DaemonForums  

#1
Old 21st August 2013
Lexus45
Collecting logs from remote machine

Hello all.

I'm setting up log collection from Asterisk on FreeBSD (10.1.34.30) to an OpenBSD machine (10.145.13.22).
The remote part (Asterisk, FreeBSD) is already configured. tcpdump (run on FreeBSD) shows that logs are sent from the FreeBSD machine to OpenBSD:
Code:
10:53:12.752395 IP 10.1.34.30.514 > 10.145.13.22.514: SYSLOG local0.notice, length: 144
10:53:37.288066 IP 10.1.34.30.514 > 10.145.13.22.514: SYSLOG local0.notice, length: 144
10:54:09.596454 IP 10.1.34.30.514 > 10.145.13.22.514: SYSLOG local0.notice, length: 144
syslogd is also listening on OpenBSD machine:
Code:
# netstat -f inet -nla | grep 514
udp          0      0  *.514                  *.*
PF rules are not changed, they remain unmodified:
Code:
# pfctl -sr
block drop all
pass all flags S/SA
block drop in on ! lo0 proto tcp from any to any port 6000:6010

The problem: where is the log stored?
There is no /var/log/syslog on OpenBSD. Creating it hasn't helped (the file remains empty).

'ps aux | grep syslog' shows two destinations, but they are also empty:
Code:
# ps aux | grep syslog
_syslogd 26787  0.0  0.0   428   732 ??  S      4:23PM    0:00.02 /usr/sbin/syslogd -a /var/www/dev/log -a /var/empty/dev/log
root     23392  0.0  0.0   420   756 ??  Is     4:23PM    0:00.00 syslogd: [priv] (syslogd)
root     31053  0.0  0.0   492   724 p0  S+     5:02PM    0:00.00 grep syslog

So, the logs are sent successfully. I just need to catch them. And I wonder how that could be done.
#2
Old 21st August 2013
jggimi

From the man page syslogd(8):
Code:
     -u      Select the historical ``insecure'' mode, in which syslogd will
             accept input from the UDP port.  Some software wants this, but
             you can be subjected to a variety of attacks over the network,
             including attackers remotely filling logs.
And:
Code:
     syslogd opens an Internet domain socket as specified in /etc/services.
     Normally syslogd will only use this socket to send messages outwards, but
     in ``insecure'' mode it will also read messages from this socket....
#3
Old 21st August 2013
Lexus45

Yes, I saw this option, but I haven't used it, because syslog was already listening on UDP (as we see from 'netstat -f inet -nla').
On the other hand, 'ps aux | grep sysl' shows that the '-u' option is not used.

Thank you, jggimi! I will try right now.
#4
Old 21st August 2013
jggimi

The syslog port is a low numbered port, so privilege separation is used. The checking of program options occurs after privilege separation has already completed. If "-u" is used, the variable SecureMode is set to false and the opened port then is utilized. See /usr/src/usr.sbin/syslogd/*

Last edited by jggimi; 21st August 2013 at 12:33 PM. Reason: typo: removed "not" in the -u statement :)
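The two things a practitioner wants after reading the replies above, as an added example that is not code from the thread or from OpenBSD: a check of the syslogd(8) command line that decides whether the daemon really reads UDP/514 (the netstat output in post #1 shows the socket bound in secure mode too, because syslogd opens it to send), and the configuration that keeps the resulting exposure small. The two addresses are the ones in the thread; the interface name em0, the destination file /var/log/asterisk and the option list of the 2013-era syslogd are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread.  Decide from a syslogd(8) command
# line (as shown by ps) whether OpenBSD syslogd runs in "insecure" mode (-u)
# and therefore reads datagrams from UDP/514, then print the configuration
# for a collector that accepts logs from one known sender only.

# Options assumed to take a separate argument (-a -f -m -p -s, from the
# syslogd(8) of that era).  They are skipped so that a socket path such as
# /var/www/dev/log is never mistaken for a flag.  Combined short options
# such as -nu are handled by looking for a 'u' inside the option word.
syslogd_reads_udp() {
    set -- $1                   # split the command line into words
    shift                       # drop argv[0], e.g. /usr/sbin/syslogd
    while [ $# -gt 0 ]; do
        case $1 in
            -a|-f|-m|-p|-s) shift ;;      # consume the option's argument
            --) break ;;
            -*) case ${1#-} in *u*) echo yes; return 0 ;; esac ;;
        esac
        shift
    done
    echo no
}

# Extract the unprivileged syslogd command line from `ps aux` output.
# Column 11 is COMMAND in BSD ps aux format; the "syslogd: [priv]" parent
# carries no real argv and does not match.
syslogd_cmdline() {
    printf '%s\n' "$1" | awk '$11 ~ /\/syslogd$/ {
        for (i = 11; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
        exit
    }'
}

# Constructed sample: the ps output posted in the thread.
PS_SAMPLE='_syslogd 26787  0.0  0.0   428   732 ??  S      4:23PM    0:00.02 /usr/sbin/syslogd -a /var/www/dev/log -a /var/empty/dev/log
root     23392  0.0  0.0   420   756 ??  Is     4:23PM    0:00.00 syslogd: [priv] (syslogd)'

# Configuration for the OpenBSD collector.  The interface (em0) and the log
# file are assumptions of this example; the sender defaults to the thread's
# FreeBSD host.  The syslog.conf line is tab-separated.
remote_logging_config() {
    sender=${1:-10.1.34.30}
    cat <<EOF
# /etc/rc.conf.local  (on releases that have rcctl: rcctl set syslogd flags -u)
syslogd_flags="-u"

# /etc/syslog.conf: keep the Asterisk stream out of /var/log/messages.
# Create the file first (touch /var/log/asterisk) and add it to newsyslog.conf.
local0.*	/var/log/asterisk

# /etc/pf.conf: only the known sender may reach UDP/514.  UDP source
# addresses can be spoofed, so this narrows, but does not remove, the
# log-flooding risk that syslogd(8) warns about.
block in on em0 proto udp to (em0) port 514
pass in quick on em0 proto udp from $sender to (em0) port 514
EOF
}

# Stand-alone run: report the mode for the sample, then print the config.
cmd=$(syslogd_cmdline "$PS_SAMPLE")
echo "syslogd command line: $cmd"
echo "reads UDP/514: $(syslogd_reads_udp "$cmd")"
remote_logging_config
```

On a live OpenBSD host, feed `syslogd_cmdline` the output of `ps aux` and expect "no" until `-u` is in syslogd_flags and syslogd has been restarted; the pf rules belong after the existing `pass all` line so that the block for UDP/514 is the last match for every source except the sender.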
#5
Old 22nd August 2013
Lexus45

Well, now the remote log is stored in /var/log/messages

Thank you for the advice, friend.