RB wrote:
> I've had a request to increase logging duration on systems that have
> no access to an external syslog server, so am making the necessary
> changes to maintain much larger ring-log files.  Incredibly larger -

What we've done is to make a few tweaks and install syslog-ng....

1/ change the system include file so that it starts syslog with "-b" so that it doesn't bind to an external IP.

2/ add some lines to /etc/rc.conf.local to make a restart of syslog also
bind only to localhost:
syslogd_flags=" -s -f /var/etc/syslog.conf -b"

3/ install syslog-ng and write config so that it does full logging to
local file system as well as copying to a main log server

3a/ pkg_add -r syslog-ng
3b/ config file is /usr/local/etc/syslog-ng/syslog-ng.conf
(if interested, I can provide ours after sanitisation)
3c/ make syslog-ng listen on, say, the sync interface or lan.

4/ add some lines to /etc/rc.conf.local to make sure that syslog-ng
starts up

5/ use the pfSense GUI to tell it to log to the syslog-ng IP address

This "works for us", and the key thing is that apart from having to fix
the /etc/inc/system.inc file when upgrading pfSense (I offered the
diffs/patch, I think it might have been accepted), you don't have to
bend the system too far as you don't have to hack any other part of pfSense.
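
An added example, not the poster's own configuration: a minimal syslog-ng.conf of the shape steps 3 and 3c describe, keeping a full local copy and forwarding a second copy to a main log server. The addresses, the log directory and the names s_pfsense, d_local and d_central are placeholders chosen for illustration; the source address is the one that would be entered in the GUI at step 5.

```conf
# Constructed example; every address and path below is a placeholder.
# syslog-ng 3.x and later also expect an "@version:" first line matching
# the installed release.

options {
    create_dirs(yes);      # create the per-host log directories on demand
    use_dns(no);           # don't let a slow resolver stall logging
};

# Step 3c: listen only on the LAN/sync address, not on every interface.
source s_pfsense {
    udp(ip("192.0.2.1") port(514));
};

# Step 3: full local copy, one file per sending host per day.
destination d_local {
    file("/var/log/remote/$HOST/$YEAR$MONTH$DAY.log");
};

# Step 3: second copy to the main log server.
destination d_central {
    udp("198.51.100.10" port(514));
};

log {
    source(s_pfsense);
    destination(d_local);
    destination(d_central);
};
```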


