
List:       openbsd-misc
Subject:    Re: Socklog on OpenBSD -current
From:       Stuart Henderson <stu () spacehopper ! org>
Date:       2016-03-31 20:20:46
Message-ID: slrnnfr1ku.rm6.stu () naiad ! spacehopper ! org

On 2016-03-30, Predrag Punosevac <punosevac72@gmail.com> wrote:
> On 3/29/16 5:42 PM, Stuart Henderson wrote:
>> On 2016-03-29, Jeff Ross <jross@openvistas.net> wrote:
>>> Greetings all!
>>>
>>> I've been away from OpenBSD for a while and for sure I've missed more
>>> than a few things.  Just updated a firewall in anticipation of upgrading
>>> my server but there are things that have changed.
>>>
>>> What has me puzzled now is the change to syslogd.  For literally years
>>> I've run socklog from ports to replace the stock syslog with no problems
>>> but now it simply doesn't work on 5.9 -current.
>>>
>>> My former installations of socklog all listen to /dev/log but when I
>>> couldn't get anything to work listening there I switched to listening to
>>> 0.0.0.0:514 but still no joy.
>>>
>>> If anyone out there is using socklog, or possibly any alternative to
>>> syslog, I'd sure appreciate a clue by four to get socklog running again.
>> OpenBSD's syslog functions now use sendsyslog(2) which doesn't use
>> /dev/log sockets any more.
>>
>> Here is where syslogd was modified to do things this way:
>>
>> http://anoncvs.spacehopper.org/openbsd-src/commit/?id=c40e16771993e74275857863c928d7f9cffe3699
>> - it's probably not all that complex to convert other logging daemons,
>> but afaik nobody has yet felt the need to do this for any of the
>> alternative log daemons in ports.
>>
>> If you don't want to write code and want to stick with socklog,
>> the easiest way is probably a minimal syslogd(8) setup that
>> forwards everything via UDP.
>>
> Hi Stuart,
>
> Could you please clarify something to me? I am running a centralized
> logging server using syslog-ng from the ports. The way I read your
> e-mail is that I will no longer be able to log messages using syslog-ng
> from the local host but the port will continue to work as expected.

Yes, this isn't particularly new though, it changed in 5.6.

> Would I be able to run syslogd for the local host and syslog-ng for
> remote hosts simultaneously? IIRC I saw people posting on misc who were
> doing that in the past but I think when I played with it syslog-ng
> didn't want to start until I turned off syslogd.

You can run two simultaneously but you'll need to get one of them to
bind to a specific IP address.

> How suitable is syslogd
> from the base as a centralized logging server? I know that it supports
> TCP and TLS now but does it play well with rsyslog or syslog-ng? I have
> a bunch of Linux servers to log.

If you can get them to feed it syslog messages using either the usual
UDP-based syslog protocol or using a TCP/TLS protocol then that should
work fine (IIRC the TLS code was developed against one of these,
possibly rsyslog?). syslogd(8) / syslog.conf(5) gained +host/++host
matching that allows you to separate logs between different hosts
into different files which can be useful on a centralised log host.
There are lots of options of how to set this all up.
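
The per-host separation idea described above, as an added Python example (not part of the original message, and not how syslogd(8) implements +host matching): it parses UDP-style syslog lines and picks a per-host file, treating the hostname field as untrusted sender input. The function names, base directory and sample datagrams are constructed for illustration.

```python
import re
from pathlib import Path

# BSD syslog (RFC 3164) line: <PRI>Mmm dd hh:mm:ss HOST TAG: message
_LINE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S)
# Conservative file-name whitelist: letters, digits, dot, hyphen (IPv4 peers pass).
_SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def parse(datagram: bytes, peer_ip: str) -> dict:
    """Split one datagram into facility, severity, claimed host and message."""
    text = datagram.decode("utf-8", "replace").rstrip("\n")
    m = _LINE.match(text)
    if not m or int(m.group(1)) > 191:
        # No usable header: RFC 3164 relays fall back to PRI 13 (user.notice);
        # attribute the line to the sender's address instead of a claimed name.
        return {"facility": 1, "severity": 5, "host": peer_ip, "msg": text}
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7,
            "host": m.group(3), "msg": m.group(4)}

def log_path(base: Path, host: str) -> Path:
    """Map a claimed hostname to a file under base, never outside it."""
    name = host.lower()
    if not _SAFE_HOST.match(name) or ".." in name:
        name = "_invalid"  # forged or malformed names share one quarantine file
    return base / f"{name}.log"

def route(base: Path, datagrams) -> dict:
    """Group messages by destination file; nothing is written to disk here."""
    out = {}
    for data, peer in datagrams:
        rec = parse(data, peer)
        out.setdefault(log_path(base, rec["host"]), []).append(rec["msg"])
    return out

# Constructed sample input: (datagram, sender address) pairs.
SAMPLE = [
    (b"<38>Mar 31 20:20:46 web1 sshd[4242]: Accepted publickey for deploy", "192.0.2.11"),
    (b"<13>Mar 31 20:20:47 db1 backup: dump finished", "192.0.2.12"),
    (b"<38>Mar 31 20:20:48 ../../etc/cron x: forged hostname", "192.0.2.66"),
    (b"no header at all", "192.0.2.13"),
]

if __name__ == "__main__":
    for path, msgs in route(Path("/var/log/hosts"), SAMPLE).items():
        print(path, msgs)
```
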
