From: "O. Hartmann"
To: freebsd-current
Subject: Re: syslog: not logging for remote host
Date: Wed, 13 Jul 2016 10:09:20 +0200
Message-ID: <20160713100920.66e3da8c@freyja.zeit4.iv.bundesimmobilien.de>
In-Reply-To: <20160713095343.4c41ff9a@freyja.zeit4.iv.bundesimmobilien.de>
Organization: FU Berlin

On Wed, 13 Jul 2016 09:53:43 +0200
"O. Hartmann" wrote:

> I have some serious trouble logging for remote hosts via syslog on a specific
> central server.
>
> Following manpages syslogd(8) and syslog.conf(5), the syslogd is allowed to
> listen on a specific address (-b option) and receiving syslog messages from
> remote client hosts on a specific network (-a option). Our configuration of
> syslogd looks like (rc.conf):
>
> syslogd_flags="-8 -n -v -4 -C -b 192.168.0.2:514 -a 192.168.0.1/24:*"
>
> and sockstat shows a proper listening port:
>
> [...]
> root syslogd 75823 6 udp4 192.168.0.2:514 *:*
>
> Now the strange or weird part (in my opinion).
>
> We have several firewalls, gateways, APs and printers which are configured to
> send syslog messages to a remote host, designated by the IP shown above. This
> works, I can see syslogd receiving messages from several systems
> via /var/log/messages (at the moment everything is also dumped into that file
> as well as onto console, on which the messages from the remote devices also
> appear as expected.
>
> In /etc/syslog.conf I try to use the following line, for instance for one
> device as pars pro totum, to log to a dedicated file:
>
> [...]
> +192.168.0.100
> *.* /var/log/printer-01.log
> +192.168.0.101
> *.* /var/log/printer-02.log
> !*
> (EOF)
>
> All log definitions for remote host logging are put to the end of file
> syslog.conf to avoid problems with the block boundaries. So the above shown
> config should separate each different host in a defined way as the manpage
> syslog.conf(5) states.
>
> Using IPs only seems not to work (and I can not understand, according to
> syslogd(8) and option -a ipaddr/msklen:port). I never get a delegation of
> log messages into the specified file.
>
> So, syslog.conf(5) states that I have to use "names". So I also
> set up /etc/hosts to have each remote host's IP assigned with a hostname (we
> have no domain/DNS in this specific network, IP only!). So I tried then
>
> [...]
> +printer-01
> *.* /var/log/printer-01.log
> +printer02
> *.* /var/log/printer-02.log
> !*
> (EOF)
>
> This doesn't work either!
>
> Something is very fishy with FreeBSD's syslogd and please let me know what I'm
> doing wrong here.
>
> I also read the section in the handbook about remote syslog and the
> requirement of a forward and reverse DNS resolution - which is NOT(!)
> mentioned in the manpages (and I follow the opinion that in doubt, the
> manpage is right!).
>
> Can someone shed a bit of light on that (no, I do not want to use a ports
> package/alternative syslog, I'd like to use FreeBSD's tools already aboard).
>
> Thank you very much in advance and apologies to those who feel bothered by a
> possible stupid question!
>
> regards,
>
> O. Hartmann

I found this message left five years ago, coinciding with my experience, that
when I used this logging method last time, that was FreeBSD 8.X and early 9.X,
it worked for IPs as shown;

https://lists.freebsd.org/pipermail/freebsd-questions/2011-November/235565.html
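
The block rules the message relies on, as an added example that is not part of the original post and is not syslogd's code: a simplified Python model of how syslog.conf(5) host (`+`/`-`) and program (`!`) lines scope the rules that follow them, run over a constructed config built from the quoted fragment. Assumptions: selectors are treated as `*.*`, the `lpd` program name is hypothetical, and `sender` stands for whatever name syslogd attributes to the remote peer (with `-n`, which disables DNS queries, that is assumed to be the numeric address).

```python
# Added illustration: simplified model of the host/program blocks described in
# syslog.conf(5). Not syslogd's code; selectors are not evaluated ("*.*" only).

# Constructed sample: one global rule, then the per-host blocks from the post.
CONF = """\
*.*\t/var/log/messages
+192.168.0.100
*.*\t/var/log/printer-01.log
+192.168.0.101
*.*\t/var/log/printer-02.log
!*
"""

def parse(conf_text):
    """Return (host_spec, prog_spec, action) for every rule line."""
    host, prog, rules = "*", "*", []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] in "+-":        # host block: active until the next +/- line
            host = line
        elif line[0] == "!":       # program block: "!*" resets the program only
            prog = line[1:].strip()
        else:
            _selector, action = line.split(None, 1)
            rules.append((host, prog, action))
    return rules

def host_matches(spec, sender):
    """True if `sender` falls inside the host block `spec` ('*' or '+*' = any)."""
    if spec in ("*", "+*"):
        return True
    names = [n.strip().lower() for n in spec[1:].split(",")]
    return (sender.lower() in names) != spec.startswith("-")

def route(rules, sender, program="lpd"):
    """Files a message from `sender` (the name syslogd attributes to it) reaches."""
    return [action for host, prog, action in rules
            if host_matches(host, sender)
            and (prog == "*" or program in prog.split(","))]

if __name__ == "__main__":
    rules = parse(CONF)
    for sender in ("192.168.0.100", "192.168.0.101", "printer-01"):
        print(sender, "->", route(rules, sender))
```

In this model a rule appended after the trailing `!*` still belongs to the `+192.168.0.101` block, because only a `+*` line resets the host filter.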