Syslog Server Setup?

Visseroth

Guru
Joined
Nov 4, 2011
Messages
546
Anyone have any suggestions on getting a syslog server setup and running.
I'd like to collect logs from my firewall (pfSense w/Snort), FreeNAS, associated jails and Ubiquiti AP.

I've tried this thread...
https://forums.freenas.org/index.php?threads/how-to-install-a-syslog-server-jail.30357/
but some of the packages are obsolete so I tried using updated packages using the same install instructions but hit a block and posted it on that thread on the last page...
https://forums.freenas.org/index.php?threads/how-to-install-a-syslog-server-jail.30357/page-3

I was thinking of pulling a syslog server via docker though I've never done that before.

Any help and/or suggestions appreciated.
 
Joined
Dec 29, 2014
Messages
1,135
Whatever your favorite flavor of open source Unix would be your best bet. That assumes you are a Unix person. There are also syslog servers you can get for Windows as well if that is your preference. Most unix varieties will default to have syslog only listen on the loopback interface, so it is only available to the local machine. It would have to listen on one of its actual network interfaces to do that. FreeBSD is my preference, and I do that with my FreeBSD host. Here is what the default looks like in "/etc/defaults/rc.conf".
Code:
syslogd_flags="-s"              # Flags to syslogd (if enabled).

I have this in my "/etc/rc.conf" to make it listen to its network interfaces.
Code:
syslogd_flags=""

That is about all there is to it other than making sure all the hosts that you want to send log entries can reach the log host.

Edit: I did forget to mention that FreeBSD runs syslogd by default as noted by this entry from "/etc/defaults/rc.conf"
Code:
syslogd_enable="YES"            # Run syslog daemon (or NO).
 

Visseroth

Guru
Joined
Nov 4, 2011
Messages
546
I don't really like Windowz and don't really want to get into why.
I would like to keep it all in a jail utilizing the available space and resources of the server and since it's running all the time anyhow I believe it to be the best place to put it.

So you're saying FreeBSD accepts syslogs by default but not from the whole network unless configured to do so.
So how do you filter through, look at your logs and setup alerts and alarms?

I was following that how to but got stuck at the analyzer as it didn't even show up as available.
 
Joined
Dec 29, 2014
Messages
1,135
So you're saying FreeBSD accepts syslogs by default but not from the whole network unless configured to do so.
It runs syslogd by default. By default it only listens on the loopback interface. The change to syslogd_flags makes it listen on all interfaces. I know that is kind of splitting hairs, but it seems relevant to differentiate it in my nerdly anal retentive view. :)

I run all my VMs on ESXi, so I don't have any relevant comments on doing it in a jail. It needs to be accessible to all the devices that want to send it logs. You differentiate them by facility. There are 8 different local facilities that you can use to break things up by category. They are described pretty well here. https://en.wikipedia.org/wiki/Syslog#Facility. I break up my firewall, IDS/IPS, switches, etc among the different facilities which are stored in different files. Here is what my syslog.conf looks like.
Code:
# grep local /etc/syslog.conf
local0.*                                        /var/log/local0.log
local1.*                                        /var/log/local1.log
local2.*                                        /var/log/local2.log
local3.*                                        /var/log/local3.log
local4.*                                        /var/log/local4.log
local5.*                                        /var/log/local5.log
local6.*                                        /var/log/local6.log
local7.*                                        /var/log/local7.log
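Added example (not from the thread): what the facility split above does to an incoming message. A syslog client encodes facility and severity into the `<PRI>` number at the front of the datagram as facility * 8 + severity (local0..local7 are facilities 16..23, so a pfSense box sending at local0.info sends `<134>`). The script decodes that number and then walks a constructed syslog.conf fragment to print every file the message would land in, including a catch-all `*.err` line, so that the "at this severity or more urgent" rule of a level selector is visible. It handles only the simple `facility.level` selector form shown in the post, not comma or semicolon lists.

```shell
#!/bin/sh
# Added example: decode a syslog PRI value and look up which syslog.conf
# destinations a message with that facility/severity would be written to.
# Facility and severity numbers follow RFC 5424; the config fragment is constructed.

facility_name() {
    case "$1" in
        0) echo kern ;;   1) echo user ;;   2) echo mail ;;     3) echo daemon ;;
        4) echo auth ;;   5) echo syslog ;; 6) echo lpr ;;      7) echo news ;;
        8) echo uucp ;;   9) echo cron ;;   10) echo authpriv ;; 11) echo ftp ;;
        16) echo local0 ;; 17) echo local1 ;; 18) echo local2 ;; 19) echo local3 ;;
        20) echo local4 ;; 21) echo local5 ;; 22) echo local6 ;; 23) echo local7 ;;
        *) echo unknown ;;
    esac
}

severity_name() {
    case "$1" in
        0) echo emerg ;; 1) echo alert ;;  2) echo crit ;; 3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;; 7) echo debug ;;
    esac
}

# Reverse mapping; '*' in a selector means every severity (numerically <= 7).
severity_num() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        '*') echo 7 ;;
    esac
}

# PRI = facility * 8 + severity, e.g. 134 -> local0.info
decode_pri() {
    pri=$1
    echo "$(facility_name $((pri / 8))).$(severity_name $((pri % 8)))"
}

# Constructed syslog.conf fragment mirroring the per-facility split in the post,
# plus a catch-all line so the severity threshold rule is exercised.
sample_syslog_conf() {
    cat <<'EOF'
# constructed fragment for the example
*.err                                           /var/log/messages
local0.*                                        /var/log/local0.log
local1.*                                        /var/log/local1.log
local7.notice                                   /var/log/local7.log
EOF
}

# Print every destination whose selector matches facility $1 at severity $2.
# A level selector matches that severity and anything more urgent (lower number).
routes_for() {
    fac=$1
    sev=$(severity_num "$2")
    sample_syslog_conf | while read -r selector action; do
        case "$selector" in ''|'#'*) continue ;; esac
        sel_fac=${selector%%.*}
        sel_lvl=${selector#*.}
        [ "$sel_fac" = '*' ] || [ "$sel_fac" = "$fac" ] || continue
        [ "$sev" -le "$(severity_num "$sel_lvl")" ] || continue
        echo "$action"
    done
}

# Decode a PRI and show where the message goes.
route_pri() {
    fs=$(decode_pri "$1")
    echo "<$1> = $fs ->"
    routes_for "${fs%%.*}" "${fs#*.}"
}

route_pri 134   # local0.info  -> /var/log/local0.log
route_pri 187   # local7.err   -> /var/log/messages and /var/log/local7.log
route_pri 190   # local7.info  -> nothing: below the notice threshold
```

The practical use is checking, before pointing a new device at the log host, that the facility it is configured to send on actually has a line in syslog.conf; a facility with no matching selector is silently discarded.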
 

guermantes

Patron
Joined
Sep 27, 2017
Messages
213
It runs syslogd by default. By default it only listens on the loopback interface. The change to syslogd_flags makes it listen on all interfaces. I know that is kind of splitting hairs, but it seems relevant to differentiate it in my nerdly anal retentive view. :)

I run all my VMs on ESXi, so I don't have any relevant comments on doing it in a jail. It needs to be accessible to all the devices that want to send it logs. You differentiate them by facility. There are 8 different local facilities that you can use to break things up by category. They are described pretty well here. https://en.wikipedia.org/wiki/Syslog#Facility. I break up my firewall, IDS/IPS, switches, etc among the different facilities which are stored in different files. Here is what my syslog.conf looks like.
Code:
# grep local /etc/syslog.conf
local0.*                                        /var/log/local0.log
local1.*                                        /var/log/local1.log
local2.*                                        /var/log/local2.log
local3.*                                        /var/log/local3.log
local4.*                                        /var/log/local4.log
local5.*                                        /var/log/local5.log
local6.*                                        /var/log/local6.log
local7.*                                        /var/log/local7.log
Sorry for necromancing, but do you use any particular software to view the logs? Or do you just cat & grep them?
 
Joined
Dec 29, 2014
Messages
1,135
No, no special software. Just standard unix utilities.
 