OpenBSD Packages and Ports (installation and upgrading of packages and ports on OpenBSD)

Syslog-ng Monitor
Hi all,
I am wondering if anyone can assist with getting syslog-ng working (or verifying that it is) the way I want it to. Basically I'm running Syslog-ng with hopes of capturing all syslog info sent to the machine and to act as a central syslog monitor. I'm using the "sample" config for syslog-ng from OpenBSD and running on OpenBSD 4.6 with PF disabled (at least for now). I'm running "php-syslog-ng" which is supposed to be a web interface for syslog-ng allowing you to see all the logs:
http://code.google.com/p/php-syslog-ng/

Right now it appears that syslog-ng starts up fine but I do not see anything show up on the web interface. I would first like to start by verifying that Syslog-ng is in fact accepting incoming syslogs and working properly. If anyone has any thoughts on this or getting my system running properly that would be awesome.
If you use the built-in Apache server of OpenBSD, please remember that it runs chrooted by default and thus has no way to look at any logs in /var/log.
Read the OpenBSD FAQ about the chrooted Apache for more info.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
You're right, I had forgotten about chroot. I created a symbolic link from /var/log to /var/www/var/log but I still don't see anything show up on the web interface.
If I do tcpdump I see syslogs coming in. Code:
07:11:43.675476 externalhost.syslog > thelocalhost.syslog: udp 155
07:11:43.677915 externalhost.syslog > thelocalhost.syslog: udp 135
07:11:43.679250 externalhost.syslog > thelocalhost.syslog: udp 131
07:11:43.687156 externalhost.syslog > thelocalhost.syslog: udp 128
Code:
Feb 5 05:50:12 thelocalhost syslog-ng[5148]: syslog-ng starting up; version='2.1.4'
Feb 5 06:00:12 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=4', processed='center(received)=33183', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=1', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=1', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=1', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=1', processed='source(net)=33182', processed='source(src)=1'
Feb 5 06:10:12 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=8', processed='center(received)=69333', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=2', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=2', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=2', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=2', processed='source(net)=69331', processed='source(src)=2'
Feb 5 06:20:12 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=12', processed='center(received)=102940', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=3', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=3', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=3', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=3', processed='source(net)=102937', processed='source(src)=3'
Feb 5 06:30:12 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=16', processed='center(received)=139291', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=4', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=4', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=4', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=4', processed='source(net)=139287', processed='source(src)=4'
Feb 5 06:40:12 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=20', processed='center(received)=178111', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=5', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=5', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=5', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=5', processed='source(net)=178106', processed='source(src)=5'
Feb 5 06:50:13 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=24', processed='center(received)=219051', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=6', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=6', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=6', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=6', processed='source(net)=219045', processed='source(src)=6'
Feb 5 07:00:13 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=28', processed='center(received)=257055', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=7', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=7', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=7', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=7', processed='source(net)=257048', processed='source(src)=7'
Feb 5 07:10:13 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=32', processed='center(received)=299926', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=8', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=8', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=8', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=8', processed='source(net)=299918', processed='source(src)=8'
Thoughts? Thanks for your quick reply.
Last edited by plexter; 5th February 2010 at 05:01 PM. Reason: added log messages
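The statistics lines in the post above already carry the diagnosis: in syslog-ng 2.x center(received) counts what the daemon took in and center(queued) what it handed to destinations, so 33182 messages from source(net) against only 4 queued means the network messages matched no log {} statement and reached no file the web interface could read. As an added example that is not from the thread, a small Python parser over a constructed copy of those lines computes that gap per statistics line and names the source whose messages could not all have reached a destination:

```python
import re
from typing import Dict, List

# Constructed sample: the startup line and the first 'Log statistics' line
# from the post above, trimmed to the fields that carry the diagnosis.
SAMPLE_LOG = """\
Feb 5 05:50:12 thelocalhost syslog-ng[5148]: syslog-ng starting up; version='2.1.4'
Feb 5 06:00:12 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=4', \
processed='center(received)=33183', processed='destination(debug)=1', \
processed='destination(messages)=1', processed='destination(syslog)=1', \
processed='destination(console_all)=1', processed='source(net)=33182', processed='source(src)=1'
"""

# One processed='kind(name)=count' field, e.g. processed='source(net)=33182'
FIELD_RE = re.compile(r"processed='(\w+)\(([^)]+)\)=(\d+)'")

def parse_stats_line(line: str) -> Dict[str, Dict[str, int]]:
    """Map one statistics line to {kind: {name: count}}; other lines yield empty maps."""
    stats: Dict[str, Dict[str, int]] = {"center": {}, "source": {}, "destination": {}}
    for kind, name, count in FIELD_RE.findall(line):
        stats.setdefault(kind, {})[name] = int(count)
    return stats

def routing_report(log_text: str) -> List[dict]:
    """Per statistics line: received vs. queued counts plus the per-source and
    per-destination breakdown. received - queued is a lower bound on messages
    that reached no destination, because a message matched by several log {}
    statements is queued once per destination."""
    reports = []
    for line in log_text.splitlines():
        if "Log statistics;" not in line:
            continue
        s = parse_stats_line(line)
        received = s["center"].get("received", 0)
        queued = s["center"].get("queued", 0)
        reports.append({
            "received": received,
            "queued": queued,
            "unrouted_at_least": received - queued,
            "per_source": s["source"],
            "per_destination": s["destination"],
        })
    return reports

def unrouted_sources(report: dict) -> List[str]:
    """Sources that alone delivered more messages than syslog-ng queued in
    total: at least some of their messages matched no log {} statement."""
    return [src for src, n in report["per_source"].items() if n > report["queued"]]

if __name__ == "__main__":
    for r in routing_report(SAMPLE_LOG):
        print(f"received={r['received']} queued={r['queued']} "
              f"unrouted>={r['unrouted_at_least']} suspect={unrouted_sources(r)}")
```

Run it against the live /var/log/messages of a syslog-ng host to see, every stats interval, whether remote messages are actually being written anywhere before chasing the web front end.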
Do you see the logs being updated in /var/www/var/log? How about permissions? The permissions on some logs are strict. Code:
-rw-r----- 1 root wheel 375 Feb 5 16:51 authlog
-rw-r----- 1 root wheel 21514 Feb 5 18:01 daemon
-rw------- 1 root wheel 313248 Jan 30 12:40 failedlogin
-rw------- 1 root wheel 151 Feb 5 15:49 maillog
Well I did that more or less. However I now tried just doing httpd -u and still no luck.
I'm not clear if the issue is with syslog-ng not logging the data, or if the web interface is failing to capture the data. I don't mind running out of a chroot for now at least to get this working. However I suspect the problem is with the php web interface. When I run this script that came with it which is supposed to "send test syslogs" I get errors which are beyond me. Code:
Can't locate Net/MySQL.pm in @INC (@INC contains: /usr/libdata/perl5/i386-openbsd/5.10.0 /usr/local/libdata/perl5/i386-openbsd/5.10.0 /usr/libdata/perl5 /usr/local/libdata/perl5 /usr/local/libdata/perl5/site_perl/i386-openbsd /usr/libdata/perl5/site_perl/i386-openbsd /usr/local/libdata/perl5/site_perl /usr/libdata/perl5/site_perl .) at scripts/dbgen.pl line 22.
BEGIN failed--compilation aborted at scripts/dbgen.pl line 22.
Line 22: use Net::MySQL;
To confirm I am running MySQL. Code:
pkg_info | grep mysql
mysql-client-5.0.83 multithreaded SQL database (client)
mysql-server-5.0.83 multithreaded SQL database (server)
p5-DBD-mysql-4.010 MySQL drivers for the Perl DBI
php5-mysql-5.2.10 mysql database access extensions for php5
Any help would be appreciated. Thanks
Maybe you are taking too many steps at one time.
First get syslog-ng working and logging to normal files. Then coach it into logging to MySQL. And as a last step, get that PHP monitoring app working with Apache not chrooted. BTW the Perl p5-DBD modules also need the client side p5-DBI module. Do you have that one?
I believe I have the perl module: Code:
p5-DBI-1.607 unified perl interface for database access
IMHO you should be willing to spend some considerable time with the syslog-ng docs. I have never used syslog-ng myself. I just saw their FAQ and it contains a lot of pointers.
BTW your idea of using tcpdump to wiretap the incoming logs is a very good one. If you first refrain from using encrypted logs, you can even see what is being sent/arriving. I am afraid this is all the help I can give you at this moment.
Okay well thank you for your help. I will play around with it some more and see what happens.