Hostname does not appear in remote syslog



  • I'm trying to set up a pfSense box to protect a different part of my network.  But, the remote syslog server will be on another part of the overall network.  When sending the logs, the hostname doesn't transfer.

    Here's the setup:
    pfSense firewall protects a "192." address block on the lan interface and transfers the log to a "10." address machine connected on the wan interface.

    I set up a basic temporary server using socat to receive the records until I can set up a real syslog server.  And, here's the first part of the record I get back:
    <134>Mar  4 16:29:41 pf: 750302

    The same record on the server logs is:
    Mar  4 16:29:41 intnetfw pf: 750302



  • Check the config of syslog on your log server.  You need to ensure it leaves hostnames alone.



  • It's a stock syslog.conf generated by pfSense and from what I can tell, has nothing in it to deal with the hostnames.  Also, the running of syslogd is handled by the stock commands in the /etc/inc/system.inc.

    Is there something specific I should look for which could mess with the hostnames?



  • I don't know much about syslog but I would think a remote syslog server wouldn't need to get the name of the system logging the event in the event notification because the remote syslog server can get the name from the source IP address.

    Your pfsense system sends a syslog event to a remote syslog server. The event doesn't need to include the name of the pfsense system because the syslog server can work out who sent it from the IP address of the system which sent it. (The recvfrom system call includes a parameter to receive the address of the sender. I don't know if syslogd uses recvfrom, I'm just saying there is a mechanism that would allow syslogd to figure out what system sent the notification.)



  • wallybob - yup, by default most syslog servers replace the hostname provided by the remote server with what they think is the hostname (or their own).  I know that some servers (in particular syslog-ng, which is where most of my syslog experience lies) have options that allow you to change how it treats provided hostnames.
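For anyone wanting to see exactly what the receiver has to work with, here is an added example (not from this thread, pfSense or syslog-ng) that parses the two records quoted above in BSD/RFC 3164 form, decodes the <134> priority, and falls back to the sender's address when the hostname field is absent, as the previous two posts describe. The address 192.0.2.1 is a constructed placeholder standing in for what recvfrom() would report.

```python
import re
from dataclasses import dataclass

# RFC 3164 facility and severity names, used to decode the <PRI> prefix.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd HH:MM:SS, then either "HOSTNAME TAG: msg" or just "TAG: msg".
_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$")
# A hostname token never contains ':' or '[', which is how "pf:" or "sshd[123]:" is told apart
# from a real hostname such as "intnetfw". (A tag with no colon at all would still be mistaken
# for a hostname; that is a limitation of the BSD format, not of this parser.)
_HOSTNAME = re.compile(r"^(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*) (?P<rest>.+)$")

@dataclass
class SyslogRecord:
    facility: str
    severity: str
    timestamp: str
    hostname: str
    hostname_from_packet: bool   # False when we fell back to the sender's IP address
    tag_and_msg: str

def parse_bsd_syslog(line: str, sender_ip: str) -> SyslogRecord:
    """Parse one BSD-style syslog datagram; sender_ip is the source address of the packet."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog record: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    rest = m.group("rest")
    h = _HOSTNAME.match(rest)
    if h:
        host, from_packet, body = h.group("host"), True, h.group("rest")
    else:
        # pfSense's relayed line goes straight to "pf: ...", so use the source address instead.
        host, from_packet, body = sender_ip, False, rest
    return SyslogRecord(FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group("ts"), host, from_packet, body)

if __name__ == "__main__":
    # Constructed sender address; the two records are the ones quoted in the thread.
    for raw in ("<134>Mar  4 16:29:41 pf: 750302", "<134>Mar  4 16:29:41 intnetfw pf: 750302"):
        print(parse_bsd_syslog(raw, "192.0.2.1"))
```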



  • So, in general, it won't send the hostname by default.  I was wondering if that might be the case.  I might have to look into syslog-ng or another way to transfer the system logs.

    Thanks for the information.  Much appreciated.



  • It might (I'd need to check), but the default will be for the remote server to over-write it.



  • Does anyone happen to have a syslog-ng config file that duplicates the output from pfSense's syslog.conf file?

    I think I found a start here: http://forum.pfsense.org/index.php/topic,7793.0.html

    *referenced here for anyone that might be interested.

