Freebsd 7.1-STABLE and dd-wrt v24 syslogd

[da1]

Hell-o guyz.

Let me start off by saing that this little thing is bugging me since forever.
So: we have a FreeBSD 7-1-STABLE box and a Linksys wrt54gl v1.1 with DD-WRT v24 (05/24/08) vpn.

Now.... on the router (services->services) I activated the "System Log" option and assigned my BSD box's IP (192.168.0.2). The router is 192.168.0.1. In Security->Firewall, the firewall is enabled and the "Log Management" also with "Log Level" set to "High" and all three options (Dropped, Rejected, Accepted) set to "High".

On the BSD box
rc.conf has

Code:

syslogd_enable="YES"
syslogd_flags="-d -a 192.168.0.1 -vv"

and /etc/syslogd.conf has

Code:

+192.168.0.1
*.*                                             /var/log/router.log

but, when I restart the syslogd daemon (/etc/rc.d/syslogd restart) having debbug mode enabled I see:

Code:

cvthname(192.168.0.1)
validate: dgram from IP 192.168.0.1, port 2052, name router.ro;
rejected in rule 0 due to port mismatch.

Now, I have pf enabled; so I disable it. Nothing. No lines get echo'd to router.log nor does the error go away. So I try to redirect port 2052 to 514 with no effect. I'm guessing here... so the router is sending the logs to? 2052? Now that would be weird. So I do a tcp dump and I find this

Code:

tcpdump: listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
02:34:16.150587 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 283) router.2052 > localhost.syslog: SYSLOG, length: 255
        IP (tos 0x0, ttl 64, id 57754, offset 0, flags [none], proto UDP (17), length 283) router.2052 > localhost.syslog: [|syslog]
02:34:21.324575 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 283) router.2052 > localhost.syslog: SYSLOG, length: 255
02:34:24.086214 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 232) router.2052 > localhost.syslog: SYSLOG, length: 204
02:34:24.512873 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 229) router.2052 > localhost.syslog: SYSLOG, length: 201
02:34:26.511407 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 283) router.2052 > localhost.syslog: SYSLOG, length: 255
        IP (tos 0x0, ttl 64, id 30082, offset 0, flags [none], proto UDP (17), length 283) router.2052 > localhost.syslog: [|syslog]

So, in fact it sends logs from 2052 to my localhost syslogd. ok, fair enough. I also check the routers running processes and i find

Code:

11174     1 root     S     1832 13.8  0.0 /sbin/syslogd -R 192.168.0.2:514

so it appears that the router is configured ok. I'm guessing I misconfigured something on my bsd box, or the router, but I can't figure out exactly what.

Any ideea is welcomed.

[da1]

right;so: been doing some testing with a solaris 10 box and the results are the same.

Code:

cvthname(192.168.0.6)
validate: dgram from IP 192.168.0.6, port 32778, name solaris.ro;
rejected in rule 0 due to port mismatch.

the solaris box is 192.168.0.6. did the "+solaris" to freebsd's syslogd.conf and added "192.168.0.6 solaris" to freebsd's /etc/hosts. all this just to get that error I posted previously. so, i'm kinda sure it's a miscnfiguration of the bsd box. will look into it more.

btw I see syslogd appends a ".ro" to the hostname it prints out. instead of solaris it's solaris.ro; same with router (it's replaced with router.ro). at this point it's strainge, but i admit i know not much of this so maybe i'm wrong.

le: solaris's syslogd has "user.err @loghost" and "loghost" is 192.168.0.2 in solaris's /etc/hosts.

[ddekok]

Reading over syslogd(8), the -a option allows for a service to be specified in addition to the host (using :<service> or :*).

Also, the dotted-quad address you provided may require a net mask length.

So you should have something like

Code:

syslogd_flags="-d -a 192.168.0.1/24:* -vv"

Note that I have tried this under FreeBSD 6.4 without success (I suspect it was my Linksys SPA-1001 not logging anything as nc(1) didn't get anything either)

[J65nko]

Did you create the /var/log/router.log file?
Syslogd only logs to an existing file, it does not create this file unless you use the -C option.

