Bug #355

closed

syslog should not bind on *

Added by Chris Buechler over 11 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Low
Assignee: -
Category: Logging
Target version: -
Start date: 02/12/2010
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

List post from Paul Mansfield:

I tweak /etc/inc/system.inc so that syslogd is bound ONLY to localhost,
and then I can set pfSense to also log to another local IP, then install
syslog-ng on that IP so that I can do interesting things to the logs and
also push them remotely.

Please can you change the default configuration by tweaking
/etc/inc/system.inc as follows? I can't see any downside in pfSense, and
not having syslogd listening on all addresses would actually make things
more secure. Thanks!

Note there's a missing EOL in the standard file too.

# diff system.inc.old system.inc
    451c451
    < $retval = mwexec("/usr/sbin/syslogd -c -s -f {$g['varetc_path']}/syslog.conf");
    ---

$retval = mwexec("/usr/sbin/syslogd -b 127.0.0.1

-c -s -f {$g['varetc_path']}/syslog.conf");
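Review bot: the address given to `-b` is also the source address of every datagram this socket sends, so with `-b 127.0.0.1` syslogd can still deliver to another local IP (the syslog-ng setup described above) but not to an off-host syslog server, which is the breakage reported in the first follow-up; make the `-b` conditional on no remote syslog servers being configured, or leave this line with `-s` alone. As pasted, the replacement line has lost its `>` marker and is wrapped across two lines, so the hunk cannot be applied as-is; `diff -u` output would be easier to review and apply.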
453c453
< $retval = mwexec("/usr/sbin/syslogd -c -ss -f {$g['varetc_path']}/syslog.conf");
---

$retval = mwexec("/usr/sbin/syslogd -b 127.0.0.1

c -ss -f {$g['varetc_path']}/syslog.conf");
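Review bot: the `-b 127.0.0.1` added here is redundant: this line already passes `-ss`, and with `-s` given twice syslogd opens no network socket at all, so there is nothing to bind (and no remote forwarding is possible either, whatever the address). The pasted replacement also reads `c -ss`, with the dash of `-c` dropped, and is again missing its `>` marker.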
456c456
< $retval = mwexec("/usr/sbin/syslogd -c -ss");
--

$retval = mwexec("/usr/sbin/syslogd -b 127.0.0.1 -c -ss");
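Review bot: same point as the previous hunk: `-ss` already means no network socket is opened, so `-b 127.0.0.1` changes nothing in this invocation. The separator here is `--` rather than the `---` that normal diff output uses, so this part of the diff would not be accepted by `patch`.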

1285c1285
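As an added check, not code from the report or from pfSense: this POSIX shell snippet shows where syslogd is actually bound by reading sockstat(1)-style output, and decodes the -b/-s/-ss combinations that the diff above toggles. The sockstat lines and the syslog.conf path are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the bug report or from pfSense. It reads
# sockstat(1)-style output to see where syslogd is bound, and decodes the
# syslogd(8) flags discussed in this ticket (-b, -s, -ss).

# Constructed sockstat -l sample, not captured from a real firewall.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     syslogd    1234  6  udp4   *:514                 *:*
root     syslogd    1234  7  udp6   *:514                 *:*
root     ntpd       900   20 udp4   *:123                 *:*
root     syslogd    1234  8  dgram  /var/run/log'

# Print the local address of each UDP socket owned by syslogd, one per line.
syslogd_udp_binds() {
    printf '%s\n' "$1" | awk '$2 == "syslogd" && $5 ~ /^udp/ { print $6 }'
}

# Count syslogd UDP sockets on the wildcard address ("*:port"); the ticket asks
# for this to be zero by default.
syslogd_wildcard_count() {
    syslogd_udp_binds "$1" | grep -c '^\*:'
}

# Describe what a syslogd command line does with the network:
#   open   - socket open, remote messages accepted (no -s)
#   secure - socket open so forwarding works, remote messages dropped (-s)
#   closed - no network socket at all, so forwarding is impossible too (-ss)
# followed by the -b bind address, or "*" when none is given.
syslogd_network_mode() {
    mode=open; bind='*'; want_bind=0
    for word in $1; do
        if [ "$want_bind" = 1 ]; then bind=$word; want_bind=0; continue; fi
        case "$word" in
            -ss) mode=closed ;;
            -s)  if [ "$mode" = secure ]; then mode=closed; else mode=secure; fi ;;
            -b)  want_bind=1 ;;
        esac
    done
    echo "$mode $bind"
}

# Stand-alone run: report on the sample and on two invocations shaped like the diff
# (the syslog.conf path is a placeholder, not pfSense's real one).
echo "wildcard syslogd sockets: $(syslogd_wildcard_count "$SOCKSTAT_SAMPLE")"
syslogd_network_mode "/usr/sbin/syslogd -b 127.0.0.1 -c -s -f /path/to/syslog.conf"
syslogd_network_mode "/usr/sbin/syslogd -c -ss"
```

On a live FreeBSD or pfSense box the same functions can be fed `sockstat -l` output and the actual syslogd command line from `ps`.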

Actions #1

Updated by Jim Pingle over 11 years ago

When I add this change, I am then unable to redirect the logs to a remote host from the GUI as normal; the same setup works fine without the localhost binding.

Should we do this conditionally, perhaps only bind to localhost if there are no remote syslog servers defined?

Actions #2

Updated by Chris Buechler over 11 years ago

I thought there was a catch along those lines here. Though it's interesting that Paul can log to syslog-ng running locally by IP, maybe because it's logging from 127.0.0.1 to another local IP in that case. Implementing it to only do that when not logging to a remote host would defeat the purpose that Paul is looking for, but it may not be possible to accommodate that scenario.

Actions #3

Updated by Dan Swartzendruber over 11 years ago

Jim P wrote:

When I add this change, I am then unable to redirect the logs to a remote host from the GUI as normal; the same setup works fine without the localhost binding.

Should we do this conditionally, perhaps only bind to localhost if there are no remote syslog servers defined?

This is really odd. I don't understand why the address pfSense syslogd binds to would prevent sending datagrams to a remote syslog host. Hmmmm....

Actions #4

Updated by Dan Swartzendruber over 11 years ago

Only thing I can think of is that it somehow was invoking syslogd with the '-ss' flag to prevent any network usage. Was that it maybe, Jim?

Actions #5

Updated by Paul Mansfield over 11 years ago

I was the original proposer.

I have syslogd bound only to localhost and I successfully get it to repeat the syslog message to a different IP (usually the sync IP) on which syslog-ng is listening, so I am not sure why you think this breaks syslog forwarding off host, unless of course (thinking aloud) binding syslogd to localhost means it can't send UDP off-host?

Actions #6

Updated by Paul Mansfield over 11 years ago

Paul Mansfield wrote:

I was the original proposer.

I have syslogd bound only to localhost and I successfully get it to repeat the syslog message to a different IP (usually the sync IP) on the same firewall, on which syslog-ng is listening, so I am not sure why you think this breaks syslog forwarding off host, unless of course (thinking aloud) binding syslogd to localhost means it can't send UDP off-host?

Actions #7

Updated by Chris Buechler about 11 years ago

  • Target version changed from 2.0 to Future
  • Affected Version changed from 2.0 to All

This does break off-host syslogging, moving to Future.

Actions #8

Updated by Michele Di Maria over 8 years ago

Another issue related to this task is logging to a remote syslog server, where by remote I mean the other side of a point-to-point VPN.
It seems that if syslogd is not bound to a specific interface/IP address (the local side of the VPN), the packets never arrive at the other side of the VPN.

Or am I wrong?

Thanks,
Michele

Actions #9

Updated by Jim Pingle over 8 years ago

It depends on the type of VPN. With OpenVPN it works fine, it just sources the syslog traffic from the tunnel interface IP.

With IPsec it's a bit different; it does require you to add a static route to work around the binding.

Actions #10

Updated by Michele Di Maria over 8 years ago

Wow, yes. I just created a fake gateway using the local interface IP address (which is a bridge interface), and a static route for my remote syslog server that uses that gateway, and it does work!
It looks like a workaround, but it does the job. Thanks Jim!

Actions #12

Updated by Michele Di Maria over 8 years ago

Mh, I was googling for the wrong keywords (focusing on binding syslogd to a specific interface/address)...
Thanks for giving me the hint, but I swear, I didn't read the solution, your hint was sufficient! :P

Actions #13

Updated by Jim Pingle almost 8 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Actions #15

Updated by Chris Buechler over 5 years ago

  • Status changed from Feedback to Resolved
  • Target version deleted (Future)