Syslog (syslog-ng) server

  • Hello, I've installed syslog-ng on this machine and I am having some trouble getting pfSense to send its logs to it. I have set up syslog-ng.conf with this:

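    # Minimal receiver for pfSense. In the original paste the source block was
    # never closed and the file() path used typographic quotes, both of which
    # the syslog-ng parser rejects; both are corrected here.
    options { long_hostnames(off); sync(0); };
    # ip() is optional. If it is given it must be an address that is actually
    # configured on an interface of this host (the one pfSense sends to);
    # any other value makes the listener fail at bind time with
    # "Cannot assign requested address". Binding to that one address instead
    # of all interfaces also keeps this unauthenticated UDP listener off
    # networks that should not be able to reach it.
    source info_src {
        udp(port(514));
        # udp(ip("<address of the interface pfSense sends to>") port(514));
    };
    # NOTE(review): with syslog-ng's default keep_hostname(no), $HOST is taken
    # from the sender rather than from the hostname field inside the packet,
    # so a forged hostname cannot choose the output file name — confirm against
    # the rest of the installed syslog-ng.conf, which is not shown here.
    destination info_dst { file("/var/log/hosts/$HOST.log"); };
    # level(info) matches only messages at exactly the info priority; use a
    # range such as level(info..emerg) to also capture notice and above.
    filter info_filter { level(info); };
    log { source(info_src); filter(info_filter); destination(info_dst); };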

    This is in addition to all the default entries in syslog-ng.conf as installed. I'm not sure whether I need to give an IP address for the udp source (as the commented-out line shows), but when I uncomment that line and comment out the udp() line that only supplies port 514, I get this error when trying to start syslog-ng:

    Starting system logging: syslog-ngError binding socket; error='Cannot assign requested address (99)', addr='AF_INET('

    If someone could post their working syslog-ng.conf that accepts pfSense logging, or otherwise point me in the right direction, that would be great. Thanks.

  • Copying from various sources, I finally figured out how to do it. I'm pretty sure most of these entries are not necessary for logging pfSense, but I put them there anyway. The only pfSense log I am not getting is the "system events" log, which I assume contains the boot messages and the like. Does anyone know which filter line I need for that? Thanks.

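    #pfsense logging#
    # Receiver for pfSense remote syslog. The options block in the original
    # paste was never terminated; the closing "};" is restored below.
    options { sync (0);
              time_reopen (10);
              log_fifo_size (1000);
              long_hostnames (on);
              # use_dns(no) avoids a reverse-DNS lookup per message (no DNS
              # dependency, no stall when the resolver is down).
              use_dns (no);
              use_fqdn (no);
              # Needed so the per-day $YEAR-$MONTH-$DAY directories below are
              # created automatically.
              create_dirs (yes);
              # keep_hostname(yes) takes $HOST verbatim from the packet header
              # as sent by the client. None of the destinations here use $HOST,
              # so a forged hostname cannot influence a file path; keep that in
              # mind before adding $HOST to any file() name, because plain UDP
              # syslog carries no authentication at all.
              keep_hostname (yes);
    };
    # udp(port(514)) listens on every interface. Restrict it to the interface
    # facing pfSense with udp(ip("<local address>") port(514)) and/or firewall
    # UDP/514 to the pfSense source address, since anything that can reach the
    # port can inject arbitrary lines into these files.
    source pf-s { udp(port(514)); };
    destination pf-d_kern { file("/var/log/pfsense/$YEAR-$MONTH-$DAY/kernel"); };
    destination pf-d_mesg { file("/var/log/pfsense/$YEAR-$MONTH-$DAY/messages"); };
    destination pf-d_auth { file("/var/log/pfsense/$YEAR-$MONTH-$DAY/secure"); };
    destination pf-d_mail { file("/var/log/pfsense/$YEAR-$MONTH-$DAY/maillog"); };
    destination pf-d_uucp { file("/var/log/pfsense/$YEAR-$MONTH-$DAY/spooler"); };
    destination pf-d_boot { file("/var/log/pfsense/$YEAR-$MONTH-$DAY/boot.log"); };
    destination pf-d_emerg { file("/var/log/pfsense/$YEAR-$MONTH-$DAY/emerg.log"); };
    destination pf-d_sshd { file("/var/log/pfsense/$YEAR-$MONTH-$DAY/sshd.log"); };
    destination pf-d_pptpd { file("/var/log/pfsense/$YEAR-$MONTH-$DAY/pptpd.log"); };
    destination pf-d_daemon { file("/var/log/pfsense/$YEAR-$MONTH-$DAY/daemon.log"); };
    destination pf-d_firewall { file("/var/log/pfsense/$YEAR-$MONTH-$DAY/firewall.log"); };
    filter pf-f_kern	{ facility(kern); };
    # level(info) with a single name matches exactly the info priority, so
    # notice/warning/err messages from the excluded-facility complement never
    # reach "messages"; level(info..emerg) would collect info and above.
    filter pf-f_mesg 	{ level(info) and not facility(mail,authpriv,kern,local7); };
    filter pf-f_auth	{ facility(authpriv); };
    filter pf-f_mail 	{ facility(mail); };
    filter pf-f_uucp 	{ facility(uucp); };
    # NOTE(review): local7 is assumed here to carry boot messages — confirm
    # which facility pfSense actually uses for its "system events".
    filter pf-f_boot        { facility(local7); };
    filter pf-f_emerg     	{ level(emerg); };
    filter pf-f_sshd 	{ program("sshd"); };
    # match() without value() searches the whole message text.
    filter pf-f_pptpd       { match("pptpd"); };
    filter pf-f_daemon 	{ facility(daemon); };
    # NOTE(review): this only catches messages at exactly the debug priority;
    # firewall log lines arriving at another priority or facility would not
    # land in firewall.log — verify against pfSense's remote logging settings.
    filter pf-f_firewall 	{ level(debug); };
    log { source(pf-s); filter(pf-f_kern); destination(pf-d_kern); };
    log { source(pf-s); filter(pf-f_mesg); destination(pf-d_mesg); };
    log { source(pf-s); filter(pf-f_auth); destination(pf-d_auth); };
    log { source(pf-s); filter(pf-f_mail); destination(pf-d_mail); };
    log { source(pf-s); filter(pf-f_uucp); destination(pf-d_uucp); };
    log { source(pf-s); filter(pf-f_boot); destination(pf-d_boot); };
    log { source(pf-s); filter(pf-f_emerg); destination(pf-d_emerg); };
    log { source(pf-s); filter(pf-f_sshd); destination(pf-d_sshd); };
    log { source(pf-s); filter(pf-f_pptpd); destination(pf-d_pptpd); };
    log { source(pf-s); filter(pf-f_daemon); destination(pf-d_daemon); };
    log { source(pf-s); filter(pf-f_firewall); destination(pf-d_firewall); };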

  • Thanks for this info, very helpful.

    Going to try to use php-syslog-ng on top of it :)
    or maybe (not porn :p syslog web interface)
