After my latest installment, M0n0wall, I wanted its logs sent to a centralized syslog server, since it keeps it logs in RAM which are cleared whenever it’s restarted. Since I am already running FreeBSD 7.2 as a server on my network, I went ahead and started to set up syslogging on it. FreeBSD comes with syslogd enabled, so usually it’s just a matter of configuring it correctly. There are two files that must be in order for syslogging to work, /etc/rc.conf and /etc/syslog.conf. First of all, make sure rc.conf contains these lines:
syslogd_flags="-a 192.168.0.1/24:* -vv"
The ‘-a’ option tells syslogd to accept incoming syslog messages from host 220.127.116.11 which belongs to a /24 subnet (255.255.255.0). ‘:*’ means that it accepts syslog message from any port from that host. Omitting ‘:*’ means that it only accepts messages from UDP port 514 (standard syslog port). Depending on the syslog implentation of the client, it may be necessary to include ‘:*’. ‘-vv’ only indicates verbose logging, which is completely optional. Another option which might be handy during debugging syslog, is ‘-d’ and it logs everything to console and does not daemonise syslogd. The next file to configure is syslog.conf and I added the following statements at the end of it:
‘+fafner’ is the hostname of the client (if in doubt, start syslogd with the ‘-d’ option and see what name sends the syslog message to the server). The following line logs everything, all facilities such as auth, daemon, mail etc and all levels (ranging from debug to emerg) to /var/log/fafner.log. One of the snags I hit when trying to enable syslogging correctly, was that everything from my firewall (fafner) was logged both in /var/log/fafner.log as well as in /var/log/message which is the standard log file for the notice level. The fix was to add ‘+grendel’ to the beginning, which is the server’s host name. Beacuse, in the standard syslog.conf it is implicitely assumed that syslogd only has to process its own logs (not specifying a ‘+<host>’ line means that all processed syslog messages matching the facility and level are sent to that logfile). By explicitely adding the hostnames, every message from my server is logged below the ‘+grendel’ line and everything from my firewall is logged below the ‘+fafner’ line. Here’s my syslog.conf in full:
Finally, to restart syslogd just type ‘/etc/rc.d/syslogd restart’. ‘man syslogd’ and ‘man syslog.conf’ have much more in-depth descriptions of how syslog works, so make sure to check them out as well!