According to syslogd(8) your -a 192.168.0.1 option actually is -a 192.168.0.1/16:514. Is that /16 netmask correct for your setup?

RE: tcpdump
You can use the -n flag to disable name lookups, and the -s0 to see the complete data. -vv also helps

[da1]

Quote:

Originally Posted by ddekok

So you should have something like

Code:

syslogd_flags="-d -a 192.168.0.1/24:* -vv"

yup, that works but logs everything into /var/log/messages

Quote:

Originally Posted by J65nko

Did you create the /var/log/router.log file?
Syslogd only logs to an existing file, it does not create this file unless you use the -C option.

yup, file was created way before changes were made. lucky man command

Quote:

According to syslogd(8) your -a 192.168.0.1 option actually is -a 192.168.0.1/16:514. Is that /16 netmask correct for your setup?

actually /24 (255.255.255.0) is corect for my netmask but this doesn't works. I see that no matter what /16, /24 or /32 I use the results are the same; logging does not works, and I keep getting that "port mismatch" error. this only applies if i use :514. if i use :* all is ok no matter of the netmask

Quote:

RE: tcpdump
You can use the -n flag to disable name lookups, and the -s0 to see the complete data. -vv also helps

I like poking my eyes at everithing and then eliminating the bad and using the good; but thx for the head's up


So..recap:

if i use in rc.conf of my bsd box -d -a 192.168.0.1/whatever:* -vv (tried /16 /24 /32 result are the same) logging works but logges to /var/log/messages and "port mismach error" is replaced by a very nice looking, I might add, output of

Code:

cvthname(192.168.0.1)
validate: dgram from IP 192.168.0.1, port 2052, name router.ro;
accepted in rule 0. <----

le: one of my mistakes was that i read the wrong manual for syslogd. dunno why i used google to search for the manual and ended up with a faulty one that did not have the /:* mentioned at all. I mean, I dunno why I didn't used freebsd's manual (command line or web)

[J65nko]

I actually meant the tcpdump -vv option Use tcpdump with the options I recommended to view the actual syslog messages.

Have you seen http://bsd.dischaos.com/2009/02/25/l...reebsd-syslog/ ?

[da1]

Quote:

Originally Posted by J65nko

Have you seen http://bsd.dischaos.com/2009/02/25/l...reebsd-syslog/ ?

No, I haven't. Thx for the link.

Now, after reading the link I added an extra "-n" option to my rc.conf (allthow it is not required). Still, no changes, Logging works but it logs to /var/log/messages. Will look harder into into it.

Here is the last output (after I added the "-n" option)

Code:

7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/router.log (ppp)
logmsg: pri 56, flags 4, from da1, msg syslogd: restart
syslogd: restarted
logmsg: pri 6, flags 4, from da1, msg syslogd: kernel boot file is /boot/kernel/kernel
Logging to FILE /var/log/messages
syslogd: kernel boot file is /boot/kernel/kernel
logmsg: pri 166, flags 17, from da1, msg Mar 16 05:32:40 <syslog.err> da1 syslogd: exiting on signal 2
cvthname(192.168.0.1)
validate: dgram from IP 192.168.0.1, port 2052, name 192.168.0.1;
accepted in rule 0.
logmsg: pri 14, flags 0, from 192.168.0.1, msg Mar 16 04:39:14 kernel: DROP IN=ppp0 OUT= MAC= SRC=222.58.96.73 DST=79.113.14.176 LEN=126 TOS=0x04 PREC=0x00 TTL=44 ID=18776 PROTO=UDP SPT=32610 DPT=52037 LEN=106
Logging to FILE /var/log/messages
cvthname(192.168.0.1)
validate: dgram from IP 192.168.0.1, port 2052, name 192.168.0.1;
accepted in rule 0.
logmsg: pri 14, flags 0, from 192.168.0.1, msg Mar 16 04:39:15 kernel: DROP IN=ppp0 OUT= MAC= SRC=79.173.193.164 DST=79.113.14.176 LEN=44 TOS=0x04 PREC=0x00 TTL=109 ID=64153 PROTO=UDP SPT=58158 DPT=1513 LEN=24
Logging to FILE /var/log/messages
cvthname(192.168.0.1)
validate: dgram from IP 192.168.0.1, port 2052, name 192.168.0.1;
accepted in rule 0.
logmsg: pri 14, flags 0, from 192.168.0.1, msg Mar 16 04:39:16 kernel: DROP IN=ppp0 OUT= MAC= SRC=60.15.177.166 DST=79.113.14.176 LEN=622 TOS=0x04 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=34796 DPT=1026 LEN=602
Logging to FILE /var/log/messages
^Csyslogd: exiting on signal 2
syslogd: exiting on signal 2
logmsg: pri 53, flags 4, from da1, msg syslogd: exiting on signal 2
Logging to CONSOLE /dev/console
Logging to FILE /var/log/messages

