Date: Fri, 11 Jan 2008 10:51:28 -0500
From: Andy Greenwood <greenwood.andy@gmail.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: syslogd not reading messages from a remote machine
Message-ID: <47879080.6040208@gmail.com>
I have recently set up a Fortigate-60 to run as a firewall/vpn on my home network. I have a FreeBSD 7.0-prerelease machine sitting behind it in the DMZ which is running ssh/web/etc. I'm trying to get the FG to log to the BSD box's syslog. I have set up the necessary stuff on the FG, and can send test logs from there to the bsd box. Running tcpdump on the bsd box gives me this when sending those test logs:

[root@zeus ports]$ tcpdump -n -e -ttt -vv -i dc0 port 514
tcpdump: listening on dc0, link-type EN10MB (Ethernet), capture size 96 bytes
000000 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 468: (tos 0x0, ttl 64, id 53661, offset 0, flags [none], proto UDP (17), length 454) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 426
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000196 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 337: (tos 0x0, ttl 64, id 53662, offset 0, flags [none], proto UDP (17), length 323) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 295
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000227 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 337: (tos 0x0, ttl 64, id 53663, offset 0, flags [none], proto UDP (17), length 323) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 295
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000292 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 447: (tos 0x0, ttl 64, id 53664, offset 0, flags [none], proto UDP (17), length 433) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 405
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000230 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 324: (tos 0x0, ttl 64, id 53665, offset 0, flags [none], proto UDP (17), length 310) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 282
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000143 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 247: (tos 0x0, ttl 64, id 53666, offset 0, flags [none], proto UDP (17), length 233) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 205
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000152 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 279: (tos 0x0, ttl 64, id 53667, offset 0, flags [none], proto UDP (17), length 265) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 237
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000152 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 299: (tos 0x0, ttl 64, id 53668, offset 0, flags [none], proto UDP (17), length 285) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 257
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
^C

So I know that the packets are getting to the machine. I've set up syslogd to accept packets from 10.10.10.1/32 in rc.conf, and confirmed that the FG's IP should be accepted by syslogd:

[root@zeus ports]$ grep syslogd /etc/rc.conf
syslogd_flags="-a 10.10.10.1/32"
[root@zeus ports]$ ps auxww | grep syslogd
root   8538  0.0  0.1  3156  1088  ??  Ss   10:44AM   0:00.02 /usr/sbin/syslogd -l /var/run/log -l /var/named/var/run/log -a 10.10.10.1/32

The FG is set to log via local7, and I've set that up too.

[root@zeus ports]$ grep local7 /etc/syslog.conf
local7.*                                        /var/log/fortigate

And the log file exists also.

[root@zeus ports]$ ls -l /var/log/fortigate
-rw-r-----  1 root  wheel  0 Jan 11 07:22 /var/log/fortigate

In desperation I even added this to my /etc/syslog.conf, trying to get the messages to appear anywhere, but they aren't showing up in all.log either.

*.*                                             /var/log/all.log

I've restarted syslogd after every change I've made, but no dice. Can anyone shed some light on why these messages aren't logging and what I need to do to fix it? Thanks so much!
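An added check, not part of the thread or of FreeBSD's own code: it models how syslogd(8) evaluates an `-a ipaddr/masklen[:service]` allowed-peer spec (address must fall inside the prefix, and the source UDP port must match `service`, which defaults to `syslog`, port 514, unless a service name, a number, or `*` is appended) and applies it to the source address and port visible in the tcpdump output above. The `TCPDUMP_LINE` sample is constructed from the first capture line, and the `_SERVICES` table is a stand-in for services(5) so the script runs offline.

```python
"""Evaluate a FreeBSD syslogd -a allowed-peer spec against a peer seen in tcpdump.

Added example; it models only the ipaddr/masklen[:service] form of -a
(the hostname form is not handled) using a tiny services(5) stand-in.
"""
import ipaddress
import re

# Constructed sample, copied from the first tcpdump line in the post.
TCPDUMP_LINE = "10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 426"

# Minimal stand-in for services(5); syslogd's default service is "syslog".
_SERVICES = {"syslog": 514}

# tcpdump prints IPv4 peers as a.b.c.d.port; capture the source side only.
_PEER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > \d+\.\d+\.\d+\.\d+\.\d+:")


def parse_src(line):
    """Return (src_ip, src_port) from a tcpdump 'a.b.c.d.port > ...' line."""
    m = _PEER_RE.search(line)
    if not m:
        raise ValueError("no UDP peer found in line: %r" % line)
    return m.group(1), int(m.group(2))


def allowed(spec, src_ip, src_port):
    """Return (ok, reason) for one -a spec of the form ipaddr/masklen[:service]."""
    addr, _, service = spec.partition(":")
    net = ipaddress.ip_network(addr, strict=False)  # bare address -> /32
    if ipaddress.ip_address(src_ip) not in net:
        return False, "%s is outside %s" % (src_ip, net)
    service = service or "syslog"  # no ':service' means the syslog port only
    if service != "*":
        want = int(service) if service.isdigit() else _SERVICES[service]
        if src_port != want:
            return False, "source port %d is not %s (%d)" % (src_port, service, want)
    return True, "accepted by -a %s" % spec


def check_line(spec, line=TCPDUMP_LINE):
    """Apply one -a spec to the source peer of a tcpdump line."""
    ip, port = parse_src(line)
    return allowed(spec, ip, port)


if __name__ == "__main__":
    for spec in ("10.10.10.1/32", "10.10.10.1/32:*"):
        print(spec, "->", check_line(spec))
```

Running it shows the peer in the capture being rejected under `-a 10.10.10.1/32` because its source port is 3023, and accepted under `-a 10.10.10.1/32:*`.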