From: "O. Hartmann"
To: freebsd-current
Subject: syslog: not logging for remote host
Date: Wed, 13 Jul 2016 09:53:43 +0200
Message-ID: <20160713095343.4c41ff9a@freyja.zeit4.iv.bundesimmobilien.de>
Organization: FU Berlin

I have some serious trouble logging for remote hosts via syslog on a specific central server.

Following manpages syslogd(8) and syslog.conf(5), the syslogd is allowed to listen on a specific address (-b option) and receive syslog messages from remote client hosts on a specific network (-a option).

Our configuration of syslogd looks like (rc.conf):

syslogd_flags="-8 -n -v -4 -C -b 192.168.0.2:514 -a 192.168.0.1/24:*"

and sockstat shows a proper listening port:

[...]
root syslogd 75823 6 udp4 192.168.0.2:514 *:*

Now the strange or weird part (in my opinion). We have several firewalls, gateways, APs and printers which are configured to send syslog messages to a remote host, designated by the IP shown above. This works, I can see syslogd receiving messages from several systems via /var/log/messages (at the moment everything is also dumped into that file as well as onto console, on which the messages from the remote devices also appear as expected).

In /etc/syslog.conf I try to use the following line, for instance for one device as pars pro totum, to log to a dedicated file:

[...]
+192.168.0.100
*.*		/var/log/printer-01.log
+192.168.0.101
*.*		/var/log/printer-02.log
!*
(EOF)

All log definitions for remote host logging are put at the end of the file syslog.conf to avoid problems with the block boundaries. So the config shown above should separate each different host in a defined way, as the manpage syslog.conf(5) states.

Using IPs only seems not to work (and I can not understand, according to syslogd(8) and option -a ipaddr/msklen:port). I never get a delegation of log messages into the specified file.

So, syslog.conf(5) states that I have to use "names". So I also set up /etc/hosts to have each remote host's IP assigned a hostname (we have no domain/DNS in this specific network, IP only!). So I tried then

[...]
+printer-01
*.*		/var/log/printer-01.log
+printer02
*.*		/var/log/printer-02.log
!*
(EOF)

This doesn't work either! Something is very fishy with FreeBSD's syslogd and please let me know what I'm doing wrong here.

I also read the section in the handbook about remote syslog and the requirement of a forward and reverse DNS resolution - which is NOT(!) mentioned in the manpages (and I follow the opinion that in doubt, the manpage is right!).

Can someone shed a bit of light on that (no, I do not want to use a ports package/alternative syslog, I'd like to use FreeBSD's tools already aboard).

Thank you very much in advance and apologies to those who feel bothered by a possibly stupid question!

regards,

O. Hartmann
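
Added example, not part of the original post and not syslogd's own code: a small Python model of the host-block rules in syslog.conf(5) that the message relies on, showing which files a message reaches for a given sender name. The sample configuration is constructed from entries in the post; `parse_host_blocks`, `targets_for` and the literal, case-sensitive name comparison are assumptions of this sketch, and the name syslogd attributes to the sender is passed in rather than modeled.

```python
"""Model of syslog.conf(5) host blocks (added sketch, not syslogd source)."""

# Constructed sample: one global rule, then two host blocks from the post.
SAMPLE_CONF = """\
*.*\t/var/log/messages
+192.168.0.100
*.*\t/var/log/printer-01.log
+printer02
*.*\t/var/log/printer-02.log
!*
"""

def parse_host_blocks(conf_text):
    """Return [(host_spec or None, selector, action)] for every rule line."""
    rules, host = [], None            # None: rule applies to every host
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith(("#+", "#-")):
            line = line[1:]           # '#+host' and '#-host' are host specs too
        if not line or line.startswith("#"):
            continue
        if line[0] in "+-":
            spec = line[1:].strip()
            # '+*' (or an empty spec) resets the block to "all hosts"
            host = None if spec in ("", "*") else line[0] + spec
            continue
        if line.startswith("!"):
            continue                  # program specs are not modeled here
        parts = line.split(None, 1)
        if len(parts) == 2:
            rules.append((host, parts[0], parts[1].strip()))
    return rules

def targets_for(conf_text, sender_name):
    """Actions whose host block accepts sender_name (selectors not evaluated)."""
    hits = []
    for host, _selector, action in parse_host_blocks(conf_text):
        if host is None:
            hits.append(action)
            continue
        matched = sender_name in host[1:].split(",")
        # '+host' keeps matching senders, '-host' keeps all the others
        if matched == (host[0] == "+"):
            hits.append(action)
    return hits

if __name__ == "__main__":
    for name in ("192.168.0.100", "printer-01", "printer02"):
        print(name, "->", targets_for(SAMPLE_CONF, name))
```

Running it with the name that appears in front of a device's messages in /var/log/messages shows whether any host block in the file would accept that exact string.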