From owner-freebsd-questions@freebsd.org Mon Aug 7 10:40:04 2017
Message-Id: <1502102401.630259.1065410328.1B1106A7@webmail.messagingengine.com>
From: Dave Cottlehuber
To: freebsd-questions@freebsd.org
Subject: Re: log centralizer?
Date: Mon, 07 Aug 2017 12:40:01 +0200

On Mon, 7 Aug 2017, at 07:39, Aleksandr Miroslav wrote:
> I'm looking for a mechanism to collect and store all logs into a
> centralized location. I'm not looking for a fancy graphical interface
> (a la Splunk) to search those logs just yet, just collecting them on a
> centralized server is fine for the moment.
>
> Is there something available in ports/base that I can use for this
> purpose? I took a quick look at ELK, it seems overly complicated, but
> I've never used it.

While you *could* do this with base syslogd, it's not safe - you'd need
to accept inbound UDP packets on your central servers, and there's no
encryption support either.

https://www.freebsd.org/cgi/man.cgi?query=syslogd has a nice quote:

> The ability to log messages received in UDP packets is equivalent to
> an unauthenticated remote disk-filling service, and should probably be
> disabled by default. Some sort of inter-syslogd authentication
> mechanism ought to be worked out. To prevent the worst abuse, use of
> the -a option is therefore highly recommended.
Here's what I use:

- disable syslogd by default in /etc/rc.conf
- use sysutils/rsyslog8 on each server forwarding to a central rsyslogd server
- sysutils/spiped as an alternative to TLS certs for securing the rsyslog connections between systems
- rsyslog can be configured to buffer forwarding to a disk queue if the remote instance isn't available (e.g. because you're rebooting/updating it).

that alone is enough to meet your needs, but adding:

- sysutils/graylog
- textproc/elasticsearch2

is an easy additional config to get a nice searchable GUI. I'm happy to share some configs if you want to go down this path.

A+
Dave
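Added example (editor's code, not Dave's configs and not part of the original thread): a POSIX shell script that produces the pieces of the layout the mail describes, i.e. rsyslog 8 on each host forwarding over TCP to a loopback port, spiped carrying that TCP stream encrypted and authenticated with a shared key to the central server, and a central rsyslogd that listens only on loopback behind the decrypting spiped. The forwarding action uses a disk-assisted queue so messages survive a reboot of the central server. The hostname `logs.example.internal`, the ports 8514/10514, the key path, the spool and log directories, and the rc.conf knob names are assumptions for illustration; check them against the installed port's rc script and `rsyslog.conf(5)` before use.

```shell
#!/bin/sh
# Editor's example, not from the thread. All paths, ports and hostnames are assumed.
set -eu

CENTRAL_HOST="${CENTRAL_HOST:-logs.example.internal}"  # assumed central server name
SPIPED_PORT="${SPIPED_PORT:-8514}"    # assumed port the server-side spiped exposes (encrypted)
LOCAL_PORT="${LOCAL_PORT:-10514}"     # loopback port between rsyslogd and spiped on both sides
KEYFILE="${KEYFILE:-/usr/local/etc/spiped.key}"  # assumed location of the shared key

# spiped authenticates both ends with one shared secret; 32 random bytes,
# copied out of band to every client and the server, readable by root only.
make_spiped_key() {
    dd if=/dev/urandom bs=32 count=1 of="$1" 2>/dev/null
    chmod 600 "$1"
}

# rc.conf lines for a client: base syslogd off, the port's rsyslogd on.
rc_conf_lines() {
    printf '%s\n' 'syslogd_enable="NO"' 'rsyslogd_enable="YES"'
}

# Client rsyslog.conf: local sources only, forwarded to the loopback spiped
# endpoint (never directly to the network). The LinkedList queue spills to
# disk under workDirectory, is saved on shutdown and retries forever, so a
# central-server reboot costs nothing but latency.
write_client_conf() {
    cat > "$1" <<EOF
module(load="imuxsock")
module(load="imklog")
# assumed spool directory; must exist and be writable by rsyslogd
global(workDirectory="/var/spool/rsyslog")

action(type="omfwd"
       target="127.0.0.1" port="${LOCAL_PORT}" protocol="tcp"
       queue.type="LinkedList"
       queue.filename="fwd_central"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
EOF
}

# Central rsyslog.conf: imptcp bound to loopback, so only the local spiped
# (which has already authenticated the peer) can deliver; one file per
# sending host and program, with restrictive modes on created paths.
write_server_conf() {
    cat > "$1" <<EOF
module(load="imptcp")
input(type="imptcp" address="127.0.0.1" port="${LOCAL_PORT}" ruleset="central")

template(name="perhost" type="string"
         string="/var/log/central/%HOSTNAME%/%PROGRAMNAME%.log")

ruleset(name="central") {
    action(type="omfile" dynaFile="perhost"
           dirCreateMode="0750" fileCreateMode="0640")
}
EOF
}

# spiped invocations. -e: accept plaintext on loopback, send encrypted to the
# central host. -d: accept encrypted connections, hand plaintext to loopback.
# Printed rather than executed so they can be dropped into an rc wrapper.
spiped_client_cmd() {
    printf 'spiped -e -s "[127.0.0.1]:%s" -t "%s:%s" -k "%s"\n' \
        "$LOCAL_PORT" "$CENTRAL_HOST" "$SPIPED_PORT" "$KEYFILE"
}
spiped_server_cmd() {
    printf 'spiped -d -s "[0.0.0.0]:%s" -t "[127.0.0.1]:%s" -k "%s"\n' \
        "$SPIPED_PORT" "$LOCAL_PORT" "$KEYFILE"
}

# Usage (run as root on the respective hosts):
#   make_spiped_key /usr/local/etc/spiped.key        # once, then distribute
#   write_client_conf /usr/local/etc/rsyslog.conf    # on each client
#   write_server_conf /usr/local/etc/rsyslog.conf    # on the central server
#   spiped_client_cmd ; spiped_server_cmd            # commands to run on each side
```

The point worth checking after deployment is that the only socket open to the network on the central server is spiped's port: `sockstat -l` should show rsyslogd bound to 127.0.0.1 only. With that in place, an unauthenticated sender cannot reach rsyslogd at all, which is exactly the abuse the syslogd man page quote warns about.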