# Remote logging



## balanga (Nov 15, 2019)

I'm trying to get remote logging configured using this guide but can't get it to work...

Is there a minimal /etc/syslog.conf I can use for remote logging, ie to send everything to to the remote loghost so that I can see that I have the client configured properly?


----------



## unitrunker (Nov 15, 2019)

Section 11.7.3








						Chapter 13. Configuration and Tuning
					

This chapter explains much of the FreeBSD configuration process, including some of the parameters which can be set to tune a FreeBSD system.




					www.freebsd.org


----------



## balanga (Nov 15, 2019)

unitrunker said:


> Section 11.7.3
> 
> 
> 
> ...



I have already read that among other docs but can't make it work...

I have included the following line in the local /etc/syslog.conf:

`*.*<---><------><------><------><------><------>@192.168.1.32`

The following is in /etc/rc.conf:

`syslogd_enable="YES"
syslogd_flags="-d -s -v -v"`

One problem I have is that I'm unable to start syslogd.


----------



## T-Daemon (Nov 15, 2019)

How did you configure the log server, and if present, local DNS server, if not present, /etc/hosts on each system? Is there a firewall?



balanga said:


> syslogd_enable="YES"





balanga said:


> One problem I have is that I'm unable to start syslogd.


No need to, the handbook is not up to date, syslogd(8) is enabled by default in /etc/defaults/rc.conf, running in the background. You can see in /var/log what is all logged.

[EDIT] After making changes to /etc/syslog.conf syslogd needs to be restarted.


----------



## balanga (Nov 15, 2019)

I think I had problems starting the server because of my syslogd flags. Using '-d' created streams of output which I was unable to capture and could only stop by using C-A-D.

I wasn't aware of /etc/defaults/rc.conf starting syslogd - thanks for pointing that out.

I don't use any hostnames, I'm assuming I can just use IP adresses...

It seems simple enough in theory. As I understand it, I only need so specify the appropriate syslogd_flags on client and server, as well as adjusting /etc/syslog.conf on both to enable client-server logging.

Am I correct in: ? 

Client:
syslogd_flags="-s -vv"
Server:
syslogd_flags="-a  192.168.1.61 -vv"


----------



## genneko (Nov 15, 2019)

Are you sure that the client doesn't send out syslog messages?
Isn't it possible that the server drops messages sent by the client?
Running something like 'tcpdump -vln -i em0 udp and port 514' on both client/server would help confirm this.

According to the syslogd(8) man page, "-a 192.168.1.61" means "-a 192.168.1.0/24:514".
As my hosts use both IPv4 and IPv6, I setup my log server like:
syslogd_flags="-a 192.168.1.1/32:* -a [2001:db8:1:1::1]/128:*"


----------



## T-Daemon (Nov 15, 2019)

balanga said:


> I don't use any hostnames, I'm assuming I can just use IP adresses...



The handbook clearly states:

```
11.7.3.1. Log Server Configuration

A log server is a system that has been configured to accept logging
information from other hosts. Before configuring a log server, check the following:

If there is a firewall between the logging server and any logging clients, ensure
that the firewall ruleset allows UDP port 514 for both the clients and the server.

*The logging server and all client machines must have forward and
reverse entries in the local DNS. If the network does not have a DNS
server, create entries in each system's /etc/hosts. Proper name
resolution is required so that log entries are not rejected by the logging server.*
```


----------



## balanga (Nov 16, 2019)

Many thanks. I had read that, but misunderstood for some reason. I finally got DNS working properly on my pfSense box by reading this article. I didn't fancy maintaining /etc/hosts everywhere .

A few things still need to be resolved. I'm still not sure about the required syslogd_flags. Also, if I have numerous clients, is there an alternative to having every client concatenated into a long syslogd_flags line containing dozens of '-a client1 -a client2 ..... -a clientx' entries? 

Also should I expect all the log msgs to be output to the system console (ttyv0) on the loghost?


----------



## T-Daemon (Nov 17, 2019)

balanga said:


> Also, if I have numerous clients, is there an alternative to having every client concatenated into a long syslogd_flags line containing dozens of '-a client1 -a client2 ..... -a clientx' entries?


You can use netblock addresses instead of individual IP addresses. 
ex:
`syslogd_flags=" -a  192.168.1.0"`, (or `192.168.1.0/24`)



balanga said:


> Also should I expect all the log msgs to be output to the system console (ttyv0) on the loghost?


Not unless you have it configured to do so.


----------



## balanga (Nov 18, 2019)

Thanks for the tips, I have it working now. I did need to comment out this default line in /etc/syslogd.conf to stop output to the loghost's console:-
`*.err;kern.warning;auth.notice;mail.crit<------><------>/dev/console`

This does work normally, but when the loghost is in a FreeNAS jail it doesn't. Looks like the jail needs its networking configuration changing to work....


----------

