From: Andy Greenwood <greenwood.andy@gmail.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Fri, 11 Jan 2008 10:51:28 -0500
Message-ID: <47879080.6040208@gmail.com>
Subject: syslogd not reading messages from a remote machine

I have recently set up a Fortigate-60 to run as a firewall/vpn on my home network. I have a FreeBSD 7.0-prerelease machine sitting behind it in the DMZ which is running ssh/web/etc. I'm trying to get the FG to log to the BSD box's syslog. I have set up the necessary stuff on the FG, and can send test logs from there to the bsd box. Running tcpdump on the bsd box gives me this when sending those test logs:

[root@zeus ports]$ tcpdump -n -e -ttt -vv -i dc0 port 514
tcpdump: listening on dc0, link-type EN10MB (Ethernet), capture size 96 bytes
000000 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 468: (tos 0x0, ttl 64, id 53661, offset 0, flags [none], proto UDP (17), length 454)
    10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 426
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000196 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 337: (tos 0x0, ttl 64, id 53662, offset 0, flags [none], proto UDP (17), length 323)
    10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 295
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000227 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 337: (tos 0x0, ttl 64, id 53663, offset 0, flags [none], proto UDP (17), length 323)
    10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 295
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000292 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 447: (tos 0x0, ttl 64, id 53664, offset 0, flags [none], proto UDP (17), length 433)
    10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 405
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000230 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 324: (tos 0x0, ttl 64, id 53665, offset 0, flags [none], proto UDP (17), length 310)
    10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 282
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000143 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 247: (tos 0x0, ttl 64, id 53666, offset 0, flags [none], proto UDP (17), length 233)
    10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 205
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000152 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 279: (tos 0x0, ttl 64, id 53667, offset 0, flags [none], proto UDP (17), length 265)
    10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 237
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000152 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 299: (tos 0x0, ttl 64, id 53668, offset 0, flags [none], proto UDP (17), length 285)
    10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 257
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
^C

So I know that the packets are getting to the machine. I've set up syslogd to accept packets from 10.10.10.1/32 in rc.conf, and confirmed that the FG's IP should be accepted by syslogd:

[root@zeus ports]$ grep syslogd /etc/rc.conf
syslogd_flags="-a 10.10.10.1/32"
[root@zeus ports]$ ps auxww | grep syslogd
root  8538  0.0  0.1  3156  1088  ??  Ss  10:44AM  0:00.02 /usr/sbin/syslogd -l /var/run/log -l /var/named/var/run/log -a 10.10.10.1/32

The FG is set to log via local7, and I've set that up too:

[root@zeus ports]$ grep local7 /etc/syslog.conf
local7.*    /var/log/fortigate

and the log file exists also:

[root@zeus ports]$ ls -l /var/log/fortigate
-rw-r-----  1 root  wheel  0 Jan 11 07:22 /var/log/fortigate

In desperation I even added this to my /etc/syslog.conf, trying to get the messages to appear anywhere, but they aren't showing up in all.log either:

*.*    /var/log/all.log

I've restarted syslogd after every change I've made, but no dice. Can anyone shed some light on why these messages aren't logging and what I need to do to fix it?

Thanks so much!
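As an added illustration (not part of Andy's post or of FreeBSD's syslogd source), the Python below models the two gates a datagram like the ones in the capture has to pass on the receiving host: the -a allowed_peer rule documented in syslogd(8), where a spec with no ":service" only accepts datagrams whose UDP source port is 514 and ":*" accepts any source port, and the syslog.conf selector match on the facility/severity decoded from the message's <PRI> field. The datagram text is constructed from the fields tcpdump printed (local7, warning), and the facility/severity tables are a subset of the real ones.

```python
import ipaddress

# Facility and severity names as used in syslog.conf selectors (subset).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

def parse_allowed_peer(spec):
    """Model of a syslogd(8) -a spec 'ipaddr[/masklen][:service]' (not syslogd's
    own code). Documented rule: with no service the source port must be 514
    (syslog); ':*' accepts any source port. Returns (network, port or None)."""
    addr, _, service = spec.partition(":")
    if "/" not in addr:
        addr += "/32"
    net = ipaddress.ip_network(addr, strict=False)
    if service in ("", "syslog"):
        return net, 514
    if service == "*":
        return net, None
    return net, int(service)

def peer_allowed(specs, src_ip, src_port):
    """True if any -a spec accepts a datagram from src_ip:src_port."""
    ip = ipaddress.ip_address(src_ip)
    for spec in specs:
        net, port = parse_allowed_peer(spec)
        if ip in net and (port is None or port == src_port):
            return True
    return False

def parse_pri(datagram):
    """Split the leading <PRI> of an RFC 3164 datagram into (facility, severity)."""
    end = datagram.find(">")
    if not datagram.startswith("<") or end < 2:
        return None
    pri = int(datagram[1:end])
    return pri // 8, pri % 8

def selector_matches(selector, facility, severity):
    """syslog.conf 'facility.level' selector: '*' matches anything; a named
    level matches that severity and anything more urgent (lower number)."""
    fac, _, level = selector.partition(".")
    if fac != "*" and FACILITIES[fac] != facility:
        return False
    return level == "*" or severity <= SEVERITIES[level]

# Constructed datagram modelled on the capture: local7 (23) * 8 + warning (4) = 188.
SAMPLE = "<188>date=2008-01-11 time=18:37:10 devname=Fortigate-60 type=event"
```

With the capture's source port of 3023, peer_allowed(["10.10.10.1/32"], "10.10.10.1", 3023) returns False while the same spec written as "10.10.10.1/32:*" returns True, even though the selector local7.* matches the decoded PRI; comparing the source port in a capture against the -a spec is the first check to make when accepted-looking datagrams never reach the log file.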