RB wrote:
> I've had a request to increase logging duration on systems that have
> no access to an external syslog server, so am making the necessary
> changes to maintain much larger ring-log files.  Incredibly larger -

what we've done is to make a few tweaks and install syslog-ng....

1/ change the system include file so that it starts syslog with "-b
127.0.0.1" so that it doesn't bind to an external IP.

2/ add some lines to /etc/rc.conf.local to make a restart of syslog also
bind only to localhost:
syslogd_enable="YES"
syslogd_flags=" -s -f /var/etc/syslog.conf -b 127.0.0.1"

3/ install syslog-ng and write config so that it does full logging to
local file system as well as copying to a main log server

3a/ pkg_add -r syslog-ng
3b/ config file is /usr/local/etc/syslog-ng/syslog-ng.conf
(if interested, I can provide ours after sanitisation)
3c/ make syslog-ng listen on, say, the sync interface or lan.

4/ add some lines to /etc/rc.conf.local to make sure that syslog-ng
starts up

5/ use the pfSense GUI to tell it to log to the syslog-ng IP address

this "works for us", and the key thing is that apart from having to fix
the /etc/inc/system.inc file when upgrading pfSense (I offered the
diffs/patch, I think it might have been accepted), you don't have to
bend the system too far as you don't have to hack any other part of pfSense.


HTH
Paul
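
A minimal syslog-ng.conf matching steps 3 and 3c above, added here as an illustration; it is not Paul's configuration. The 192.0.2.x addresses, log paths and source/destination names are placeholders, and the legacy udp() driver syntax is assumed for the syslog-ng version that pkg_add installs.

```conf
# /usr/local/etc/syslog-ng/syslog-ng.conf
# Illustrative only: every address, path and object name below is a placeholder.

options {
    create_dirs(yes);      # create per-host log directories on demand
    dir_perm(0750);
    perm(0640);            # log files readable by owner and group only
    keep_hostname(yes);    # keep the hostname carried in the message
    use_dns(no);           # no DNS lookup per message on the firewall
};

# Step 3c: listen only on the LAN (or sync) interface address, never on WAN.
# 192.0.2.1 stands in for that interface's IP; it is the address entered in
# the pfSense GUI in step 5. The stock syslogd stays on 127.0.0.1 (steps 1-2),
# so the two daemons do not compete for the same socket.
source s_pfsense {
    udp(ip(192.0.2.1) port(514));
};

# Step 3: full logging to the local file system, one file per host per day.
destination d_local {
    file("/var/log/syslog-ng/$HOST/$YEAR-$MONTH-$DAY.log");
};

# Step 3: copy of every message to the main log server (placeholder address).
destination d_central {
    udp("192.0.2.50" port(514));
};

log {
    source(s_pfsense);
    destination(d_local);
    destination(d_central);
};
```

Because the date macros put each day in its own file, local retention can be managed by deleting files older than the required logging duration.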
