RB wrote:
> I've had a request to increase logging duration on systems that have
> no access to an external syslog server, so am making the necessary
> changes to maintain much larger ring-log files. Incredibly larger -

what we've done is to make a few tweaks and install syslog-ng....

1/ change the system include file so that it starts syslog with
   "-b 127.0.0.1" so that it doesn't bind to an external IP.

2/ add some lines to /etc/rc.conf.local to make a restart of syslog
   also bind only to localhost:

       syslogd_enable="YES"
       syslogd_flags=" -s -f /var/etc/syslog.conf -b 127.0.0.1"

3/ install syslog-ng and write config so that it does full logging to
   local file system as well as copying to a main log server

   3a/ pkg_add -r syslog-ng
   3b/ config file is /usr/local/etc/syslog-ng/syslog-ng.conf
       (if interested, I can provide ours after sanitisation)
   3c/ make syslog-ng listen on, say, the sync interface or lan.

4/ add some lines to /etc/rc.conf.local to make sure that syslog-ng
   starts up

5/ use the pfsense gui to tell it to log to the syslog-ng IP address

this "works for us", and the key thing is that apart from having to fix
the /etc/inc/system.inc file when upgrading pfsense (I offered the
diffs/patch, I think it might have been accepted), you don't have to
bend the system too far as you don't have to hack any other part of
pfsense.

HTH

Paul
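
A minimal syslog-ng.conf matching steps 3 and 3c above, added here as an illustration; it is not Paul's configuration, which was not posted. The addresses, the source and destination names and the log path are constructed placeholders.

```conf
# /usr/local/etc/syslog-ng/syslog-ng.conf
# Added illustration, not the poster's file. Assumptions (all constructed):
#   192.0.2.1     = this firewall's LAN (or sync) address
#   198.51.100.10 = the main log server
# Newer syslog-ng releases also expect an "@version:" first line that
# matches the installed package.

options {
    create_dirs(yes);    # create the per-host directories on demand
};

# Step 3c: listen on one internal address only. The stock syslogd is
# held on 127.0.0.1 by "-b 127.0.0.1" (steps 1 and 2), so it does not
# compete for UDP 514 on this address.
source s_pfsense {
    udp(ip(192.0.2.1) port(514));
};

# Step 3: full logging to the local file system, one file per host per
# day, readable by root only.
destination d_local {
    file("/var/log/syslog-ng/$HOST/$YEAR-$MONTH-$DAY.log"
         owner(root) group(wheel) perm(0600) dir_perm(0700));
};

# Step 3: copy every message to the main log server.
destination d_main {
    udp("198.51.100.10" port(514));
};

log {
    source(s_pfsense);
    destination(d_local);
    destination(d_main);
};
```

With this file, the address entered in the GUI in step 5 would be 192.0.2.1. Nothing here expires the daily files, so a scheduled job sized to the disk has to prune them.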