No Hair Github Pages

Set up a network loghost with OpenBSD: 2. TCP

D. Insecure logging over TCP:

There is no large advantage to using TCP rather than UDP for insecure logging. TCP does let the client know that the loghost received the message (delivery is acknowledged at the transport layer), but it provides no greater security: the messages still travel in cleartext and are not authenticated. It is mainly useful to set up as an example and to troubleshoot, since in the next stage we will be using syslogd over TLS, which (typically) runs on TCP.

1. Loghost (log server)

Changes are:

a. Edit syslog.conf:

syslog.conf is unchanged from the UDP setup:

...
# Write logs coming from host primo to a separate file.
++primo.example.local
*.*                                /var/log/primo/example.log
+*
#
...

No changes to syslog.conf are needed. The logs are sorted by hostname, which does not change when switching from UDP to TCP. As an aside, you can use the short hostname "primo" instead.

b. Restart syslogd on the loghost with the appropriate flags. The flags required are:

-a path: Specify a location where syslogd should place an additional log socket.

-T listen_address: Create a TCP listen socket for receiving messages and bind it to the specified address. There is no well-known port for syslog over TCP, so a port number must be specified using the host:port syntax.

The "-4" flag is not used, as it applies only to UDP. When messages are sent from the client, the destination address will be ip.addr.of.loghost:6514, but the source address will be ip.addr.of.client with a varying (ephemeral) source port. So:

doas rcctl set syslogd flags "-a ip.addr.of.client:* -T ip.addr.of.loghost:6514"
doas rcctl restart syslogd

Notice the "*" to match any source port.

Or, you can address the targets by hostname if DNS is working:

doas rcctl set syslogd flags "-a primo.example.local:* -T secundum.example.local:6514"
doas rcctl restart syslogd

c. Edit /etc/pf.conf to allow log messages in:

...
pass in log (all) on $ext_if inet proto tcp from $ip.addr.of.client to $ext_if port 6514
...

Check the syntax of the new pf.conf (-n parses without loading), then load it:

doas pfctl -nf /etc/pf.conf
doas pfctl -f /etc/pf.conf

d. Testing

Check /var/log/messages for errors. Check if a listen port and socket are created:

netstat -a | grep 6514
netstat -a | grep ip.addr.of.client

2. Client machine (network host):

a. Edit syslog.conf:

For testing, you will initially send all logs so you can see whether forwarding is working.

Change the stanza at the top of syslog.conf to:

...
# Send all logs to loghost
*.*			@tcp4://secundum.example.local:6514
#
...

or:

...
# Send all logs to loghost
*.*			@tcp4://ip.addr.of.loghost:6514
#
...

As above, "tcp" sets the protocol and "4" selects IPv4. There is no default TCP port for syslogd, so a port must be specified; it must match the port given to the loghost's -T flag and in its pf rule. In this example, we'll use 6514. You can use either the hostname or the IP address of the loghost. Both work, but using the IP address may be a hair faster as it obviates a DNS lookup.
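The port has to be spelled identically in three places (the client's forward line, the loghost's -T flag, and the pf rule), and a single transposed digit silently stops forwarding without any error on either side. The following script is an added example, not part of the original post, that pulls the port out of each of the three and reports whether they agree. The config fragments it writes are constructed stand-ins for the real files; the flags string mirrors the rcctl command above.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check that the three
# places naming the syslog TCP port (the client's syslog.conf forward line, the
# loghost's syslogd -T flag, and the pf rule) all agree. A transposed digit in
# any one of them silently breaks forwarding. Config contents are constructed.

# Port from the client's forward line, e.g. "*.*   @tcp4://loghost:6514".
forward_port() {
    sed -n 's/.*@tcp[46]*:\/\/[^:]*:\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Port from the loghost's syslogd flags string, e.g. "-T secundum.example.local:6514".
listen_port() {
    printf '%s\n' "$1" | sed -n 's/.*-T *[^ :]*:\([0-9][0-9]*\).*/\1/p'
}

# Port from the first "pass ... proto tcp ... port N" rule in a pf.conf.
pf_port() {
    sed -n 's/^pass .*proto tcp .*port \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 when all three agree, 1 otherwise (with a diagnostic on stderr).
check_ports() {
    c=$(forward_port "$1")
    l=$(listen_port "$2")
    p=$(pf_port "$3")
    if [ -n "$c" ] && [ "$c" = "$l" ] && [ "$c" = "$p" ]; then
        echo "ok: client, loghost and pf all use port $c"
        return 0
    fi
    echo "mismatch: client=${c:-none} loghost=${l:-none} pf=${p:-none}" >&2
    return 1
}

# Constructed config fragments written into directory $1.
write_samples() {
    cat > "$1/client.syslog.conf" <<'EOF'
# Send all logs to loghost
*.*    @tcp4://secundum.example.local:6514
EOF
    cat > "$1/typo.syslog.conf" <<'EOF'
*.*    @tcp4://secundum.example.local:6154
EOF
    cat > "$1/pf.conf" <<'EOF'
ext_if = "em0"
pass in log (all) on $ext_if inet proto tcp from 192.0.2.10 to $ext_if port 6514
EOF
}

# Flags as set with "rcctl set syslogd flags" on the loghost (constructed).
LOGHOST_FLAGS="-a primo.example.local:* -T secundum.example.local:6514"

dir=$(mktemp -d)
write_samples "$dir"
check_ports "$dir/client.syslog.conf" "$LOGHOST_FLAGS" "$dir/pf.conf"
check_ports "$dir/typo.syslog.conf" "$LOGHOST_FLAGS" "$dir/pf.conf" || true
rm -rf "$dir"
```

On a real pair of machines you would point forward_port at the client's /etc/syslog.conf, pf_port at the loghost's /etc/pf.conf, and feed listen_port the output of "rcctl get syslogd flags" on the loghost; the second demo call shows the diagnostic you get when the client has 6154 where everything else has 6514.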

Restart syslogd on the client (no flags are needed; "-4" applies only to UDP):

doas rcctl set syslogd flags ""
doas rcctl restart syslogd

b. Edit /etc/pf.conf to pass and log outgoing packets:

...
pass out log (all, to pflog0) on $ext_if inet proto tcp from $ext_if to $ip.addr.of.loghost port 6514
...

Check the syntax of the new pf.conf, then load it:

doas pfctl -nf /etc/pf.conf
doas pfctl -f /etc/pf.conf

c. Testing

Check pflog to see whether there are packets going out:

doas tcpdump -n -e -ttt -r /var/log/pflog

If you see packets going out, move back to the loghost.

3. Monitoring the loghost:

Check the traffic that passed through the firewall:

doas tcpdump -n -e -ttt -r /var/log/pflog

If you see packets coming in, move on to checking the log.

doas tail -f /var/log/primo/example.log
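Reading the tcpdump output by eye works for a handful of packets, but it is easy to miss that the only matches were DNS or SSH rather than syslog. The following is an added example, not part of the original post, that counts the packets in a saved tcpdump text dump which pf passed in or out towards a given TCP port. It keys on the "pass in on"/"pass out on" words and the destination token after ">", so the timestamp column (absolute or the relative form -ttt prints) does not matter. The sample lines are constructed to resemble pflog output, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the original post: count the packets in a pflog
# capture (as printed by "tcpdump -n -e -ttt -r /var/log/pflog") that were
# passed in or out towards a given TCP port. Useful to confirm that the
# syslog traffic actually reached the pf rule instead of eyeballing the dump.
# The sample lines below are constructed to resemble pflog output, not captured.

# $1 = file with tcpdump text output, $2 = "in" or "out", $3 = destination port
count_passed_to_port() {
    awk -v dir="$2" -v port="$3" '
        $0 ~ ("pass " dir " on") {
            # the token after ">" is "dst.ip.port:"; the port is the last
            # dot-separated field once the trailing colon is stripped
            for (i = 1; i <= NF; i++) if ($i == ">") { dst = $(i + 1); break }
            sub(/:$/, "", dst)
            n = split(dst, f, ".")
            if (f[n] == port) c++
        }
        END { print c + 0 }' "$1"
}

# Constructed sample: two syslog packets out, one DNS query out, one blocked SSH in.
write_pflog_sample() {
    cat > "$1" <<'EOF'
Mar 10 12:00:01.000000 rule 3/(match) pass out on em0: 192.0.2.10.45012 > 192.0.2.20.6514: S 1:1(0) win 16384 <mss 1460> (DF)
Mar 10 12:00:01.000120 rule 3/(match) pass out on em0: 192.0.2.10.45012 > 192.0.2.20.6514: P 1:72(71) ack 1 win 256 (DF)
Mar 10 12:00:03.000000 rule 6/(match) pass out on em0: 192.0.2.10.51000 > 198.51.100.5.53: udp 40
Mar 10 12:00:04.000000 rule 1/(match) block in on em0: 203.0.113.9.40000 > 192.0.2.10.22: S 9:9(0) win 65535
EOF
}

f=$(mktemp)
write_pflog_sample "$f"
echo "passed out to port 6514: $(count_passed_to_port "$f" out 6514)"
echo "passed in  to port 6514: $(count_passed_to_port "$f" in 6514)"
rm -f "$f"
```

On the client, save the dump with "doas tcpdump -n -e -ttt -r /var/log/pflog > /tmp/pflog.txt" and ask for "out 6514"; on the loghost, the same dump should show a matching count for "in 6514". A zero on one side but not the other points at the pf rule on that machine.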

Next: setting up remote logging over TLS.


Posted by Gordon, No Hair Github Pages, March 10, 2022

©the author

For comments, corrections, and addenda, email: sudogeek[AT]gmail.com
