DaemonForums  

#1 plepps, 12th January 2024
old OpenBSD: unable to send to remote syslog server

Hello,

It is not possible for me to send system messages to a remote syslog
server from my old OpenBSD 5.7. I know the system is old and outdated,
but there are certain reasons not to update it. Apart from that, the
system is in an isolated environment.
The same configuration works without any problems on a newer system
6.8 and higher. Syslogd starts without any problems. Local logging
works fine. Nothing is blocked by pf. It affects multiple 5.7 systems.

Are there any additional steps on the older systems other than
configuring in /etc/syslog.conf + pf.conf to make it work?

Code:
uname -an
OpenBSD bln-int-fw2.bfv.local 5.7 GENERIC.MP#881 amd64

/etc/syslog.conf:

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info                             /var/log/messages
auth.info                                               /var/log/authlog
authpriv.debug                                          /var/log/secure
cron.info                                               /var/cron/log
daemon.info                                             /var/log/daemon
ftp.info                                                /var/log/xferlog
lpr.debug                                               /var/log/lpd-errs
mail.info                                               /var/log/maillog
*.emerg                                                 *

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none        @192.168.233.1
auth,daemon,syslog,user.info;authpriv,kern.debug               @192.168.233.1

Any advice is very welcome.

regards
Tim

Last edited by J65nko; 16th January 2024 at 12:58 AM. Reason: [code] and [/code] tags added
#2 jggimi, 12th January 2024

Welcome back! The syslog facility has had numerous changes since 5.7. And in almost every release since 5.8, they've been significant enough to be included in release announcements. I'll assume one of those many changes impacts your environment.


I recommend tcpdump(8). See if the correct syslog UDP packets are being issued by your 5.7 systems, and follow them through your network to see if they are being correctly received at the destination syslogd(8) server.
#3 plepps, 15th January 2024

Quote:
Originally Posted by jggimi
I recommend tcpdump(8). See if the correct syslog UDP packets are being issued by your 5.7 systems, and follow them through your network to see if they are being correctly received at the destination syslogd(8) server.

I've already tried tcpdump; there's absolutely nothing to see on port 514, neither on the loopback nor on the LAN interface.
It seems as if the syslogd is not sending anything out.

It's not a new feature, it's been around for a long time. I also disabled pf, unfortunately without success.
#4 jggimi, 15th January 2024

I've just tested a 5.7-release system, and can duplicate the problem. It does not log to the @loghost. Unfortunately, I cannot tell you why.
#5 plepps, 15th January 2024

Quote:
Originally Posted by jggimi
I've just tested a 5.7-release system, and can duplicate the problem. It does not log to the @loghost. Unfortunately, I cannot tell you why.

Great that you could confirm this issue - so I'm not the "problem". It's a strange thing. I couldn't find any further information about the issue in the errata or anywhere else.

#6 jggimi, 15th January 2024

You could pull down the 5.7 source from CVS and scatter printf(3) calls to debug the problem, or perhaps traverse the various /usr/src/usr.sbin/syslogd commits that have been logged since May 2015.

Unfortunately, the Project doesn't support anything older than the most recent two releases. I had to reach a server in Oslo just to find a copy of 5.7 to replicate the problem.
#7 J65nko, 16th January 2024

Code:
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none        @192.168.233.1
Is there an ARP entry for that address?
Code:
$  doas arp -an
Host                                 Ethernet Address    Netif Expire    Flags
192.168.222.33                       00:0d:b9:2a:bf:e1    bge0 12m38s    
192.168.222.241                      a0:1d:48:97:5b:74    bge0 permanent l
I wonder whether the 5.7 system does a reverse DNS lookup of the 192.168.233.1 address that fails. You can check that with tcpdump on port 53:
Code:
$ doas tcpdump -vv -eni  bge0 'port 53'
Do those log lines actually do something? You can test with
Code:
# *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none        @192.168.233.1
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none        /var/log/external1

# auth,daemon,syslog,user.info;authpriv,kern.debug               @192.168.233.1
auth,daemon,syslog,user.info;authpriv,kern.debug               /var/log/external2
Before restarting syslogd create those files:
Code:
$ doas touch /var/log/external1
$ doas touch /var/log/external2
Actually I would do this test first, but I am not gonna reorder my post.
The reason is that I had some problems with syslog.conf too. See https://daemonforums.org/showthread.php?t=11762

BTW a long-standing bug in crontab files caused the last line not to be parsed when it was not terminated with a newline. Yes, I see that you have two lines in syslog.conf, but in weird situations like this, I always add an extra line ......
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#8 plepps, 16th January 2024

I've got it - the logserver entry must be separated by one or more tabs.
#9 J65nko, 16th January 2024

Sorry, I forgot to mention that in some config files tabs are required. Glad you managed to figure it out.
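
The fix from post #8 as a pre-restart check, added here as an example that is not part of the thread: it flags syslog.conf rules whose selector and action are not separated by tabs, and the missing final newline mentioned in post #7. The function name `check_syslog_conf` and the sample rules are constructed; the tab requirement is taken from the thread, not verified against the 5.7 source.

```shell
#!/bin/sh
# check_syslog_conf FILE (hypothetical helper, not an OpenBSD tool)
# Prints one line per problem and returns 1 if any problem was found.
check_syslog_conf() {
    file=$1
    rc=0
    awk '
        /^[ \t]*#/ { next }    # comment
        /^[ \t]*$/ { next }    # blank line
        /^[ \t]*!/ { next }    # program block tag such as !prog
        # A rule is: selector, one or more tabs, action. A space in the
        # separator is reported (strict reading of the fix in post #8).
        !/^[ \t]*[^ \t]+\t+[^ \t]/ {
            printf "%s:%d: selector and action not separated by tabs\n", FILENAME, NR
            bad = 1
        }
        END { exit bad }
    ' "$file" || rc=1
    # Post #7 pitfall: a last line without a terminating newline.
    if [ -n "$(tail -c 1 "$file")" ]; then
        echo "$file: last line is not terminated by a newline"
        rc=1
    fi
    return $rc
}

# Constructed sample: the first rule uses spaces as in post #1, the second a tab.
sample=$(mktemp)
printf '*.notice;auth.none        @192.168.233.1\n' >  "$sample"
printf 'auth,daemon.info\t@192.168.233.1\n'        >> "$sample"
check_syslog_conf "$sample" || echo "fix the reported lines, then restart syslogd"
rm -f "$sample"
```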