DaemonForums  

#1  16th March 2009
da1 (Fdisk Soldier; Join Date: Feb 2009; Location: Berlin, DE; Posts: 49)

Freebsd 7.1-STABLE and dd-wrt v24 syslogd

Hell-o guyz.

Let me start off by saying that this little thing has been bugging me since forever.
So: we have a FreeBSD 7.1-STABLE box and a Linksys wrt54gl v1.1 with DD-WRT v24 (05/24/08) vpn.

Now.... on the router (services->services) I activated the "System Log" option and assigned my BSD box's IP (192.168.0.2). The router is 192.168.0.1. In Security->Firewall, the firewall is enabled and the "Log Management" also with "Log Level" set to "High" and all three options (Dropped, Rejected, Accepted) set to "High".

On the BSD box
rc.conf has
Code:
syslogd_enable="YES"
syslogd_flags="-d -a 192.168.0.1 -vv"
and /etc/syslogd.conf has
Code:
+192.168.0.1
*.*                                             /var/log/router.log
but, when I restart the syslogd daemon (/etc/rc.d/syslogd restart) with debug mode enabled I see:
Code:
cvthname(192.168.0.1)
validate: dgram from IP 192.168.0.1, port 2052, name router.ro;
rejected in rule 0 due to port mismatch.
Now, I have pf enabled; so I disable it. Nothing. No lines get echoed to router.log, nor does the error go away. So I try to redirect port 2052 to 514 with no effect. I'm guessing here... so the router is sending the logs to? 2052? Now that would be weird. So I do a tcpdump and I find this
Code:
tcpdump: listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
02:34:16.150587 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 283) router.2052 > localhost.syslog: SYSLOG, length: 255
        IP (tos 0x0, ttl 64, id 57754, offset 0, flags [none], proto UDP (17), length 283) router.2052 > localhost.syslog: [|syslog]
02:34:21.324575 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 283) router.2052 > localhost.syslog: SYSLOG, length: 255
02:34:24.086214 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 232) router.2052 > localhost.syslog: SYSLOG, length: 204
02:34:24.512873 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 229) router.2052 > localhost.syslog: SYSLOG, length: 201
02:34:26.511407 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 283) router.2052 > localhost.syslog: SYSLOG, length: 255
        IP (tos 0x0, ttl 64, id 30082, offset 0, flags [none], proto UDP (17), length 283) router.2052 > localhost.syslog: [|syslog]
So, in fact it sends logs from 2052 to my localhost syslogd. OK, fair enough. I also check the router's running processes and I find
Code:
11174     1 root     S     1832 13.8  0.0 /sbin/syslogd -R 192.168.0.2:514
so it appears that the router is configured OK. I'm guessing I misconfigured something on my BSD box, or the router, but I can't figure out exactly what.

Any idea is welcome.

Last edited by da1; 16th March 2009 at 12:47 AM.
#2  16th March 2009
da1 (Fdisk Soldier)

Right; so: I've been doing some testing with a Solaris 10 box and the results are the same.
Code:
cvthname(192.168.0.6)
validate: dgram from IP 192.168.0.6, port 32778, name solaris.ro;
rejected in rule 0 due to port mismatch.
The Solaris box is 192.168.0.6. Did the "+solaris" in FreeBSD's syslogd.conf and added "192.168.0.6 solaris" to FreeBSD's /etc/hosts. All this just to get that error I posted previously. So, I'm kinda sure it's a misconfiguration of the BSD box. Will look into it more.

BTW I see syslogd appends a ".ro" to the hostname it prints out. Instead of solaris it's solaris.ro; same with router (it's replaced with router.ro). At this point it's strange, but I admit I know not much of this so maybe I'm wrong.

LE: Solaris's syslogd has "user.err @loghost" and "loghost" is 192.168.0.2 in Solaris's /etc/hosts.

Last edited by da1; 16th March 2009 at 01:53 AM.
#3  16th March 2009
ddekok (Port Guard; Join Date: May 2008; Posts: 38)

Reading over syslogd(8), the -a option allows for a service to be specified in addition to the host (using :<service> or :*).

Also, the dotted-quad address you provided may require a net mask length.

So you should have something like
Code:
syslogd_flags="-d -a 192.168.0.1/24:* -vv"
Note that I have tried this under FreeBSD 6.4 without success (I suspect it was my Linksys SPA-1001 not logging anything, as nc(1) didn't get anything either).

Last edited by ddekok; 16th March 2009 at 02:16 AM.
#4  16th March 2009
J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,125)

Did you create the /var/log/router.log file?
Syslogd only logs to an existing file, it does not create this file unless you use the -C option.

According to syslogd(8) your -a 192.168.0.1 option actually is -a 192.168.0.1/16:514. Is that /16 netmask correct for your setup?

RE: tcpdump
You can use the -n flag to disable name lookups, and -s0 to see the complete data. -vv also helps.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#5  16th March 2009
da1 (Fdisk Soldier)

Quote (Originally posted by ddekok):
So you should have something like
Code:
syslogd_flags="-d -a 192.168.0.1/24:* -vv"
Yup, that works but logs everything into /var/log/messages.

Quote (Originally posted by J65nko):
Did you create the /var/log/router.log file?
Syslogd only logs to an existing file, it does not create this file unless you use the -C option.
Yup, the file was created way before changes were made. Lucky man command.

Quote:
According to syslogd(8) your -a 192.168.0.1 option actually is -a 192.168.0.1/16:514. Is that /16 netmask correct for your setup?
Actually /24 (255.255.255.0) is correct for my netmask but this doesn't work. I see that no matter what /16, /24 or /32 I use the results are the same; logging does not work, and I keep getting that "port mismatch" error. This only applies if I use :514. If I use :* all is OK no matter the netmask.


Quote:
RE: tcpdump
You can use the -n flag to disable name lookups, and the -s0 to see the complete data. -vv also helps
I like poking my eyes at everything and then eliminating the bad and using the good; but thx for the heads-up.


So.. recap:

If I use in rc.conf of my BSD box -d -a 192.168.0.1/whatever:* -vv (tried /16 /24 /32, results are the same) logging works but logs to /var/log/messages and the "port mismatch" error is replaced by a very nice looking, I might add, output of
Code:
cvthname(192.168.0.1)
validate: dgram from IP 192.168.0.1, port 2052, name router.ro;
accepted in rule 0. <----

LE: one of my mistakes was that I read the wrong manual for syslogd. Dunno why I used Google to search for the manual and ended up with a faulty one that did not have the /:* mentioned at all. I mean, I dunno why I didn't use FreeBSD's manual (command line or web).

Last edited by da1; 16th March 2009 at 03:03 AM.
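An added illustration (example code written for this thread, not code from FreeBSD or from any poster) of the -a allowed_peer check that ddekok and J65nko describe and that da1's debug output shows. In this model the datagram's source address must lie inside ipaddr/masklen, and unless the service is `*` the datagram's source port must equal the service port (514, the syslog service, when omitted), which is why the router's packets from source port 2052 end up "rejected in rule 0 due to port mismatch" while `:*` accepts them. Two things are assumptions rather than facts from the thread: the mask length applied to a bare address differs between syslogd versions, so it is a parameter here (the demo passes 16, J65nko's reading of the man page), and a numeric port such as `:2052` is assumed to be accepted as a service. The `validate` function and its return tuple are this example's own invention.

```python
"""Simulate the FreeBSD syslogd(8) -a allowed_peer check on one UDP datagram.

Example code for this thread, not syslogd's own.  It models the
ipaddr[/masklen][:service] form: the datagram's source address must lie
inside the network and, unless service is '*', its SOURCE port must equal the
service port (514, the syslog service, when omitted).  The mask length used
for a bare address is version-dependent, so it is a parameter (assumption)."""
import ipaddress

SYSLOG_PORT = 514


def parse_allowed_peer(spec, default_masklen=32):
    """Turn one -a argument into (network, port); port None stands for ':*'."""
    host_part, _, service = spec.partition(":")
    addr, _, masklen = host_part.partition("/")
    network = ipaddress.ip_network(f"{addr}/{masklen or default_masklen}", strict=False)
    if service == "":
        port = SYSLOG_PORT          # no :service means the syslog port
    elif service == "*":
        port = None                 # any source port
    else:
        port = int(service)         # assumption: a numeric port is accepted as the service
    return network, port


def validate(peers, src_ip, src_port):
    """Mimic the 'validate: dgram from IP ..., port ...' decision.

    Rules are tried in -a order: an address mismatch moves on to the next
    rule, while a port mismatch on a matching address rejects the datagram,
    as the 'rejected in rule 0 due to port mismatch' line in the thread shows."""
    ip = ipaddress.ip_address(src_ip)
    for i, (network, port) in enumerate(peers):
        if ip not in network:
            continue
        if port is not None and port != src_port:
            return False, i, "port mismatch"
        return True, i, "accepted"
    return False, None, "no matching -a rule"


if __name__ == "__main__":
    # The router sends from source port 2052, as the tcpdump in the thread shows.
    src = ("192.168.0.1", 2052)
    for spec in ("192.168.0.1", "192.168.0.1/24:514", "192.168.0.1/24:*", "192.168.0.1/24:2052"):
        peers = [parse_allowed_peer(spec, default_masklen=16)]  # /16: J65nko's reading of syslogd(8)
        print(f"-a {spec:<22} from {src[0]}:{src[1]} -> {validate(peers, *src)}")
```

Pinning the port the router actually uses (`:2052`) is narrower than `:*`, but either way this check only filters on the UDP source address and port of an unauthenticated datagram; the pf ruleset on the BSD box should restrict the same traffic independently.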
#6  16th March 2009
J65nko (Administrator)

I actually meant the tcpdump -vv option. Use tcpdump with the options I recommended to view the actual syslog messages.

Have you seen http://bsd.dischaos.com/2009/02/25/l...reebsd-syslog/ ?
#7  16th March 2009
da1 (Fdisk Soldier)

Quote (Originally posted by J65nko):
Have you seen http://bsd.dischaos.com/2009/02/25/l...reebsd-syslog/ ?
No, I haven't. Thx for the link.

Now, after reading the link I added an extra "-n" option to my rc.conf (although it is not required). Still, no changes. Logging works but it logs to /var/log/messages. Will look harder into it.

Here is the last output (after I added the "-n" option):
Code:
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/router.log (ppp)
logmsg: pri 56, flags 4, from da1, msg syslogd: restart
syslogd: restarted
logmsg: pri 6, flags 4, from da1, msg syslogd: kernel boot file is /boot/kernel/kernel
Logging to FILE /var/log/messages
syslogd: kernel boot file is /boot/kernel/kernel
logmsg: pri 166, flags 17, from da1, msg Mar 16 05:32:40 <syslog.err> da1 syslogd: exiting on signal 2
cvthname(192.168.0.1)
validate: dgram from IP 192.168.0.1, port 2052, name 192.168.0.1;
accepted in rule 0.
logmsg: pri 14, flags 0, from 192.168.0.1, msg Mar 16 04:39:14 kernel: DROP IN=ppp0 OUT= MAC= SRC=222.58.96.73 DST=79.113.14.176 LEN=126 TOS=0x04 PREC=0x00 TTL=44 ID=18776 PROTO=UDP SPT=32610 DPT=52037 LEN=106
Logging to FILE /var/log/messages
cvthname(192.168.0.1)
validate: dgram from IP 192.168.0.1, port 2052, name 192.168.0.1;
accepted in rule 0.
logmsg: pri 14, flags 0, from 192.168.0.1, msg Mar 16 04:39:15 kernel: DROP IN=ppp0 OUT= MAC= SRC=79.173.193.164 DST=79.113.14.176 LEN=44 TOS=0x04 PREC=0x00 TTL=109 ID=64153 PROTO=UDP SPT=58158 DPT=1513 LEN=24
Logging to FILE /var/log/messages
cvthname(192.168.0.1)
validate: dgram from IP 192.168.0.1, port 2052, name 192.168.0.1;
accepted in rule 0.
logmsg: pri 14, flags 0, from 192.168.0.1, msg Mar 16 04:39:16 kernel: DROP IN=ppp0 OUT= MAC= SRC=60.15.177.166 DST=79.113.14.176 LEN=622 TOS=0x04 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=34796 DPT=1026 LEN=602
Logging to FILE /var/log/messages
^Csyslogd: exiting on signal 2
syslogd: exiting on signal 2
logmsg: pri 53, flags 4, from da1, msg syslogd: exiting on signal 2
Logging to CONSOLE /dev/console
Logging to FILE /var/log/messages


LE: Here's my syslogd.conf file. I can't spot any mistakes, can you?
Code:
# $FreeBSD: src/etc/syslog.conf,v 1.28.18.1 2008/11/25 02:59:29 kensmith Exp $
#
#       Spaces ARE valid field separators in this file. However,
#       other *nix-like systems still insist on using tabs as field
#       separators. If you are sharing this file between systems, you
#       may want to use only tabs as field separators here.
#       Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit                /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
ftp.info                                        /var/log/xferlog
cron.*                                          /var/log/cron
*.=debug                                        /var/log/debug.log
*.emerg                                         *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info                                   /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*                                            /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                                            @loghost
# uncomment these if you're running inn
# news.crit                                     /var/log/news/news.crit
# news.err                                      /var/log/news/news.err
# news.notice                                   /var/log/news/news.notice
!startslip
*.*                                             /var/log/slip.log
!ppp
*.*                                             /var/log/ppp.log
+192.168.0.1
*.*                                             /var/log/router.log
+*
LE2: hmm, here's a thing I noticed. The line in syslogd.conf that tells the daemon what to log into messages has a "kern.debug" option to it. Makes sense now why it logs to messages; the BSD box considers the actual lines logs coming from the kernel of the router. Darn, I wish I could specify a "quick" option.

Last edited by da1; 16th March 2009 at 03:49 AM.
#8  16th March 2009
da1 (Fdisk Soldier)

OK, sorted the problem... well, half of it anyway. So in fact syslog acts something like pf but in reverse. The first rule wins (but unfortunately so does the second, I see). I moved the
Code:
+192.168.0.1
*.*                                             /var/log/router.log
+*
lines to the very top of the file and now it logs to the router.log file. Unfortunately it also logs to messages. A workaround would be to remove the "kernel.debug" option from the /var/log/messages line in syslogd.conf, but afterwards it would come back at me and bite me in the ...... excuse me....... as no more kernel errors would be logged.
#9  16th March 2009
BSDfan666 (Real Name: N/A, this is the interweb.; Banned; Join Date: Apr 2008; Location: Ontario, Canada; Posts: 2,223)

I think I found the solution to your problem..

http://unix.derkeiler.com/Mailing-Li.../msg00384.html
#10  16th March 2009
da1 (Fdisk Soldier)

Quote (Originally posted by BSDfan666):
I think I found the solution to your problem..

http://unix.derkeiler.com/Mailing-Li.../msg00384.html
Thx for the link, but unfortunately that didn't solve my problem.
Something else in fact did. The syslogd.conf file states
Code:
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
Now, removing the first option "*.notice" from the file on my BSD box and restarting the syslogd daemon actually helps a lot (the system stops double-logging), but also comes with a problem. While in fact removing that option makes syslogd log to the "router.log" file, it does not log any notices of the system to the "messages" file. Now, to be honest, I can't really tell which option logs what, from where, and other stuff, because I simply do not know, so until now, removing that option seems to fix the problem, but I will need some time to read some things in order to get my head straight and see in fact what it is that I have actually removed.

Until then, thx to all for your support.
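An added simulation (example code written for this thread, not syslogd's own) of how FreeBSD syslogd walks syslog.conf(5) for a single message, covering the subset of the syntax in da1's posted file: `facility.level` selectors joined by `;`, `*` for any facility or level, `=` for an exact level, `none`, `+host`/`+*` host blocks and `!prog`/`!*` program blocks. It makes two things visible. First, every matching rule fires; there is no first-match or "quick", which is why post #8 saw the same line land in both router.log and messages. Second, a `!prog` block stays in force across a `+host` line until a `!*` resets it, so in the file as posted (router block placed after `!ppp`) the router.log rule was also restricted to program `ppp`, which is what the `X FILE: /var/log/router.log (ppp)` line in the debug dump in post #7 shows; moving the block to the top of the file, as post #8 did, drops that restriction. The sample messages are constructed: the router line is modelled as kern.info from host 192.168.0.1 and program `kernel` (the case the `kern.debug` term of the messages line catches, as post #7's LE2 describes), and `decode_pri` shows what a real `pri` value from the debug output decodes to (14 is user.info). The three config variants are trimmed from the posted file.

```python
"""Simulate which syslog.conf(5) rules a message hits on FreeBSD syslogd.

Example code for this thread, not syslogd's own.  It covers the subset of the
syntax in the posted file: 'facility[,facility].level' selectors joined by
';', '*' for any facility or level, '=' for an exact level, 'none',
'+host' / '+*' host blocks and '!prog' / '!*' program blocks.  Every matching
rule fires; there is no first-match or 'quick'."""

# Facility and level numbers as in <sys/syslog.h> (FreeBSD adds security/console).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "ntp": 12, "security": 13, "console": 14,
              **{f"local{i}": 16 + i for i in range(8)}}
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}


def decode_pri(pri):
    """Split the number behind 'logmsg: pri N' into (facility, level) names."""
    fac = {v: k for k, v in FACILITIES.items()}.get(pri >> 3, f"facility{pri >> 3}")
    return fac, {v: k for k, v in LEVELS.items()}[pri & 7]


def parse_selector(selector):
    """facility number -> ('=', level) | ('<=', level) | None for 'none'.
    Later parts override earlier ones for the same facility, as syslogd does."""
    mask = {}
    for part in selector.split(";"):
        facs, _, level = part.rpartition(".")
        exact = level.startswith("=")
        level = level.lstrip("=")
        nums = FACILITIES.values() if facs == "*" else [FACILITIES[f] for f in facs.split(",")]
        for f in nums:
            if level == "none":
                mask[f] = None
            elif level == "*":
                mask[f] = ("<=", LEVELS["debug"])
            else:
                mask[f] = ("=" if exact else "<=", LEVELS[level])
    return mask


def parse_conf(text):
    """Return [(host, prog, mask, action)]; host/prog None means 'any'."""
    rules, host, prog = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("+"):            # host block; '+*' resets
            host = None if line[1:] == "*" else line[1:]
        elif line.startswith("!"):          # program block; '!*' resets
            prog = None if line[1:] == "*" else line[1:]
        else:                               # both blocks stay in force for this rule
            selector, action = line.split(None, 1)
            rules.append((host, prog, parse_selector(selector), action))
    return rules


def matches(rule, host, prog, facility, level):
    rule_host, rule_prog, mask, _ = rule
    if rule_host is not None and rule_host != host:
        return False
    if rule_prog is not None and rule_prog != prog:
        return False
    entry = mask.get(FACILITIES[facility])
    if entry is None:
        return False
    op, ref = entry
    lvl = LEVELS[level]                     # lower number = more severe
    return lvl == ref if op == "=" else lvl <= ref


def destinations(conf, host, prog, facility, level):
    """Every action whose rule matches, in file order (all of them fire)."""
    return [r[3] for r in parse_conf(conf) if matches(r, host, prog, facility, level)]


MESSAGES = "*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err\t/var/log/messages"
ROUTER_BLOCK = "+192.168.0.1\n*.*\t/var/log/router.log\n+*"
# Constructed variants trimmed from the posted syslog.conf.
CONF_AS_POSTED = f"{MESSAGES}\n!ppp\n*.*\t/var/log/ppp.log\n{ROUTER_BLOCK}"     # block after !ppp
CONF_BLOCK_FIRST = f"{ROUTER_BLOCK}\n{MESSAGES}\n!ppp\n*.*\t/var/log/ppp.log"   # post #8's move
CONF_NO_KERN_DEBUG = f"{ROUTER_BLOCK}\n{MESSAGES.replace('kern.debug;', '')}"   # post #8's workaround

if __name__ == "__main__":
    # Constructed router line: kern.info from host 192.168.0.1, program "kernel".
    for name, conf in [("as posted", CONF_AS_POSTED), ("block first", CONF_BLOCK_FIRST),
                       ("no kern.debug", CONF_NO_KERN_DEBUG)]:
        print(name, "router kern.info ->", destinations(conf, "192.168.0.1", "kernel", "kern", "info"))
        print(name, "local  kern.info ->", destinations(conf, "da1", "kernel", "kern", "info"))
    print("pri 14 decodes to", decode_pri(14))
```

Running it shows the trade-off post #8 describes: with `kern.debug` removed from the messages line the router's line reaches only router.log, but the local box's own kern.info lines no longer reach messages at all (kern.err and above still do through `*.notice`). Checking the real `pri` of a received line with `decode_pri` before editing selectors tells you which term of the messages line is actually matching it.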