Date:      Tue, 17 Sep 2024 15:36:41 +0100
From:      Bob Bishop <rb@gid.co.uk>
To:        fuxjez <mail@osfux.nl>
Cc:        "freebsd-stable@freebsd.org" <freebsd-stable@FreeBSD.org>
Subject:   Re: issues with syslogd include redirecting wg0 output to custom location
Message-ID:  <82DA970E-36C5-4151-937B-F119D43484AB@gid.co.uk>
In-Reply-To: <f1eb51eb-6934-4717-bca5-31f24a6988d1@osfux.nl>
References:  <f1eb51eb-6934-4717-bca5-31f24a6988d1@osfux.nl>

Hi,

> On 17 Sep 2024, at 12:06, fuxjez <mail@osfux.nl> wrote:
>
> Hi,
>
> I'm experimenting with FreeBSD 14.1's wireguard implementation.
>
> So far I've been quite satisfied with using it locally (over an
> unsecured network). I would like to set up a PoC using wg as a VPN
> provider (replacing openvpn) next.
>
> Before opening wireguard endpoints up for global connectivity I would
> like wireguard logs to be parsed by something like Fail2ban (so I can
> have pf ward off baddies). I've managed to get wireguard's logs into
> /var/log/messages by issuing:
>
> /sbin/ifconfig wg0 debug
>
> Since they are quite verbose and are polluting /var/log/messages, I'd
> like for them to land in /var/ramdisk_log/wireguard.log instead. I've
> instructed newsyslog to create the logfile:
>
> [root@system:/]# cat /var/ramdisk_log/wireguard.log
> Sep 17 00:27:36 system newsyslog[55203]: logfile first created
> [root@system:/]# ls -laht  /var/ramdisk_log/wireguard.log
> -rw-rw----  1 root wheel   66B Sep 17 00:27 /var/ramdisk_log/wireguard.log
> [root@system:/]#
>
> and have since attempted to redirect the "wg0" logs to
> /var/ramdisk_log/wireguard.log by using these syslog includes:
>
> :msg, contains, ".*wg0: .*"
> *.*                                /var/ramdisk_log/wireguard.log

I think the value for “contains” has to be a simple string

> and
>=20
> :msg, regex, "wg[0-9]{1,2}\:\ "
> *.*                                /var/ramdisk_log/wireguard.log

regex uses a basic RE so it would have to be "wg[0-9]\{1,2\}\:\ "

(i.e. escape the { }); or if you want an extended (modern) RE:

:msg, ereregex, "wg[0-9]{1,2}\:\ "

>
> Unfortunately, the includes are not redirecting the wg0 logs to my
> preferred location (the includes are placed in
> /etc/syslog.d/wireguard.conf which is parsed by syslogd) and I'm out of
> ideas / logs on how to further troubleshoot why the logstream doesn't
> get redirected :(
>
> I'm hoping somebody - a little better versed in syslog - could provide
> me with some insights / pointers...
>
> Feedback appreciated!
>
> ruben
>

--
Bob Bishop
rb@gid.co.uk
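To see which of the filter forms discussed in this thread actually select a wg0 line before putting one into /etc/syslog.d/wireguard.conf, here is an added example (not code from the thread or from FreeBSD's syslogd) that emulates the contains, regex and ereregex operators of syslog.conf(5) with grep's fixed-string, basic-RE and extended-RE modes. It assumes those grep dialects match the regcomp(3) dialects syslogd uses, drops the unnecessary `\:` and `\ ` escapes from the thread's pattern (colon and space are not RE metacharacters), and uses constructed sample messages; only the output path is taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: emulate the three syslog.conf(5)
# property-filter operators (contains / regex / ereregex) with grep so that a
# filter can be checked against sample lines before it goes into
# /etc/syslog.d/wireguard.conf. Assumption: grep's default dialect is BRE and
# `grep -E` is ERE, the same split syslogd makes between regex and ereregex.

# Constructed sample :msg bodies (wg0 debug style), not real log output.
MSG_WG0='wg0: Handshake for peer 3 (203.0.113.10:51820) did not complete, retrying'
MSG_WG12='wg12: Sending handshake initiation to peer 1 (198.51.100.7:51820)'
MSG_OTHER='sshd[1234]: Connection closed by 192.0.2.5 port 40000'

# syslog_match OPERATOR PATTERN MESSAGE -> exit 0 if the filter selects MESSAGE
syslog_match() {
    case $1 in
        contains) printf '%s\n' "$3" | grep -qF -e "$2" ;;   # literal substring
        regex)    printf '%s\n' "$3" | grep -q  -e "$2" ;;   # basic RE
        ereregex) printf '%s\n' "$3" | grep -qE -e "$2" ;;   # extended RE
        *) echo "unknown operator: $1" >&2; return 2 ;;
    esac
}

# selected OPERATOR PATTERN -> names of the sample messages the filter selects
selected() {
    out=""
    syslog_match "$1" "$2" "$MSG_WG0"   && out="$out wg0"
    syslog_match "$1" "$2" "$MSG_WG12"  && out="$out wg12"
    syslog_match "$1" "$2" "$MSG_OTHER" && out="$out other"
    printf '%s\n' "${out# }"
}

# wg_fragment OPERATOR PATTERN -> the two-line syslog.d entry for that filter
wg_fragment() {
    printf ':msg, %s, "%s"\n*.*\t\t\t\t/var/ramdisk_log/wireguard.log\n' "$1" "$2"
}

# Demo: the thread's {1,2} pattern only works as ERE, or as BRE with \{1,2\}.
echo "contains 'wg0: '             -> $(selected contains 'wg0: ')"
echo "regex    'wg[0-9]{1,2}: '    -> $(selected regex 'wg[0-9]{1,2}: ')"
echo "regex    'wg[0-9]\{1,2\}: '  -> $(selected regex 'wg[0-9]\{1,2\}: ')"
echo "ereregex 'wg[0-9]{1,2}: '    -> $(selected ereregex 'wg[0-9]{1,2}: ')"
wg_fragment ereregex 'wg[0-9]{1,2}: '
```

Note that a plain `contains, "wg0: "` only catches the one interface, while the BRE form with unescaped braces selects nothing at all, which would look exactly like the silent failure described in the question.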