Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Syslog-ng not binding to multiple interfaces (incorrect config being generated)

    Scheduled Pinned Locked Moved
    2.4 Development Snapshots
    1
    1
    1.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      A Former User
      last edited by

      Tracing through why syslog-ng was not recording log entries from my networks, even though everything, including firewall logs, show packets being received,  I found that syslog-ng is only binding to the last configured interface.  Look at the configuration being generated by pfSense, it is placing all the IP address to bind too in a single syslog() driver statement.  This results in syslog-ng only binding to the last defined IP (interface) in the syslog() driver declaration.  This can be verified by logging into a command shell and check active listening ports using 'netstat -n | grep 5140'

      Looking through the syslog-ng 3.13 documentation, it does not indicate that multiple ip() directives can be used inside a syslog() driver definition, and various configuration examples I could find show using multiple source driver statements in the source definition block.

      Modifying the configuration file to break up the "ip(xx.xx.xx.xx)" bindings to multiple syslog() driver statements and then manually starting syslog-ng, it correctly binds to all defined interfaces.

      Example pfSense generated config (/usr/local/etc/syslog-ng.conf) that will only bind to the last defined interface:

      # This file is automatically generated by pfSense
# Do not edit manually !
@version:3.13
destination _DEFAULT { file("/var/syslog-ng/default.log"); };
log { source(_DEFAULT); destination(_DEFAULT); };
source _DEFAULT { internal(); syslog(transport(udp) port(5140) ip(192.168.1.1) ip(192.168.3.1) ip(192.168.6.1) ip(192.168.9.1) ip(127.0.0.1)); };

      Modified configuration that binds all defined interfaces.

      @version:3.13
destination _DEFAULT { file("/var/syslog-ng/default.log"); };
log { source(_DEFAULT); destination(_DEFAULT); };
source _DEFAULT { internal(); syslog(transport(udp) port(5140) ip(192.168.1.1));
syslog(transport(udp) port(5140) ip(192.168.3.1)); syslog(transport(udp) port(5140) ip(192.168.6.1)); syslog(transport(udp) port(5140) ip(192.168.9.1)); syslog(transport(udp) port(5140) ip(127.0.0.1)); };

      References:

      https://syslog-ng.com/documents/html/syslog-ng-ose-3.13-guides/en/syslog-ng-ose-guide-admin/html/configuring-sources-syslog.html

      https://syslog-ng.com/documents/html/syslog-ng-ose-3.13-guides/en/syslog-ng-ose-guide-admin/html/reference-source-syslog-chapter.html

      Unrelated to the interface bindings, but also noticed errors in the system log about syslog-ng failing daemon stop/start calls:

      /pkg_edit.php: The command '/usr/local/etc/rc.d/syslog-ng.sh stop' returned exit code '1', the output was ''

      Running /usr/local/etc/rc.d/syslog-ng stop from command shell produces the following output:

      Cannot 'stop' syslog_ng.  Set syslog_ng_enable to YES in /etc/rc.conf or use 'onestop' instead of 'stop'.

      Running /usr/local/etc/rc.d/syslog-ng onestop  or onestart, syslog-ng stops and starts without error.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post