Bug #355: syslog should not bind on *
Status: Closed
% Done: 100%
Description
List post from Paul Mansfield:
I tweak /etc/inc/system.inc so that syslogd is bound ONLY to localhost,
and then I can set pfsense to also log to another local IP, then install
syslog-ng on that IP so that I can do interesting things to the logs and
also push them remotely.
Please can you change the default configuration by tweaking
/etc/inc/system.inc as follows; I can't see any downside in pfSense, and
not having syslogd listening on all addresses would actually make things
more secure. Thanks!
note there's missing EOL in the standard file too
- diff system.inc.old system.inc
451c451
< $retval = mwexec("/usr/sbin/syslogd -c -s -f {$g['varetc_path']}/syslog.conf");
---
$retval = mwexec("/usr/sbin/syslogd -b 127.0.0.1
-c -s -f {$g['varetc_path']}/syslog.conf");
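Review bot: the replacement for line 451 is shown wrapped across two lines, so as pasted the mwexec() string literal would contain a newline between `-b 127.0.0.1` and `-c`; the intended line is a single `/usr/sbin/syslogd -b 127.0.0.1 -c -s -f {$g['varetc_path']}/syslog.conf` (the `>` markers of the new lines are also missing from the paste). The bigger issue is behavioural: on FreeBSD syslogd, `-b` selects the address the network socket is bound to, and that same socket is used to send to `@host` targets in syslog.conf, so forwarded datagrams would have to be sourced from 127.0.0.1; that is consistent with Jim Pingle's later report that off-host logging stops working with this change. `-b` can be specified more than once, so binding 127.0.0.1 plus the local IP that syslog-ng listens on would keep Paul's setup without the wildcard bind, but forwarding to a non-local host still needs a socket that is not pinned to loopback; the conditional approach raised later in the thread (bind to localhost only when no remote syslog servers are configured) is the safer change.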
453c453
< $retval = mwexec("/usr/sbin/syslogd -c -ss -f
{$g['varetc_path']}/syslog.conf");
---
$retval = mwexec("/usr/sbin/syslogd -b 127.0.0.1
c -ss -f {$g['varetc_path']}/syslog.conf");
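Review bot: the new line for 453 has lost the dash of `-c` (it reads `c -ss`), so syslogd would be handed a stray `c` argument; it should read `-b 127.0.0.1 -c -ss -f {$g['varetc_path']}/syslog.conf`. Separately, `-ss` tells FreeBSD syslogd to open no network socket at all (which is also what disables remote logging in this mode), so `-b 127.0.0.1` has nothing to bind here and can be dropped; the `-b` change only matters for the `-s` invocation in the previous hunk.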
456c456
< $retval = mwexec("/usr/sbin/syslogd -c -ss");
--
$retval = mwexec("/usr/sbin/syslogd -b 127.0.0.1 -c -ss");
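Review bot: same point as the previous hunk: this invocation runs with `-ss`, i.e. no network socket, so the added `-b 127.0.0.1` is a no-op and the hunk can be omitted; keeping it only makes the change harder to reason about. The hunk separator is also shown as `--` rather than `---`, presumably a paste artefact.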
1285c1285
Updated by Jim Pingle over 14 years ago
When I add this change, I am then unable to redirect the logs to a remote host from the GUI as normal; the same setup works fine without the localhost binding.
Should we do this conditionally, perhaps only bind to localhost if there are no remote syslog servers defined?
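One way to express the conditional binding suggested in this comment, written in PHP because system.inc is PHP. This is an added illustration, not pfSense's own code: the list of remote servers and the security level are assumed inputs, and the `-b` argument is only emitted when no remote servers are configured and the network socket is actually opened (with `-ss` FreeBSD syslogd opens no socket, so there is nothing to bind).

```php
<?php
// Added illustration (not pfSense's own code). Assumed inputs:
//   $remote_servers : list of remote syslog targets from the GUI settings
//   $secure_level   : 0 = no -s, 1 = -s (accept nothing from remote hosts,
//                     forwarding still works), 2 = -ss (no network socket)
//   $varetc_path    : mirrors $g['varetc_path'] used in system.inc

function syslogd_bind_args(array $remote_servers, int $secure_level): array
{
    // Drop empty entries so a blank GUI field does not count as a server.
    $remote_servers = array_filter(array_map('trim', $remote_servers));

    // With -ss there is no network socket, so -b would be meaningless.
    if ($secure_level >= 2) {
        return [];
    }
    // Forwarding to a remote host uses the same socket that -b pins down,
    // so only restrict it to loopback when nothing is forwarded off-host.
    if (count($remote_servers) === 0) {
        return ['-b', '127.0.0.1'];
    }
    return [];
}

function build_syslogd_cmd(array $remote_servers, int $secure_level, string $varetc_path): string
{
    $args = array_merge(['/usr/sbin/syslogd'], syslogd_bind_args($remote_servers, $secure_level));
    $args[] = '-c';                       // as in the ticket: no repeat compression
    if ($secure_level === 1) {
        $args[] = '-s';
    } elseif ($secure_level >= 2) {
        $args[] = '-ss';
    }
    // -f points syslogd at the generated config, as the ticket's lines do.
    $args[] = '-f';
    $args[] = $varetc_path . '/syslog.conf';

    // Quote every argument so a path with spaces cannot split the command.
    return implode(' ', array_map('escapeshellarg', $args));
}

// Constructed sample inputs: no remote servers (binds loopback), one remote
// server (no bind, so forwarding keeps working), and the -ss case (no bind).
echo build_syslogd_cmd([], 1, '/var/etc'), "\n";
echo build_syslogd_cmd(['192.0.2.10'], 1, '/var/etc'), "\n";
echo build_syslogd_cmd([], 2, '/var/etc'), "\n";
```

The command would then be handed to mwexec() as the existing code does; the point of keeping the bind logic in its own function is that the decision (no remote targets and a real network socket) can be checked in isolation.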
Updated by Chris Buechler over 14 years ago
I thought there was a catch along those lines here. Though it's interesting that Paul can log to syslog-ng running locally by IP, maybe because it's logging from 127.0.0.1 to another local IP in that case. Implementing it to only do that when not logging to a remote host would defeat the purpose that Paul is looking for, but it may not be possible to accommodate that scenario.
Updated by Dan Swartzendruber over 14 years ago
Jim P wrote:
When I add this change, I am then unable to redirect the logs to a remote host from the GUI as normal; the same setup works fine without the localhost binding.
Should we do this conditionally, perhaps only bind to localhost if there are no remote syslog servers defined?
This is really odd. I don't understand why the address pfSense syslogd binds to would prevent sending datagrams to a remote syslog host. Hmmmm....
Updated by Dan Swartzendruber over 14 years ago
Only thing I can think of is that it somehow was invoking syslogd with the '-ss' flag to prevent any network usage. Was that it maybe, Jim?
Updated by Paul Mansfield over 14 years ago
I was the original proposer.
I have syslogd bound only to localhost and I successfully get it to repeat the syslog message to a different IP (usually the sync IP) on which syslog-ng is listening, so I am not sure why you think this breaks syslog forwarding off host, unless of course (thinking aloud) that binding syslogd to localhost means it can't send UDP off-host?
Updated by Paul Mansfield over 14 years ago
Paul Mansfield wrote:
I was the original proposer.
I have syslogd bound only to localhost and I successfully get it to repeat the syslog message to a different IP (usually the sync IP) on the same firewall, on which syslog-ng is listening, so I am not sure why you think this breaks syslog forwarding off host, unless of course (thinking aloud) that binding syslogd to localhost means it can't send UDP off-host?
Updated by Chris Buechler over 14 years ago
- Target version changed from 2.0 to Future
- Affected Version changed from 2.0 to All
This does break off-host syslogging, moving to Future.
Updated by Michele Di Maria almost 12 years ago
Another issue related to this task is logging to a remote syslog server, where by remote I mean the other side of a point-to-point VPN.
It seems like if syslogd is not bound to a specific interface/IP address (the local side of the VPN), the packets will never arrive at the other side of the VPN.
Or am I wrong?
Thanks,
Michele
Updated by Jim Pingle almost 12 years ago
It depends on the type of VPN. With OpenVPN it works fine, it just sources the syslog traffic from the tunnel interface IP.
With IPsec it's a bit different, it does require you to add a static route to work around the binding.
Updated by Michele Di Maria almost 12 years ago
Wow, yes. I just created a fake gateway using the local interface IP address (which is a bridge interface), and a static route for my remote syslog server that uses that gateway, and it does work!
It looks like a workaround, but it does the job. Thanks Jim!
Updated by Jim Pingle almost 12 years ago
That has been documented for quite some time on the doc wiki:
http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F
Updated by Michele Di Maria almost 12 years ago
Mh, I was googling for the wrong keywords (focusing on binding syslogd to a specific interface/address)...
Thanks for giving me the hint, but I swear, I didn't read the solution, your hint was sufficient! :P
Updated by Jim Pingle about 11 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset cbe12b8de3fa374e535d4478ab84a4a2c5f6e725.
Updated by Jim Pingle about 11 years ago
Applied in changeset 53c5407e646028a003b2765a87dd3316b21a9497.
Updated by Chris Buechler almost 9 years ago
- Status changed from Feedback to Resolved
- Target version deleted (Future)