No Hair Github Pages

Set up a network loghost with OpenBSD: 1. UDP

Setting up a loghost for OpenBSD using syslogd over UDP.

This set of HowTo's will describe configuring a local loghost and clients using standard syslogd on OpenBSD. This works adequately but, since OpenBSD 7.0, packages of newer versions of syslog-ng are available and you may wish to use that. However, if you're dealing with a host which only has syslog, then it's still usable.

For troubleshooting, we will first enable insecure mode (unencrypted logging to the loghost). Then, we will change to secure mode with TLS. Also, we show how multiple hosts and specific logs can be captured by the loghost.

A. Set up DNS:

Ensure that forward and reverse DNS for both log host and log client work, either using /etc/hosts or a local DNS server.

In its simplest form, add /etc/hosts entries on each loghost and client:

#/etc/hosts

10.1.1.1  dns1.example.local dns1
10.1.1.2  dns2.example.local dns2
10.1.1.3  primo.example.local primo
10.1.1.4  secundum.example.local secundum
10.1.1.254  fw.example.local fw

B. Simple insecure mode for basic setup and testing:

1. Client machine (network host, in this example primo.example.local):

a. Edit syslog.conf:

For testing, you will initially send all logs to see if the forwarding setup is working.

Add to the top of syslog.conf:

...
# Send all logs to loghost
*.*			@secundum.example.local
#
...

b. Restart syslogd on client (we will be using the -4 flag as we only run IPv4 on the internal network):

doas rcctl set syslogd flags "-4"
doas rcctl restart syslogd

c. Edit pf.conf to pass and log outgoing packets:

...
pass out log ( all, to pflog0 ) on $ext_if inet proto udp from $ext_if to $ip.addr.of.loghost port 514
...

Reload new pf.conf.

doas pfctl -nf /etc/pf.conf
doas pfctl -f /etc/pf.conf

d. Testing

Check pflog to see if there are packets outbound:

doas tcpdump -n -e -ttt -r /var/log/pflog

If you see packets going out, move on to the loghost.

2. Loghost (log server)

a. Create destination directory and logfiles for incoming logs:

doas mkdir /var/log/primo
touch /var/log/primo/example.log
touch /var/log/primo/example.log.0.gz

Check that they are owned by root:wheel and have permissions 0640.

b. Edit newsyslog.conf:

This is a bit different from (and simpler than) the client's configuration, because the process generating the logs is not running on the loghost.

...
# Added remote logs
/var/log/primo/example.log 		640  2  300 *  Z 
...

c. Edit syslog.conf:

Add to syslog.conf:

...
# Write logs coming from host primo to a separate file.
++primo.example.local
*.*                                /var/log/primo/example.log
+*
#
...

d. Restart syslogd on loghost with appropriate flags: -u (set insecure mode) and -4 (use IPv4 only). So:

doas rcctl set syslogd flags "-4 -u"
doas rcctl restart syslogd

e. Edit /etc/pf.conf to allow log messages in:

...
pass in log (all) on $ext_if inet proto udp from $ip.addr.of.client to $ext_if port 514
...

Reload new pf.conf.

doas pfctl -nf /etc/pf.conf
doas pfctl -f /etc/pf.conf

f. Testing

doas tcpdump -n -e -ttt -r /var/log/pflog

If you see packets coming in, move on to checking the log.

doas tail -f /var/log/primo/example.log

C. Simple insecure mode for basic setup and testing using IP addresses:

1. Client machine (network host):

a. Edit syslog.conf:

For testing, you will initially send all logs to see if the forwarding setup is working.

Add to the top of syslog.conf:

...
# Send all logs to loghost
*.*			@ip.addr.of.loghost
#
...

b. Restart syslogd on client (we will be using the -4 flag as we only run IPv4 on the internal network):

doas rcctl set syslogd flags "-4"
doas rcctl restart syslogd

c. Edit pf.conf to pass and log outgoing packets: no changes here.

d. Testing

Check pflog to see if there are packets outbound:

doas tcpdump -n -e -ttt -r /var/log/pflog

If you see packets going out, move on to the loghost.

2. Loghost (log server)

a. Log files: Refer to B. 2. a. above: no changes

b. Edit newsyslog.conf: refer to B. 2. b. above: no changes.

c. Edit syslog.conf:

No changes from previous configuration:

...
# Write logs coming from host primo to a separate file.
++primo.example.local
*.*                                /var/log/primo/example.log
+*
#
...

Note that the hostname of the sending client is still used, not the ip address. For OpenBSD, this is whatever is in /etc/myname on the client.

d. Restart syslogd on loghost with appropriate flags:

-U (-U bind_address: Create a UDP socket for receiving messages and bind it to the specified address. This can be used, for example, with a pf divert-to rule to receive packets when syslogd is bound to localhost. A port number may be specified using the host:port syntax.)

and -4 (use IPv4 only). -u is not needed. So:

doas rcctl set syslogd flags "-4 -U ip.addr.of.loghost"
doas rcctl restart syslogd

Here, it will work as written. We do not have to specify the port nor create a socket because we are using the defaults of syslogd. To explicitly specify the connection you would write:

doas rcctl set syslogd flags "-4 -a ip.addr.of.client:514 -U ip.addr.of.loghost:514"

But you can get by with:

doas rcctl set syslogd flags "-4 -a ip.addr.of.client -U ip.addr.of.loghost:514"

or

doas rcctl set syslogd flags "-4 -a ip.addr.of.client -U ip.addr.of.loghost"

or even less as in the initial example above, again implicitly using the defaults for the socket specified in "-a" and "-U".

e. Edit /etc/pf.conf: no changes here.

f. Testing

doas tcpdump -n -e -ttt -r /var/log/pflog

If you see packets coming in, move on to checking the log.

doas tail -f /var/log/primo/example.log


D. Using separate log files on loghost for different processes running on client.

Now, the basic set up funnels all the logs into one big file which is not very useful. You can set up separate logs for unbound, relayd, httpd, etc. on the loghost.

1. First, create the new log files:

touch /var/log/primo/unbound.log
touch /var/log/primo/unbound.log.0.gz
touch /var/log/primo/relayd.log
touch /var/log/primo/relayd.log.0.gz

Again, check if they are owned by root:wheel and permissions are 0640 or 0644.

2. Edit newsyslog.conf:

Similar to above:

...
# Added remote logs
/var/log/primo/example.log 		640  2  300 *  Z 
/var/log/primo/unbound.log 		640  2  300 *  Z 
/var/log/primo/relayd.log 		640  2  300 *  Z 
...

3. Edit syslog.conf:

In the block between "++" and "+*" you can add blocks just like in the main syslog.conf.

Change syslog.conf:

...
# Write logs coming from host primo to a separate file.
++primo.example.local
*.*                                /var/log/primo/example.log
+*
#
...

to the following, which breaks out log entries from unbound and relayd into separate files while all the rest still goes to the one catch-all file:

...
# Write logs coming from host primo to a separate file.
++primo.example.local
!!unbound
*.*                                /var/log/primo/unbound.log
!*
!!relayd
*.*                                /var/log/primo/relayd.log
!*
*.*                                /var/log/primo/example.log
+*
#
...

and so on. Look at the default syslog.conf and the examples in the syslog.conf man page to add in blocks, send some logs to /dev/null, or even relay to another loghost.
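As an added example (not code from the page), the following Python simulates how the loghost's syslogd evaluates the section D blocks against incoming datagrams: it parses the BSD syslog line format and applies the ++host and !!program filters to constructed sample traffic. The destination for hosts without a ++ block and the exact host string the client writes into the message are assumptions.

```python
import re
from collections import defaultdict
# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG  (the RFC 3164 layout syslogd sends over UDP/514)
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

def parse_datagram(raw: bytes) -> dict:
    """Split one datagram into fields; PRI encodes facility*8 + severity."""
    m = _LINE.match(raw.decode("utf-8", "replace"))
    if not m:
        raise ValueError(f"not a BSD syslog line: {raw!r}")
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "host": m["host"],
            "program": m["tag"], "msg": m["msg"]}

# Mirrors the section D block: inside ++primo.example.local, a !!unbound line, a !!relayd
# line, then the catch-all line after !* (None = no program filter).
ROUTES = {
    "primo.example.local": [
        ("unbound", "/var/log/primo/unbound.log"),
        ("relayd", "/var/log/primo/relayd.log"),
        (None, "/var/log/primo/example.log"),
    ],
}

def route(rec: dict) -> list[str]:
    """Each config line is evaluated on its own, so one record can land in several files."""
    block = ROUTES.get(rec["host"])
    if block is None:  # no ++ block for this host: assumed to fall through to the loghost's own file
        return ["/var/log/messages"]
    return [dest for program, dest in block
            if program is None or program == rec["program"]]

def fan_out(datagrams: list[bytes]) -> dict[str, list[str]]:
    """Destination file -> programs that wrote to it, for a batch of datagrams."""
    by_dest = defaultdict(list)
    for raw in datagrams:
        rec = parse_datagram(raw)
        for dest in route(rec):
            by_dest[dest].append(rec["program"])
    return dict(by_dest)

# Constructed sample traffic; the host field is whatever the client's syslogd writes.
SAMPLE = [
    b"<30>Mar 10 12:00:01 primo.example.local unbound[123]: info: start of service",
    b"<86>Mar 10 12:00:02 primo.example.local relayd[456]: adding 2 hosts from table www",
    b"<38>Mar 10 12:00:03 primo.example.local sshd[789]: Accepted publickey for gordon",
    b"<38>Mar 10 12:00:04 fw.example.local sshd[21]: Accepted publickey for gordon",
]
```

Note that an unbound line lands in both unbound.log and example.log: syslogd evaluates each configuration line independently and the catch-all line after `!*` carries no program filter, so example.log holds every line from primo rather than only the remainder. Routing also keys on the hostname the client writes into the message, which is why the pf rule restricting port 514 to the client's source address matters.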

Next, setting up remote logging over tcp.


Posted by Gordon, No Hair Github Pages, March 10, 2022

©the author

For comments, corrections, and addenda, email: sudogeek[AT]gmail.com
