DaemonForums  

Syslog-ng Monitor

#1 plexter, 5th February 2010

Hi all,

I am wondering if anyone can assist with getting syslog-ng working (or verifying that it is) the way I want it to.

Basically I'm running Syslog-ng with hopes of capturing all syslog info sent to the machine and to act as a central syslog monitor.

I'm using the "sample" config for syslog-ng from OpenBSD and running on OpenBSD 4.6 with PF disabled (at least for now).

I'm running "php-syslog-ng" which is supposed to be a web interface for syslog-ng allowing you to see all the logs.

http://code.google.com/p/php-syslog-ng/

Right now it appears that syslog-ng starts up fine but I do not see anything show up on the web interface.

I would first like to start by verifying that Syslog-ng is in fact accepting incoming syslogs and working properly.

If anyone has any thoughts on this or getting my system running properly that would be awesome.
#2 J65nko (Administrator), 5th February 2010

If you use the built-in Apache server of OpenBSD, please remember that it runs chrooted by default and thus has no way to look at any logs in /var/log.

Read the OpenBSD FAQ about the chrooted Apache for more info.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3 plexter, 5th February 2010

You're right, I had forgotten about chroot. I created a symbolic link from /var/log to /var/www/var/log but I still don't see anything show up on the web interface.

If I do tcpdump I see syslogs coming in.
Code:
07:11:43.675476 externalhost.syslog > thelocalhost.syslog: udp 155
07:11:43.677915 externalhost.syslog > thelocalhost.syslog: udp 135
07:11:43.679250 externalhost.syslog > thelocalhost.syslog: udp 131
07:11:43.687156 externalhost.syslog > thelocalhost.syslog: udp 128
I also noticed in /var/log/messages or /var/www/var/log/messages that I do see the following:

Code:
Feb  5 05:50:12 thelocalhost syslog-ng[5148]: syslog-ng starting up; version='2.1.4'
Feb  5 06:00:12 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=4', processed='center(received)=33183', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=1', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=1', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=1', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=1', processed='source(net)=33182', processed='source(src)=1'
Feb  5 06:10:12 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=8', processed='center(received)=69333', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=2', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=2', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=2', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=2', processed='source(net)=69331', processed='source(src)=2'
Feb  5 06:20:12 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=12', processed='center(received)=102940', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=3', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=3', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=3', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=3', processed='source(net)=102937', processed='source(src)=3'
Feb  5 06:30:12 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=16', processed='center(received)=139291', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=4', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=4', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=4', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=4', processed='source(net)=139287', processed='source(src)=4'
Feb  5 06:40:12 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=20', processed='center(received)=178111', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=5', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=5', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=5', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=5', processed='source(net)=178106', processed='source(src)=5'
Feb  5 06:50:13 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=24', processed='center(received)=219051', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=6', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=6', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=6', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=6', processed='source(net)=219045', processed='source(src)=6'
Feb  5 07:00:13 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=28', processed='center(received)=257055', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=7', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=7', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=7', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=7', processed='source(net)=257048', processed='source(src)=7'
Feb  5 07:10:13 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=32', processed='center(received)=299926', processed='destination(newsnotice)=0', processed='destination(console)=0', processed='destination(debug)=8', processed='destination(mailinfo)=0', processed='destination(mail)=0', processed='destination(user)=0', processed='destination(newserr)=0', processed='destination(newscrit)=0', processed='destination(uucp)=0', processed='destination(messages)=8', processed='destination(mailwarn)=0', processed='destination(ppp)=0', processed='destination(lpr)=0', processed='destination(cron)=0', processed='destination(syslog)=8', processed='destination(authlog)=0', processed='destination(mailerr)=0', processed='destination(kern)=0', processed='destination(daemon)=0', processed='destination(xconsole)=0', processed='destination(console_all)=8', processed='source(net)=299918', processed='source(src)=8'

Thoughts?

Thanks for your quick reply.

Last edited by plexter; 5th February 2010 at 05:01 PM. Reason: added log messages
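A way to read the "Log statistics" lines posted above, added here as an example and not part of the thread: the counters are cumulative since start-up, so the difference between two consecutive lines is what happened in that 10-minute window, and in the posted data source(net) grows by tens of thousands while every destination(...) counter grows by at most one, which suggests syslog-ng is receiving the UDP traffic but no log path routes it to a file. The sample lines are copied from the post and trimmed to the relevant counters.

```python
import re
from typing import Dict, List

# Constructed sample: the first two statistics lines from the post, trimmed to
# the counters that matter (values are the ones posted).
SAMPLE_LOG = """\
Feb  5 06:00:12 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=4', processed='center(received)=33183', processed='destination(messages)=1', processed='destination(syslog)=1', processed='destination(console_all)=1', processed='destination(debug)=1', processed='source(net)=33182', processed='source(src)=1'
Feb  5 06:10:12 thelocalhost syslog-ng[5148]: Log statistics; processed='center(queued)=8', processed='center(received)=69333', processed='destination(messages)=2', processed='destination(syslog)=2', processed='destination(console_all)=2', processed='destination(debug)=2', processed='source(net)=69331', processed='source(src)=2'
"""

# One counter looks like: processed='destination(messages)=1'
COUNTER_RE = re.compile(r"processed='(\w+)\(([^)]+)\)=(\d+)'")


def parse_stats_line(line: str) -> Dict[str, int]:
    """Return {'source(net)': 33182, ...} for one syslog-ng 2.x 'Log statistics' line."""
    return {f"{kind}({name})": int(value)
            for kind, name, value in COUNTER_RE.findall(line)}


def diagnose(lines: List[str]) -> Dict[str, int]:
    """Per-interval deltas between the last two statistics snapshots."""
    snaps = [parse_stats_line(l) for l in lines if "Log statistics" in l]
    if len(snaps) < 2:
        raise ValueError("need at least two statistics lines")
    prev, cur = snaps[-2], snaps[-1]
    return {k: cur[k] - prev.get(k, 0) for k in cur}


def net_messages_dropped(delta: Dict[str, int]) -> int:
    """Network messages received minus messages written to any destination.

    A large positive number means the UDP traffic seen in tcpdump is accepted
    by syslog-ng but not routed anywhere by a log{} statement.
    """
    received = delta.get("source(net)", 0)
    written = sum(v for k, v in delta.items() if k.startswith("destination("))
    return received - written


if __name__ == "__main__":
    d = diagnose(SAMPLE_LOG.splitlines())
    print(f"source(net) delta: {d['source(net)']}, "
          f"unrouted: {net_messages_dropped(d)}")
```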
#4 J65nko (Administrator), 5th February 2010

Quote:
I created a symbolic link from /var/log to /var/www/var/log
This means that you did something like this, doesn't it?
  1. copied/moved the complete original "/var/log" directory to "/var/www/var/log".
  2. stopped all logging daemons
  3. rm /var/log/*
  4. rmdir /var/log
  5. ln -s /var/www/var/log /var/log
  6. restarted all logging daemons

Do you see the logs being updated in /var/www/var/log ?

How about permissions? The permissions on some logs are strict:
Code:
-rw-r-----  1 root  wheel      375 Feb  5 16:51 authlog
-rw-r-----  1 root  wheel    21514 Feb  5 18:01 daemon
-rw-------  1 root  wheel   313248 Jan 30 12:40 failedlogin
-rw-------  1 root  wheel      151 Feb  5 15:49 maillog
#5 plexter, 5th February 2010

Well I did that more or less. However I now tried just doing httpd -u and still no luck.

I'm not clear if the issue is with syslog-ng not logging the data, or if the web interface is failing to capture the data.

I don't mind running out of a chroot for now at least to get this working.

However I suspect the problem is with the php web interface. When I run this script that came with it which is supposed to "send test syslogs" I get errors which are beyond me.

Code:
Can't locate Net/MySQL.pm in @INC (@INC contains: /usr/libdata/perl5/i386-openbsd/5.10.0 /usr/local/libdata/perl5/i386-openbsd/5.10.0 /usr/libdata/perl5 /usr/local/libdata/perl5 /usr/local/libdata/perl5/site_perl/i386-openbsd /usr/libdata/perl5/site_perl/i386-openbsd /usr/local/libdata/perl5/site_perl /usr/libdata/perl5/site_perl .) at scripts/dbgen.pl line 22.
BEGIN failed--compilation aborted at scripts/dbgen.pl line 22.
Note: "MySQL.pm" is also located in the same folder which came with the script

Line 22: use Net::MySQL;

To confirm I am running MySQL:
Code:
pkg_info | grep mysql
mysql-client-5.0.83 multithreaded SQL database (client)
mysql-server-5.0.83 multithreaded SQL database (server)
p5-DBD-mysql-4.010  MySQL drivers for the Perl DBI
php5-mysql-5.2.10   mysql database access extensions for php5

Any help would be appreciated.
Thanks
#6 J65nko (Administrator), 5th February 2010

Maybe you are taking too many steps at one time.

First get syslog-ng working and logging to normal files. Then coach it into logging to MySQL. And last, get that PHP monitoring app working with Apache not chrooted.

BTW the Perl p5-DBD modules also need the client side p5-DBI module. Do you have that one?
#7 plexter, 5th February 2010

Quote:
First get syslog-ng working and logging to normal files.
I'm still confused as to how I can verify this. :P

I believe I have the perl module:

Code:
p5-DBI-1.607        unified perl interface for database access
Thanks!
#8 J65nko (Administrator), 5th February 2010

IMHO you should be willing to spend some considerable time with the syslog-ng docs. I never have used syslog-ng myself. I just saw their FAQ and it contains a lot of pointers.

BTW, your idea of using tcpdump to wiretap the incoming logs is a very good one. If you first refrain from using encrypted logs, you can even see what is being sent/arriving.

I am afraid this is all the help I can give you at this moment.
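An end-to-end check for "is syslog-ng actually logging to a normal file", complementing the tcpdump view, added here as an example and not something posted in the thread: send a syslog datagram carrying a unique marker to the collector, then look for that marker in the destination file. The collector address 127.0.0.1 and the file /var/log/messages are assumptions; the PRI encoding (facility * 8 + severity) follows RFC 3164.

```python
import socket
import time
from pathlib import Path
from typing import Optional


def build_syslog_message(facility: int, severity: int, host: str, tag: str,
                         text: str, timestamp: Optional[str] = None) -> bytes:
    """Build a BSD-style (RFC 3164) datagram: <PRI>TIMESTAMP HOST TAG: text.

    PRI is facility * 8 + severity, so user.info (1, 6) gives <14>.
    """
    pri = facility * 8 + severity
    ts = timestamp or time.strftime("%b %e %H:%M:%S")  # e.g. 'Feb  5 07:11:43'
    return f"<{pri}>{ts} {host} {tag}: {text}".encode("ascii", "replace")


def send_udp(msg: bytes, collector: str, port: int = 514) -> int:
    """Send one datagram to the collector's syslog port; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(msg, (collector, port))


def marker_logged(logfile: Path, marker: str, timeout: float = 5.0) -> bool:
    """Poll the destination file until the marker appears or the timeout passes."""
    deadline = time.monotonic() + timeout
    while True:
        if logfile.exists() and marker in logfile.read_text(errors="replace"):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(0.2)


if __name__ == "__main__":
    # Assumptions (not from the thread): syslog-ng listens on UDP/514 on this
    # host and its log{} path routes the net source into /var/log/messages.
    marker = f"syslogng-selftest-{int(time.time())}"
    send_udp(build_syslog_message(1, 6, "selftest-host", "selftest", marker), "127.0.0.1")
    if marker_logged(Path("/var/log/messages"), marker):
        print("received and written to file")
    else:
        print("marker not found: check the log{} path for the net source, or file permissions")
```

If tcpdump shows the datagram arriving but the marker never reaches the file, the problem is inside the syslog-ng configuration rather than on the network.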
#9 plexter, 5th February 2010

Okay well thank you for your help. I will play around with it some more and see what happens.