Logs
-
I would like the logs (all logs: system, firewall, etc.) to be archived. There are two ways that I can see this being done (besides sending to a syslog server).
1. When the clog gets full, before it starts to remove older entries, have it save them to a UNC path (preferred) or to the local drive, or send an email with said logs.
2. Get rid of clog and have normal syslog running on pf. For those that would be performing the work, what would you charge?
-
The difference in time/effort/skillset required for either of those options is quite a bit. It would be better to indicate your preference of which approach you want. Mind you, neither approach will cost you less than remote syslogging which is extremely easy to do.
-
Actually getting rid of clog is easy. All you need to do is edit where the syslog.conf is generated and change the syntax to write out normal files.
For example, for clog we use:
!racoon *.* %/var/log/ipsec.log
Just change that to:
!racoon *.* /var/log/ipsec.log
Also be sure the file is empty (e.g. disable all of the clog instances where the log is "cleared" or initialized, and change them to rm/touch).
And I don't think 1 is possible because I don't think clog has any concept of "full" in that way. It would probably take quite a bit of coding, not to mention we don't include any of the libraries you'd need to write to a UNC path. ssh, ftp, or mail would be much more likely to happen if anything.
Personally I'm not sure how either of those is better than just redirecting syslog to a remote syslog box that is dedicated to processing these logs. You can get syslog servers for just about any OS.
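As an added illustration of the syslog.conf edit described above (this is example code, not from the thread and not pfSense's own generator script), the following POSIX shell fragment rewrites clog-style targets ("%/var/log/foo.log") into plain-file targets and initialises each file with rm/touch instead of clog. The sample config, the temp directory and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: convert a clog-style syslog.conf fragment to plain files.
# Not from the thread or from pfSense; paths and names are assumed for the demo.

# Read a syslog.conf fragment on stdin, write the converted one on stdout.
# Only non-comment lines whose action field starts with '%' (clog) are changed;
# comment lines and plain-file actions pass through untouched.
convert_syslog_conf() {
    sed -E 's,^([^#[:space:]].*[[:space:]])%(/[^[:space:]]+)$,\1\2,'
}

# Print the plain-file targets found in a converted fragment, one per line.
list_targets() {
    awk '/^[^#]/ && $NF ~ /^\/var\/log\// { print $NF }'
}

# Count the targets found in the fragment given on stdin.
count_targets() {
    list_targets | wc -l | tr -d ' '
}

# Replace the clog "clear/initialise" step with an empty regular file so that
# syslogd can simply append to it.
init_plain_log() {
    rm -f "$1" && touch "$1"
}

# Constructed sample, in the style of a generated pfSense syslog.conf
# (program selectors on their own line, as FreeBSD syslog.conf expects).
SAMPLE_CONF='!racoon
*.*                                     %/var/log/ipsec.log
!openvpn
*.*                                     %/var/log/openvpn.log
# comment lines are left alone: %/var/log/not-a-target.log
!*
*.*                                     /var/log/system.log'

# Demo: convert the sample into a scratch directory and initialise the files
# there, so running this script never touches the real /var/log.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/syslogconv.XXXXXX")
    printf '%s\n' "$SAMPLE_CONF" | convert_syslog_conf > "$d/syslog.conf"
    for target in $(list_targets < "$d/syslog.conf"); do
        init_plain_log "$d/$(basename "$target")"
    done
    echo "$d"
}

if [ "${1:-}" = "run" ]; then
    out=$(demo)
    cat "$out/syslog.conf"
    ls -l "$out"
fi
```

Run it with `sh convert.sh run` to see the converted fragment and the freshly created empty log files in the scratch directory; the web GUI would still call clog to read them, so that side needs the cat change mentioned later in the thread.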
-
That was the point I was trying to make without coming out and saying it. I, personally, looked at running a full syslogger on pfSense for a project but couldn't come up with a compelling reason to do it that justified the effort when exporting to a remote syslogger was quite easy.
-
I don't have any computers that are on 24/7 that could easily run a syslog server. I was looking into disabling clog but then saw that a user had made a package to do just that and would publish it if anyone was interested, so I IMed them and posted this bounty, but they have not gotten back to me.
What would work with the stated restrictions would be 2, which jimp says is easily done, or 1, with emails of logs.
I will give jimp's method a try and post back in a few days.
-
Cool, good luck. I'm going to move this out of Bounties and into General if there are no objections, this is clearly not going to turn into a bounty project.
-
That's fine. Posted here as I thought it would be a lot harder than my available skill set.
-
I did as you said, jimp, and the ones I made the changes to are not populating with anything except this:
Segmentation fault (core
This entry is only in the webgui log, the actual log file itself is empty, just as it was before I made the edits to syslog.conf.
-
Ah, yeah, the GUI calls clog to read the logs, that would just need to be changed to cat.
Though that doesn't explain why the files themselves are empty. There's probably some other place that is still trying to use clog on the files.
-
Well it looks like I did something wrong as the syslog.conf is back to defaults and the two logs I edited are still giving that error.
-
Had to reboot the system to get my logs working. What I did stopped the logs generating for everything. Not sure what I messed up.