Re: rsyslog does not produce log on OpenBSD 6.0
On 2016-12-24, Predrag Punosevac wrote:
> Gregory Edigarov wrote:
>> On 20.12.16 13:47, Stuart Henderson wrote:
>> >
>> > Workaround for this without modifying the syslog daemon:
>> > - run normal OpenBSD syslogd in addition to the other daemon
>> > - have the other syslog daemon bind to a specific IP address
>> > - have OpenBSD syslogd feed the other daemon using a network socket
>> >
>> Or, do not run anything else than syslogd. Seriously, I can't think
>> of any case where that wouldn't be enough.

Some people want logging in a different format. Some might want host
matching based on subnet rather than hostnames. Some want expression
matching and alerting (though I think it's better to do this in a
separate program rather than adding complication to the main logging
daemon).

> I could think of one case. Namely based on reading man pages syslogd
> doesn't support MySQL logging. I am looking to play with echofish
>
> https://echothrust.github.io/echofish/
>
> which is developed on OpenBSD in spite of the fact that it is not in the
> ports tree and is a real time log monitoring system. Based on these short
> notes
>
> https://github.com/echothrust/echofish/blob/master/INSTALL.md

I think I'd just use the pipe feature in syslog.conf. Just feed it to a
simple perl script to split the input line and write them out to a
database, then if there's some kind of problem, it's less likely to have
an impact on the main syslog writing. (I'd always want simple files in
addition to any database-backed logging).

> I am inferring that syslog-ng which runs really well on OpenBSD is a good
> choice for echofish. This is my question
>
> @Stuart Could you please clarify if syslogd is automatically going to
> open/hold port 514 udp. Namely I would like to keep running syslog
> daemon on the logging server itself and send the log files to syslog-ng
> per
>
> https://www.balabit.com/wiki/syslog-ng-faq-syslogd

Yes, syslogd(8) does bind like this (for _sending_ log messages to
another host):

$ fstat|grep syslogd.*internet
_syslogd syslogd343224* internet dgram udp *:514
_syslogd syslogd343225* internet6 dgram udp *:514

This prevents another process from binding to *:514. So if you want to
do this via syslog-ng rather than my other suggestion, you have a couple
of alternatives:

- bind syslog-ng to a specific IP address (127.0.0.1?)
- bind syslog-ng to a different port
- feed syslog-ng via a named pipe, as suggested on that page - syslogd(8)
  doesn't feed directly to named pipes, but if you pre-create one with
  mkfifo you can use "*.* |cat > /path/to/fifo" in syslog.conf.
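
The pipe approach suggested in the message above, as an added example that is not part of the original thread: a filter that reads the lines syslogd writes to its stdin, splits them into fields and stores them using bound parameters, keeping unparsable lines whole. It assumes the traditional "Mon DD HH:MM:SS host tag[pid]: msg" line format and uses Python with SQLite as a stand-in for the perl script and MySQL database mentioned; the script and database paths in the comment are hypothetical.

```python
import re
import sqlite3
import sys

# Assumed input: traditional BSD syslog lines as written to files and pipes.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed sample lines (not taken from the thread).
SAMPLE = [
    "Dec 24 10:15:01 gw sshd[4242]: Invalid user x'); DROP TABLE logs;-- from 192.0.2.7\n",
    "Dec  4 03:00:00 gw /bsd: em0: link up\n",
    "not a syslog line\n",
]

def parse_line(line):
    """Split one syslog line into fields; unparsable lines are kept whole in msg."""
    line = line.rstrip("\n")
    m = LINE_RE.match(line)
    if m is None:
        return {"ts": None, "host": None, "tag": None, "pid": None, "msg": line}
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec

def open_db(path):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS logs "
               "(ts TEXT, host TEXT, tag TEXT, pid INTEGER, msg TEXT)")
    return db

def store_lines(db, lines):
    """Insert every line with bound parameters: log text is untrusted input."""
    count = 0
    for line in lines:
        db.execute("INSERT INTO logs (ts, host, tag, pid, msg) "
                   "VALUES (:ts, :host, :tag, :pid, :msg)", parse_line(line))
        db.commit()  # commit per line so a crash loses at most one record
        count += 1
    return count

if __name__ == "__main__":
    # Hypothetical syslog.conf entry:
    #   *.* |/usr/local/bin/syslog2db.py /var/db/syslog.sqlite
    store_lines(open_db(sys.argv[1]), sys.stdin)
```

Message text can contain anything a remote client chose to send, which is why the insert never builds SQL by string concatenation.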
Re: rsyslog does not produce log on OpenBSD 6.0
Gregory Edigarov wrote:
> On 20.12.16 13:47, Stuart Henderson wrote:
> > On 2016-12-17, Remi Locherer wrote:
> >> On December 17, 2016 12:07:18 PM GMT+01:00, Federico Donati
> >> wrote:
> >>> Hi all,
> >>>
> >>> I've a problem with an OpenBSD 6.0 box with rsyslog.
> >>>
> >>> I need to send all local logs to a remote server and I can't use
> >>> syslogd, because it does not send the hostname of the server (the one
> >>> indicated in /etc/myname), but on the remote server messages come with
> >>> the PTR record of my public ip.
> >> have you tried -h for syslogd from base?
> > Yep this is the easy way.
> >
> >>> I've installed rsyslogd, but it doesn't send anything to the remote
> >>> server. And more than that, it doesn't write anything local.
> > Since 5.6, OpenBSD uses a special sendsyslog(2) system call for
> > logging. This avoids the need for a device node and available file
> > descriptor, which helps with chrooted programs, or if someone is
> > able to cause too many FDs to be opened in an attempt to prevent
> > logging from working.
> >
> > It needs a syslogd that is able to receive these messages. It's a
> > fairly simple change (see src/usr.sbin/syslogd/syslogd.c r1.111)
> > but afaik none of the third-party log daemons support it yet.
> > It's quite likely that diffs to add support for this to other
> > daemons would be accepted for ports, maybe upstreams would accept
> > them too.
> >
> > Workaround for this without modifying the syslog daemon:
> > - run normal OpenBSD syslogd in addition to the other daemon
> > - have the other syslog daemon bind to a specific IP address
> > - have OpenBSD syslogd feed the other daemon using a network socket
> >
> Or, do not run anything else than syslogd. Seriously, I can't think
> of any case where
> that wouldn't be enough.

I could think of one case. Namely based on reading man pages syslogd
doesn't support MySQL logging. I am looking to play with echofish

https://echothrust.github.io/echofish/

which is developed on OpenBSD in spite of the fact that it is not in the
ports tree and is a real time log monitoring system. Based on these short
notes

https://github.com/echothrust/echofish/blob/master/INSTALL.md

I am inferring that syslog-ng which runs really well on OpenBSD is a good
choice for echofish. This is my question

@Stuart Could you please clarify if syslogd is automatically going to
open/hold port 514 udp. Namely I would like to keep running syslog
daemon on the logging server itself and send the log files to syslog-ng
per

https://www.balabit.com/wiki/syslog-ng-faq-syslogd

Thanks,
Predrag
Re: rsyslog does not produce log on OpenBSD 6.0
On 20.12.16 13:47, Stuart Henderson wrote:
> On 2016-12-17, Remi Locherer wrote:
>> On December 17, 2016 12:07:18 PM GMT+01:00, Federico Donati wrote:
>>> Hi all,
>>>
>>> I've a problem with an OpenBSD 6.0 box with rsyslog.
>>>
>>> I need to send all local logs to a remote server and I can't use
>>> syslogd, because it does not send the hostname of the server (the one
>>> indicated in /etc/myname), but on the remote server messages come with
>>> the PTR record of my public ip.
>> have you tried -h for syslogd from base?
> Yep this is the easy way.
>
>>> I've installed rsyslogd, but it doesn't send anything to the remote
>>> server. And more than that, it doesn't write anything local.
> Since 5.6, OpenBSD uses a special sendsyslog(2) system call for
> logging. This avoids the need for a device node and available file
> descriptor, which helps with chrooted programs, or if someone is
> able to cause too many FDs to be opened in an attempt to prevent
> logging from working.
>
> It needs a syslogd that is able to receive these messages. It's a
> fairly simple change (see src/usr.sbin/syslogd/syslogd.c r1.111)
> but afaik none of the third-party log daemons support it yet.
> It's quite likely that diffs to add support for this to other
> daemons would be accepted for ports, maybe upstreams would accept
> them too.
>
> Workaround for this without modifying the syslog daemon:
> - run normal OpenBSD syslogd in addition to the other daemon
> - have the other syslog daemon bind to a specific IP address
> - have OpenBSD syslogd feed the other daemon using a network socket

Or, do not run anything else than syslogd. Seriously, I can't think
of any case where that wouldn't be enough.
Re: rsyslog does not produce log on OpenBSD 6.0
On 2016-12-17, Remi Locherer wrote:
> On December 17, 2016 12:07:18 PM GMT+01:00, Federico Donati
> wrote:
>>Hi all,
>>
>>I've a problem with an OpenBSD 6.0 box with rsyslog.
>>
>>I need to send all local logs to a remote server and I can't use
>>syslogd, because it does not send the hostname of the server (the one
>>indicated in /etc/myname), but on the remote server messages come with
>>the PTR record of my public ip.
>
> have you tried -h for syslogd from base?

Yep this is the easy way.

>>I've installed rsyslogd, but it doesn't send anything to the remote
>>server. And more than that, it doesn't write anything local.

Since 5.6, OpenBSD uses a special sendsyslog(2) system call for
logging. This avoids the need for a device node and available file
descriptor, which helps with chrooted programs, or if someone is
able to cause too many FDs to be opened in an attempt to prevent
logging from working.

It needs a syslogd that is able to receive these messages. It's a
fairly simple change (see src/usr.sbin/syslogd/syslogd.c r1.111)
but afaik none of the third-party log daemons support it yet.
It's quite likely that diffs to add support for this to other
daemons would be accepted for ports, maybe upstreams would accept
them too.

Workaround for this without modifying the syslog daemon:
- run normal OpenBSD syslogd in addition to the other daemon
- have the other syslog daemon bind to a specific IP address
- have OpenBSD syslogd feed the other daemon using a network socket
Re: rsyslog does not produce log on OpenBSD 6.0
On 12/17/2016 04:57 PM, Remi Locherer wrote:
> On December 17, 2016 12:07:18 PM GMT+01:00, Federico Donati wrote:
>> Hi all,
>>
>> I've a problem with an OpenBSD 6.0 box with rsyslog.
>>
>> I need to send all local logs to a remote server and I can't use
>> syslogd, because it does not send the hostname of the server (the one
>> indicated in /etc/myname), but on the remote server messages come with
>> the PTR record of my public ip.
> have you tried -h for syslogd from base?

Feeling stupid right now :/

Thank you very much.
Re: rsyslog does not produce log on OpenBSD 6.0
On December 17, 2016 12:07:18 PM GMT+01:00, Federico Donati wrote:
>Hi all,
>
>I've a problem with an OpenBSD 6.0 box with rsyslog.
>
>I need to send all local logs to a remote server and I can't use
>syslogd, because it does not send the hostname of the server (the one
>indicated in /etc/myname), but on the remote server messages come with
>the PTR record of my public ip.

have you tried -h for syslogd from base?

>
>I've installed rsyslogd, but it doesn't send anything to the remote
>server. And more than that, it doesn't write anything local.
>
>I've also tried to run it in conjunction with syslogd, so locally
>syslogd writes all the logs, but on the remote server rsyslog doesn't
>send anything (verified also with tcpdump).
>
>This is my configuration rsyslog.conf file:
>
>~
>module(load="imuxsock") # provides support for local system logging
>(e.g. via logger command)
>module(load="imklog") # provides kernel logging support (previously
>done by rklogd)
>
>$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
>*.* @@ip.ip.ip.ip:514
>~
>
>
>
>Output of configuration file parser:
>
>~
># rsyslogd -f /etc/rsyslog.conf -N 4
>
>
>rsyslogd: version 8.16.0, config validation run (level 4), master
>config
>/etc/rsyslog.conf
>rsyslogd: End of config validation run. Bye.
>~
>
>
>My box uname -a:
>
>OpenBSD xxx.xxx.xx 6.0 GENERIC.MP#0 amd64
>
>
>Can anyone help?
rsyslog does not produce log on OpenBSD 6.0
Hi all,

I've a problem with an OpenBSD 6.0 box with rsyslog.

I need to send all local logs to a remote server and I can't use
syslogd, because it does not send the hostname of the server (the one
indicated in /etc/myname), but on the remote server messages come with
the PTR record of my public ip.

I've installed rsyslogd, but it doesn't send anything to the remote
server. And more than that, it doesn't write anything local.

I've also tried to run it in conjunction with syslogd, so locally
syslogd writes all the logs, but on the remote server rsyslog doesn't
send anything (verified also with tcpdump).

This is my configuration rsyslog.conf file:

~
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

*.* @@ip.ip.ip.ip:514
~

Output of configuration file parser:

~
# rsyslogd -f /etc/rsyslog.conf -N 4

rsyslogd: version 8.16.0, config validation run (level 4), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
~

My box uname -a:

OpenBSD xxx.xxx.xx 6.0 GENERIC.MP#0 amd64

Can anyone help?