From owner-freebsd-questions@FreeBSD.ORG Sun Jan 13 02:11:04 2008
Date: Sun, 13 Jan 2008 04:10:55 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Jeffrey Goldberg
Cc: Andy Greenwood, freebsd-questions@freebsd.org
Subject: Re: syslogd not reading messages from a remote machine
Message-ID: <20080113021055.GA1667@kobe.laptop>
References: <47879080.6040208@gmail.com> <53AFE19A-173F-43AC-BF68-972FFD12029E@goldmark.org>
In-Reply-To: <53AFE19A-173F-43AC-BF68-972FFD12029E@goldmark.org>

On 2008-01-12 15:50, Jeffrey Goldberg wrote:
> On Jan 11, 2008, at 9:51 AM, Andy Greenwood wrote:
>> I have recently set up a Fortigate-60 to run as a firewall/vpn on my
>> home network. I have a FreeBSD 7.0-prerelease machine sitting behind
>> it in the DMZ which is running ssh/web/etc. I'm trying to get the FG
>> to log to the BSD box's syslog. I have set up the necessary stuff on
>> the FG, and can send test logs from there to the bsd box. Running
>> tcpdump on the bsd [...]
>>
>> So I know that the packets are getting to the machine. I've set up
>> syslogd to accept packets from 10.10.10.1/32 in rc.conf, and
>> confirmed that the FG's IP should be accepted [...]
>>
>> I've restarted syslogd after every change I've made, but no dice. Can
>> anyone shed some light on why these messages aren't logging and what
>> I need to do to fix it?
>
> I'm sure that there is a simple answer for getting syslogd to work
> properly. But after similar experiences to yours (on other systems), I now
> use syslog-ng (in ports) for any system that is going to be a remote syslog
> server.

To the original poster, since I missed the message which started the
thread...

Andy, the default mode of syslogd in FreeBSD is `secure mode', because
the -s option is enabled in `/etc/defaults/rc.conf':

% root@kobe:/root# grep '^syslogd_' /etc/defaults/rc.conf
% syslogd_enable="YES"                  # Run syslog daemon (or NO).
% syslogd_program="/usr/sbin/syslogd"   # path to syslogd, if you want a different one.
% syslogd_flags="-s"                    # Flags to syslogd (if enabled).
% root@kobe:/root#

The -s flag in the default options means that syslogd will *not* log
messages from remote hosts.  Quoting the syslogd manpage:

     -s      Operate in secure mode.  Do not log messages from remote
             machines.  If specified twice, no network socket will be
             opened at all, which also disables logging to remote
             machines.

I'm using the following in `/etc/rc.conf':

% root@kobe:/root# grep '^syslogd_' /etc/rc.conf
% syslogd_enable="YES"
% syslogd_flags=""
% root@kobe:/root#

and the syslogd on the system where this message is typed properly logs
messages from my DSL modem:

% root@kobe:/root# fgrep ' fire ' /var/log/messages | head -1
% Jan 12 22:04:26 fire kernel: Intrusion -> IN=ppp_8_35_1 OUT= MAC= \
%   SRC=62.1.173.240 DST=62.1.60.253 LEN=48 TOS=0x00 PREC=0x00 \
%   TTL=126 ID=39175 DF PROTO=TCP SPT=2213 DPT=445 WINDOW=16384 \
%   RES=0x00 SYN URGP=0
% root@kobe:/root#

NOTE: If you are also using a firewall, you will have to make sure that
incoming UDP messages for the `syslog' service are allowed.  This is the
`pf.conf' snippet from my home network setup:

    pass in proto udp from 192.169.1.0/24 to any port = syslog

HTH,
Giorgos
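As an added example, not part of Giorgos' message or of FreeBSD's own tooling: a POSIX sh script that applies the rc.conf layering and the -s rule explained above to decide whether a given syslogd configuration will accept remote messages, and lists any -a peers it carries. It assumes -s and -a behave as syslogd(8) describes and feeds the functions constructed sample rc.conf files rather than the real ones.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a FreeBSD syslogd will
# accept remote messages, given the rc.conf layering described above
# (/etc/defaults/rc.conf first, /etc/rc.conf overrides).  Assumes -s and -a
# behave as syslogd(8) says; clustered options like "-sa" are not split.
# Echo the syslogd_flags value rc(8) ends up with: source defaults, then the
# local file, inside a subshell so nothing leaks into the caller.
effective_syslogd_flags() {
    (
        syslogd_flags=""
        if [ -r "$1" ]; then . "$1"; fi
        if [ -r "$2" ]; then . "$2"; fi
        printf '%s\n' "$syslogd_flags"
    )
}
# One -s: remote messages are dropped (the FreeBSD default).  Two: no
# network socket at all.  None: remote messages are accepted.
classify_syslogd_flags() {
    secure=0
    for word in $1; do
        case $word in
            -s)  secure=$((secure + 1)) ;;
            -ss) secure=$((secure + 2)) ;;
        esac
    done
    if   [ "$secure" -ge 2 ]; then echo "no-network-socket"
    elif [ "$secure" -eq 1 ]; then echo "secure-drops-remote"
    else                            echo "accepts-remote"
    fi
}
# List the peers given as "-a PEER" or "-aPEER".  With -s present the list
# is moot: secure mode drops remote messages before any peer check.
allowed_peers() {
    want=0; peers=""
    for word in $1; do
        if [ "$want" -eq 1 ]; then peers="$peers $word"; want=0; continue; fi
        case $word in
            -a)  want=1 ;;
            -a*) peers="$peers ${word#-a}" ;;
        esac
    done
    printf '%s\n' "${peers# }"
}
# Constructed files: the stock default, and a local rc.conf that adds -a
# while keeping -s (a common mistake; the fix in the message drops -s).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf 'syslogd_flags="-s"\n' > "$tmp/defaults.rc.conf"
printf 'syslogd_flags="-s -a 10.10.10.1/32"\n' > "$tmp/rc.conf"
flags=$(effective_syslogd_flags "$tmp/defaults.rc.conf" "$tmp/rc.conf")
echo "[$flags] -> $(classify_syslogd_flags "$flags"); -a peers: $(allowed_peers "$flags")"
```

Point it at the real /etc/defaults/rc.conf and /etc/rc.conf to check a live host; an empty flags string, as in the rc.conf shown in the message, classifies as accepts-remote.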