Saturday, 26 September 2009

HOWTO: Send SYSLOG messages to FreeBSD

When you try to send SYSLOG messages for storage on a FreeBSD 7 server, the odds are that your messages won't appear in your log file on the first attempt.  You need to get several things right...


1. Syslogd needs to be started with the '-n' flag to suppress reverse DNS lookups every time a message comes in. Apart from being a stupid waste of time, these checks fail unless the RDNS lookup succeeds, and exactly matches a hostname in syslog.conf.

2. Syslogd needs to be started with '-a 192.168.1.42/32' (to accept messages from a single sender) or '-a 192.168.1.0/24' (to accept from a whole subnet). Or you can give the -a flag several times. The easiest way to set up the flags is to give them in /etc/rc.conf , for example:

syslogd_flags="-n -a 192.168.99.7/32:* -a 1.2.3.4/28:*" # Log from Firewall and DMZ


3. Your /etc/syslog.conf file needs to include this magic syntax, right up the top before all your normal rules:-


+192.168.99.7
*.* /var/log/firewall.log
+*


+@


4. The log file needs to exist before syslogd is restarted, and it needs to have the right permissions. So you'll need something like:-


touch /var/log/firewall.log
chown root /var/log/firewall.log
chmod 0600 /var/log/firewall.log

Hope this helps someone...

No comments:

Post a comment

Spammers: please stop wasting my time. All comments are moderated before publication.