old OpenBSD: unable to send to remote syslog server

[plepps]

Hello,

It is not possible for me to send system messages to a remote syslog
server from my old OpenBSD 5.7. I know the system is old and outdated,
but there are certain reasons not to update it. Apart from that, the
system is in an isolated environment.
The same configuration works without any problems on a newer system
6.8 and higher. Syslogd starts without any problems. Local logging
works fine. Nothing is blocked by pf. It affects multiple 5.7 systems.

Are there any additional steps on the older systems other than
configuring in /etc/syslog.conf + pf.conf to make it work?

Code:

uname -an
OpenBSD bln-int-fw2.bfv.local 5.7 GENERIC.MP#881 amd64

/etc/syslog.conf:

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info                             /var/log/messages
auth.info                                               /var/log/authlog
authpriv.debug                                          /var/log/secure
cron.info                                               /var/cron/log
daemon.info                                             /var/log/daemon
ftp.info                                                /var/log/xferlog
lpr.debug                                               /var/log/lpd-errs
mail.info                                               /var/log/maillog
*.emerg                                                 *

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none        @192.168.233.1
auth,daemon,syslog,user.info;authpriv,kern.debug               @192.168.233.1

Any advice is very welcome.

regards
Tim

[jggimi]

Welcome back! The syslog facility has had numerous changes since 5.7. And in almost every release since 5.8, they've been significant enough to be included in release announcements. I'll assume one of those many changes impacts your environment.


I recommend tcpdump(8). See if the correct syslog UDP packets are being issued by your 5.7 systems, and follow them through your network to see if they are being correctly received at the destination syslogd(8) server.

[plepps]

Quote:

Originally Posted by jggimi

I recommend tcpdump(8). See if the correct syslog UDP packets are being issued by your 5.7 systems, and follow them through your network to see if they are being correctly received at the destination syslogd(8) server.

I've already tried tcpdump, there's absolutely nothing to see on the 514. neither on the loopback nor on the LAN interface.
It seems as if the syslogd is not sending anything out.

It's not a new feature, it's been around for a long time. I also disabled pf, unfortunately without success.

[jggimi]

I've just tested a 5.7-release system, and can duplicate the problem. It does not log to the @loghost. Unfortunately, I cannot tell you why.

[plepps]

Quote:

Originally Posted by jggimi

I've just tested a 5.7-release system, and can duplicate the problem. It does not log to the @loghost. Unfortunately, I cannot tell you why.

Great, that you could confirm this issue - so I'm not the "problem". It's a strange thing. I coulnt find any further informations about the issue in the errata or something else.

[jggimi]

You could pull down the 5.7 source from CVS and scatter printf(3) calls to debug the problem, or perhaps traverse the various /usr/src/usr.sbin/syslogd commits that have been logged since May 2015.

Unfortunately, the Project doesn't support anything older than the most recent two releases. I had to reach a server in Oslo just find a copy of 5.7 to replicate the problem.

[J65nko]

Code:

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none        @192.168.233.1

Is there an ARP entry for that address?

Code:

$  doas arp -an
Host                                 Ethernet Address    Netif Expire    Flags
192.168.222.33                       00:0d:b9:2a:bf:e1    bge0 12m38s    
192.168.222.241                      a0:1d:48:97:5b:74    bge0 permanent l

I wonder whether the 5.7 system does a reverse DNS lookup of the 192.168.233.1 address, that fails. You can check that with tcpdump on port 53:

Code:

$ doas tcpdump -vv -eni  bge0 'port 53'

Does those log lines actually do something? You can test with

Code:

# *.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none        @192.168.233.1
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none        /var/log/external1

# auth,daemon,syslog,user.info;authpriv,kern.debug               @192.168.233.1
auth,daemon,syslog,user.info;authpriv,kern.debug               /var/log/external2

Before restarting syslogd create those files:

Code:

$ doas touch /var/log/external1
$ doas touch /var/log/external2

Actually I would do this test first, but I am not gonna reorder my post
The reason is that I had some problems with syslog.conf too, See https://daemonforums.org/showthread.php?t=11762

BTW a long standing bug in crontab files caused the last line not be parsed when it was not terminated with a newline. Yes, I see that you have two lines in syslog.conf, but in weird situations like this, I always add an extra line ......

[plepps]

I've got it - the logserver entry must be separated by one or more tabs.

[J65nko]

Sorry, I forgot to mention that in some config files tabs are required. Glad you managed to figure it out.