, 12:53:13 PM by mbr89
The syslog-ng loghost on the OPNsense would serve 8 syslog clients ...

Do I really need another machine for a syslog loghost? ... for serving 8 clients

If you want a supported configuration, yes. If you insist on messing with a firewall appliance in unsupported ways, no ;)
A loghost could be a Raspberry Pi ....

What sort of systems are your syslog clients? Just curious ...

3 WLAN APs
1 APC UPS
2 Switches
2 DECT APs