Project

General

Profile

Actions

Feature #11577

closed

Syslog should not require binding to interface for remote logging

Added by Ter Ted 11 months ago. Updated 11 months ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Logging
Target version:
-
Start date:
02/28/2021
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

As of now, it is not possible to log to remote server without binding syslog to local interface. This shouldn't be required - for log forwarding syslog acts only as a client, not a server. Now it is not possible to set syslog-ng daemon from package to bind on port 514 and at the same time have log fowarding enabled.

Please do not reject this issue. To reply your previous message

It's to set the source address of the syslog traffic, not to bind the server. It's necessary for things like tunnel mode IPsec where otherwise the syslog traffic will never enter the tunnel.
You can set it to "Default (any)" and it doesn't bind to a specific interface.

No, it actually binds the server port. You can check it on console by "netstat -na | grep 514". If you set to "any" - it binds to all interfaces. You don't have to bind the server in order to send the traffic to remote, even when the tunnel is up - always the routing rules apply.

Actions #1

Updated by Jim Pingle 11 months ago

  • Status changed from New to Rejected

Binding to all interfaces is not binding to a specific interface ("All" is not "specific") and "All" is an option in the GUI so your previous request was correctly rejected.

"Disabling binding completely" is not the same thing as "Not binding to a specific interface".

syslogd does have -N to not bind but it also isn't desirable since it breaks a recommendation of RFC 3164 section 1.2.2 which says that:

2. Transport Layer Protocol

   syslog uses the user datagram protocol (UDP) [1] as its underlying
   transport layer mechanism.  The UDP port that has been assigned to
   syslog is 514.  It is RECOMMENDED that the source port also be 514 to
   indicate that the message is from the syslog process of the sender,
   but there have been cases seen where valid syslog messages have come
   from a sender with a source port other than 514.  If the sender uses
   a source port other than 514 then it is RECOMMENDED and has been
   considered to be good form that subsequent messages are from a single
   consistent port.

Without binding, it can't follow the recommendations of that paragraph: It cannot use port 514 nor can it use a consistent port. As such I don't see us adding a GUI option to do this. But you are welcome to patch the source code yourself to add -N to the syslog flags.

If you want to use syslog-ng, then disable syslogd entirely and setup everything in syslog-ng. Most people using syslog-ng want to use it for forwarding instead so they can use TCP and secure forwarding anyhow.

Actions #2

Updated by Ter Ted 11 months ago

No, you have to bind to the port in order to receive events, not to send them. This is just a very basic concept for all TCP/UDP service. You don't have to bind to port in order to sent events. The way it is implemented is just silly, I don't know why you reject this issue.

You can set it to "Default (any)" and it doesn't bind to a specific interface.

No, as I said, IT DOES BIND to all interfaces. You can't bind other service on any interface on port 514 when this option is set.

Actions #3

Updated by Jim Pingle 11 months ago

Ter Ted wrote:

No, you have to bind to the port in order to receive events, not to send them. This is just a very basic concept for all TCP/UDP service. You don't have to bind to port in order to sent events. The way it is implemented is just silly, I don't know why you reject this issue.

Per the syslogd man page on FreeBSD:

 -N      Disable binding on UDP sockets.  RFC 3164 recommends that
 outgoing syslogd messages should originate from the privileged
 port, this option disables the recommended behavior.  This option
 inherits -s.

You can't disable binding without also losing the ability to source messages from port 514. Hence it not being a viable request.

You can set it to "Default (any)" and it doesn't bind to a specific interface.

No, as I said, IT DOES BIND to all interfaces. You can't bind other service on any interface on port 514 when this option is set.

"All" is not a specific interface -- it's any/all interfaces. "Disable binding" is not the same as "not binding to a specific interface". Your wording was incorrect in both requests for what you really wanted to ask.

If you can demonstrate that syslogd on FreeBSD can disable binding and still source messages from port 514 without involving NAT or other non-syslogd mechanisms, then maybe it might be viable.

Until then, however, it's not a valid request.

Actions

Also available in: Atom PDF