Bug #355: syslog should not bind on * - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #355

closed

syslog should not bind on *

Added by Chris Buechler almost 15 years ago. Updated almost 9 years ago.

Status:

Resolved

Priority:

Low

Assignee:

Category:

Logging

Target version:

Start date:

02/12/2010

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

All

Affected Architecture:

Description

list post from Paul Mansfield:

I tweak /etc/inc/system.inc so that syslogd is bound ONLY to localhost,
and then I can set pfsense to also log to another local IP, then install
syslog-ng on that IP so that I can do interesting things to the logs and
also push them remotely.

Please can you change the default configuration by tweaking
/etc/inc/system.inc as follows, I can't see any downside in pfsense and
not having syslogd listening on all addresses would actually make things
more secure. thanks!

note there's missing EOL in the standard file too

diff system.inc.old system.inc
451c451
< $retval = mwexec("/usr/sbin/syslogd -c -s -f {$g['varetc_path']}/syslog.conf");
---

$retval = mwexec("/usr/sbin/syslogd -b 127.0.0.1

-c -s -f {$g['varetc_path']}/syslog.conf");
453c453
< $retval = mwexec("/usr/sbin/syslogd -c -ss -f {$g['varetc_path']}/syslog.conf");
---

$retval = mwexec("/usr/sbin/syslogd -b 127.0.0.1

c -ss -f {$g['varetc_path']}/syslog.conf");
456c456
< $retval = mwexec("/usr/sbin/syslogd -c -ss");
--

$retval = mwexec("/usr/sbin/syslogd -b 127.0.0.1 -c -ss");

1285c1285

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jim Pingle over 14 years ago

When I add this change, I am then unable to then redirect the logs to a remote host from the GUI as normal, the same setup works fine without the localhost binding.

Should we do this conditionally, perhaps only bind to localhost if there are no remote syslog servers defined?

Actions

Copy link

Updated by Chris Buechler over 14 years ago

I thought there was a catch along those lines here. Though it's interesting that Paul can log to syslog-ng running locally by IP, maybe because it's logging from 127.0.0.1 to another local IP in that case. Implementing it to only do that when not logging to a remote host would defeat the purpose that Paul is looking for, but it may not be possible to accommodate that scenario.

Actions

Copy link

Updated by Dan Swartzendruber over 14 years ago

Jim P wrote:

When I add this change, I am then unable to then redirect the logs to a remote host from the GUI as normal, the same setup works fine without the localhost binding.

Should we do this conditionally, perhaps only bind to localhost if there are no remote syslog servers defined?

this is really odd. i don't understand why the address pfsense syslogd binds to would prevent sending datagrams to a remote syslog host. hmmmm....

Actions

Copy link

Updated by Dan Swartzendruber over 14 years ago

Only thing I can think of is that it somehow was invoking syslogd with the '-ss' flag to prevent any network usage. Was that it maybe, Jim?

Actions

Copy link

Updated by Paul Mansfield over 14 years ago

I was the original proposer..

I have syslogd bound only to localhost and I successfully get it to repeat the syslog message to a different IP (usually the sync IP) on which syslog-ng is listening, so I am not sure why you think this breaks syslog forwarding off host, unless of course (thinking aloud) that binding syslogd to localhost means it can't send UDP off-host?

Actions

Copy link

Updated by Paul Mansfield over 14 years ago

Paul Mansfield wrote:

I was the original proposer..

I have syslogd bound only to localhost and I successfully get it to repeat the syslog message to a different IP (usually the sync IP) on the same firewall, on which syslog-ng is listening, so I am not sure why you think this breaks syslog forwarding off host, unless of course (thinking aloud) that binding syslogd to localhost means it can't send UDP off-host?

Actions

Copy link

Updated by Chris Buechler over 14 years ago

Target version changed from 2.0 to Future
Affected Version changed from 2.0 to All

This does break off-host syslogging, moving to Future.

Actions

Copy link

Updated by Michele Di Maria almost 12 years ago

Another issue related to this task is logging to a remote syslog server, where remote I mean to the other side of a Point-To-Point VPN.
If seems like that if syslogd is not binded to a specific interface/IP address (the local side of the VPN), the packets will never arrive to the other side of the VPN.

Or am I wrong?

Thanks,
Michele

Actions

Copy link

Updated by Jim Pingle almost 12 years ago

It depends on the type of VPN. With OpenVPN it works fine, it just sources the syslog traffic from the tunnel interface IP.

With IPsec it's a bit different, it does require you to add a static route to work around the binding.

Actions

Copy link

#10

Updated by Michele Di Maria almost 12 years ago

Wow, yes. I just created a fake gateway using the local interface IP address (which is a bridge interface), and a static route for my remote syslog server that uses that gateway, and it does work!
It looks like a workaround, but it does the job. Thanks Jim!

Actions

Copy link

#11

Updated by Jim Pingle almost 12 years ago

That has been documented for quite some time on the doc wiki:
http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

Actions

Copy link

#12

Updated by Michele Di Maria almost 12 years ago

Mh, I was googling for the wrong keywords (focusing on binding syslogd to a specific interface/address)...
Thanks for giving me the hint, but I swear, I didn't read the solution, your hint was sufficient! :P

Actions

Copy link

#13