le: Here's my syslogd.conf file. I can't spot any mistakes, can you ?

Code:

# $FreeBSD: src/etc/syslog.conf,v 1.28.18.1 2008/11/25 02:59:29 kensmith Exp $
#
#       Spaces ARE valid field separators in this file. However,
#       other *nix-like systems still insist on using tabs as field
#       separators. If you are sharing this file between systems, you
#       may want to use only tabs as field separators here.
#       Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit                /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
ftp.info                                        /var/log/xferlog
cron.*                                          /var/log/cron
*.=debug                                        /var/log/debug.log
*.emerg                                         *
# uncomment this to log all writes to /dev/console to /var/log/console.log
#console.info                                   /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*                                            /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                                            @loghost
# uncomment these if you're running inn
# news.crit                                     /var/log/news/news.crit
# news.err                                      /var/log/news/news.err
# news.notice                                   /var/log/news/news.notice
!startslip
*.*                                             /var/log/slip.log
!ppp
*.*                                             /var/log/ppp.log
+192.168.0.1
*.*                                             /var/log/router.log
+*

le2: hmm, here's a thing I noticed. The line in syslogd.conf that tells the daemon what to log into messages has a "kern.debug" option to it. Makes sense now why it logs to messages; the bsd box considers the actual line logs comming from the kernel of the router. Darn I wish I could specify a "quick" option

[da1]

ok, sorted the problem....well, half of it anyway. So in fact syslog acts something like pf but in reverse. The first rule wins (but unfortunatelly so does the second I see). I moved the

Code:

+192.168.0.1
*.*                                             /var/log/router.log
+*

lines at the very top of the file and now it logs to the router.log file. Unfortunatelly it also logs to messages. A workaround would be to remove the "kernel.debug" option from the /var/log/messages line in syslogd.conf, but afterwards it would come back at me and bite me in the ......excuse me....... as no more kernel errors would be logged.

[BSDfan666]

I think I found the solution to your problem..

http://unix.derkeiler.com/Mailing-Li.../msg00384.html

[da1]

Quote:

Originally Posted by BSDfan666

I think I found the solution to your problem..

http://unix.derkeiler.com/Mailing-Li.../msg00384.html

Thx for the link, but unfortunatelly that didn't solve my problem.
Something else in fact did. Syslogd.conf file states

Code:

*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages

Now, removing the first option "*.notice" from the file on my bsd box and restarting the syslogd daemon actually helps a lot (system stops double-logging), but also comes with a problem. Whille in fact removing that option makes syslogd log to "router.log" file, it does not log any notices of the system to "messages" file. Now, to be honnest, I can't really tell wich option logs what, from where, and other stuff, because I simply do not know, so until now, removing that option seems to fix the problem, but will need some time to read some things in order to get my head straight and see in fact what is it that I have actually removed.

Until then, thx to all for your support