From: Bob Bishop
To: fuxjez
Cc: "freebsd-stable@freebsd.org"
Subject: Re: issues with syslogd include redirecting wg0 output to custom location
Date: Tue, 17 Sep 2024 15:36:41 +0100
Message-Id: <82DA970E-36C5-4151-937B-F119D43484AB@gid.co.uk>
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

Hi,

> On 17 Sep 2024, at 12:06, fuxjez wrote:
>
> Hi,
>
> I'm experimenting with FreeBSD 14.1's wireguard implementation.
>
> So far I've been quite satisfied with using it locally (over an unsecured network). I would like to set up a PoC using wg as a VPN provider (replacing openvpn) next.
>
> Before opening wireguard endpoints up for global connectivity I would like wireguard logs to be parsed by something like Fail2ban (so I can have pf ward off baddies). I've managed to get wireguard's logs into /var/log/messages by issuing:
>
> /sbin/ifconfig wg0 debug
>
> Since they are quite verbose and are polluting /var/log/messages, I'd like for them to land in /var/ramdisk_log/wireguard.log instead. I've instructed newsyslog to create the logfile:
>
> [root@system:/]# cat /var/ramdisk_log/wireguard.log
> Sep 17 00:27:36 system newsyslog[55203]: logfile first created
> [root@system:/]# ls -laht /var/ramdisk_log/wireguard.log
> -rw-rw---- 1 root wheel 66B Sep 17 00:27 /var/ramdisk_log/wireguard.log
> [root@system:/]#
>
> and have since attempted to redirect the "wg0" logs to /var/ramdisk_log/wireguard.log by using these syslog includes:
>
> :msg, contains, ".*wg0: .*"
> *.* /var/ramdisk_log/wireguard.log

I think the value for “contains” has to be a simple string

> and
>
> :msg, regex, "wg[0-9]{1,2}\:\ "
> *.* /var/ramdisk_log/wireguard.log

regex uses a basic RE so it would have to be "wg[0-9]\{1,2\}\:\ " (i.e. escape the { }); or if you want an extended (modern) RE:

:msg, ereregex, "wg[0-9]{1,2}\:\ "

>
> Unfortunately, the includes are not redirecting the wg0 logs to my preferred location (the includes are placed in /etc/syslog.d/wireguard.conf which is parsed by syslogd) and I'm out of ideas / logs on how to further troubleshoot why the logstream doesn't get redirected :(
>
> I'm hoping somebody - a little better versed in syslog - could provide me with some insights / pointers...
>
> Feedback appreciated!
>
> ruben
>

-- 
Bob Bishop
rb@gid.co.uk
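
The difference between the three filter types discussed in this thread can be checked offline before editing /etc/syslog.d/wireguard.conf. The following is an added example, not part of either poster's message: it assumes grep's -F, -G and -E modes as stand-ins for a fixed-string "contains", a basic-RE "regex" and an extended-RE "ereregex", and it runs them over constructed log lines. The backslashes before the colon and space in the thread's patterns are omitted here, since both are ordinary characters in basic and extended REs.

```shell
#!/bin/sh
# Constructed sample lines; not real output from the thread's system.
sample_log() {
cat <<'EOF'
Sep 17 00:30:01 system kernel: wg0: Sending handshake initiation to peer 1
Sep 17 00:30:02 system kernel: wg12: Receiving handshake response from peer 3
Sep 17 00:30:05 system sshd[1234]: Accepted publickey for root from 192.0.2.10
EOF
}

# count_matches MODE PATTERN
# Prints how many sample lines the pattern selects.
# Assumed mapping (stand-in for syslogd's property filters):
#   contains -> fixed substring       (grep -F)
#   regex    -> POSIX basic RE        (grep -G)
#   ereregex -> POSIX extended RE     (grep -E)
count_matches() {
    case "$1" in
        contains) flag=-F ;;
        regex)    flag=-G ;;
        ereregex) flag=-E ;;
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac
    # grep -c exits 1 when the count is 0; that is a result here, not an error.
    sample_log | grep -c "$flag" -e "$2" || true
}

report() {
    printf '%-9s %-20s %s line(s)\n' "$1" "$2" "$(count_matches "$1" "$2")"
}

# ".*" is not a wildcard in a substring test: the literal text never occurs.
report contains '.*wg0: .*'
report contains 'wg0: '
# In a basic RE an unescaped { is a literal brace, so nothing matches.
report regex    'wg[0-9]{1,2}: '
report regex    'wg[0-9]\{1,2\}: '
# In an extended RE {1,2} is a repetition count without escaping.
report ereregex 'wg[0-9]{1,2}: '
```

A filter that selects zero lines here would also leave the wg0 messages in /var/log/messages, which is the symptom described in the original question.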