How can I get remote logging to work with a syslog server?
-
Hi,
I’m having problems with logging from pfSense to a syslog server. I use an old Mac mini (running OS X Leopard) as syslog server. This works partly: I only seem to get some of the log entries from pfSense into the Mac. There are some log messages from the sender „filterdns“ of level „Notice“ in the log files, also some entries of level „Error“ from syslog on pfSense itself („exiting on signal 15“). The source host of the entries is shown just fine. However other log entries from the pfSense system log or the firewall log do not appear to arrive on the Mac syslog.
The system log on the pfSense does not show any entries indicating a concrete problem. (The „exiting on signal 15“ message has been there occasionally before).
Is pfSense expected to be compatible with older syslog implementations at all? Getting a current syslog-ng onto this old Mac is probably a major hassle …
If this setup should work, what can be the problem here?
-flo-
-
I assume you have the log settings set to send all logs to the syslog server?
Run a packet capture on the interface the macmini is attached to, filter by its address and port 514 (unless you're using a different port). You should see the syslog traffic there. If you open it in Wireshark you can read the messages being sent.
Steve
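The packet capture shows the raw datagrams; reading them in Wireshark is one option. As an added example (my code, not from this thread or from pfSense), the Python script below does the same job from the receiving side: it listens on UDP 514 like a minimal syslog server, decodes each RFC 3164 datagram's PRI into facility and severity, and tallies what arrived, so the messages that reach the Mac can be compared with what the pfSense log settings claim to send. The sample datagrams, the hostname "pfSense" and the PRI values in them are constructed for the example; the hostname-versus-tag split is a heuristic, because some senders omit the HOSTNAME field.

```python
"""Minimal UDP syslog receiver and RFC 3164 decoder (added example, not from the thread)."""
import re
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Facility and severity names per RFC 3164 (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(rb"^<(\d{1,3})>")
# "Mmm dd hh:mm:ss " with the day padded by a space for single digits.
_TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Constructed sample datagrams, shaped like a daemon notice, a syslogd error and a
# firewall log line. Hostname and PRI values are assumptions, not captured traffic.
SAMPLE_DATAGRAMS = [
    b"<29>Mar  5 10:15:02 pfSense filterdns: Adding Action: pf table: example_table",
    b"<43>Mar  5 10:15:03 pfSense syslogd: exiting on signal 15",
    b"<134>Mar  5 10:15:04 filterlog: (constructed firewall log line)",
]


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: Optional[str]
    host: Optional[str]
    tag: str
    content: str


def parse_bsd_syslog(raw: bytes) -> SyslogMessage:
    """Decode one RFC 3164 datagram; raises ValueError if the <PRI> header is missing."""
    m = _PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = FACILITIES[pri // 8], SEVERITIES[pri % 8]

    rest = raw[m.end():].decode("utf-8", errors="replace")
    timestamp = None
    t = _TIMESTAMP_RE.match(rest)
    if t:
        timestamp = t.group(0).strip()
        rest = rest[t.end():]

    # Heuristic (assumption): a first token ending in ':' or carrying '[pid]' is the TAG,
    # otherwise it is the HOSTNAME. Senders that omit HOSTNAME therefore parse too.
    host = None
    first, _, remainder = rest.partition(" ")
    if first and remainder and not first.endswith(":") and "[" not in first:
        host = first
        rest = remainder

    tag, sep, content = rest.partition(":")
    if not sep:
        tag, content = "", rest
    return SyslogMessage(facility, severity, timestamp, host, tag.strip(), content.strip())


def summarize(messages: Iterable[SyslogMessage]) -> Counter:
    """Count messages per (facility, severity); gaps here show what never arrived."""
    return Counter((msg.facility, msg.severity) for msg in messages)


def serve(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Receive and print decoded datagrams until interrupted (port 514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src, _) = sock.recvfrom(4096)
        try:
            msg = parse_bsd_syslog(data)
        except ValueError as exc:
            print(f"{src}: unparseable ({exc}): {data!r}")
            continue
        print(f"{src} {msg.facility}.{msg.severity} {msg.host or '-'} {msg.tag}: {msg.content}")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; run serve() for live traffic.
    decoded = [parse_bsd_syslog(d) for d in SAMPLE_DATAGRAMS]
    for msg in decoded:
        print(msg)
    print(summarize(decoded))
```

Running `serve()` on the Mac while pfSense is sending gives a line per datagram; anything the firewall emits but the Mac's own syslogd does not file will still show up here, which separates a sender problem from a receiver problem.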
-
I have indeed activated all topics. I checked the result of this in the pfSense /etc/syslog.conf file. Looks ok to me.
Packet Capture: I will try that.
-
I'm not aware of any issue with using external logging. I have seen one instance where some log entries were truncated but they all still made it to the server.
Steve
-
Are there any additional messages on the Console.app?
-
Are there any additional messages on the Console.app?
Messages which the Mac receives are logged in system.log; however, Console.app shows these plus some more received via syslog from the pfSense. Where these are logged, and why they are not also logged in the system log, I do not understand.
I checked a packet dump and there seem to be log messages which just do not show on the Mac.
So this most probably is a Mac issue. I wanted to avoid getting a new device for logging to save money and time and used my old mini. But at least regarding the time this seems a bad investment for this purpose. I'd better get something else for that.
So, slightly off topic question: Is there a recommendation for a cheap and simple syslog target? I thought of a Pi; does anyone use one of those for logging and, if so, which operating system?
-flo-
-
Raspberry pi running just plain old https://www.raspbian.org/ with syslog-ng is more than capable of being a syslog server.
Can't you just run esxi on your mac mini, and then whatever linux/bsd/other distro you want to be your syslog?
Pretty sure esxi 6 works out of the box for mac mini; before you had to do a bit of tweaking and hacking to get it all working, but with 6 pretty sure it's OOTB ready.
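For the Raspbian-plus-syslog-ng route mentioned above, here is an added example configuration (mine, not from this thread or the syslog-ng project) that accepts UDP syslog on port 514 and writes each sending host's messages to its own dated file. The directory under /var/log, the owner and group, and the host filter value "pfsense" are assumptions; on Debian-based systems such a fragment typically goes into a file under /etc/syslog-ng/conf.d/.

```conf
# Added example, not from the thread. Paths, ownership and the hostname are assumed.
source s_remote {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

destination d_remote {
    file("/var/log/remote/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create-dirs(yes) owner("root") group("adm") perm(0640));
};

# Keep only messages whose HOST is the firewall (assumed hostname).
filter f_firewall { host("pfsense"); };

log { source(s_remote); filter(f_firewall); destination(d_remote); };
```

Check the syntax with `syslog-ng -s` before restarting the service. When messages seem to go missing, drop the `filter()` from the log path first: if the sender omits the HOSTNAME field, syslog-ng fills HOST from the source address instead, and a hostname filter silently discards those lines.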
-
There is a paid version of ESXi for the Mac under the name VMware Fusion. You can run one or multiple VMs on it while the MacOS is running. I use it and it works like a charm. I think it retails for $70, and it's on sale 25% off right now.
-
Well you can get esxi for FREE - so why would you run fusion? Fusion is more the workstation version for mac, well not even that to be honest - it's designed to run windows on your mac. This is a mini that I take it he uses as a server, so just put esxi on it for free and run whatever vms you want.
Fusion is great if you want to run that windows game on your mac, or you really like some windows app like note++ or something that only comes for windows and don't want to boot into windows like bootcamp and want to use that windows app like it's a mac app. But if what you're running is going to be on 24/7/365 as a server type server - like a syslog server.. Then that would be better suited as a vm under esxi if you ask me.
Fusion is not what he would want to run a linux distro to be a syslog server.
-
Works either way. One way it's a dedicated ESXi host where the hypervisor is the primary OS. The other way the Mac is the primary OS with a hypervisor running on top of it. Both work just fine, but if you're primarily a Mac person, running Fusion is easier than installing and setting up ESXi. Additionally, you need Windows to support ESXi because there is no Mac client (well, you can sort-of with Fusion, but it's not the same).
IMHO, both work reasonably well for this kind of application, and each has its pros and cons from a support perspective.
-
well if he is going to buy fusion, I would use it on his desktop.. And install esxi on his mini - fusion can be used to manage esxi host.
-
Could do that, but then he'd have to buy a Windows license. :)
-
Says who?? Fusion can manage esxi – you don't need to run windows to run the vclient.
You can even create your vms in fusion, and then upload them to the esxi host. Once they are on the esxi host you can edit their settings, start and stop them, etc.
https://derflounder.wordpress.com/2014/11/23/managing-esxi-hosted-virtual-machines-using-vmware-fusion-professional/
-
Very, very different experience than the ESXi client for Windows. You have to create the VM on the Mac first and then move it to ESXi. The vast majority of features aren't available on the Mac client.
And the irony is that most EMC/VMware guys I know all use Macs but run Windows in Fusion to access their products. I run a 100% Mac shop with the exception of my ESXi node and pfSense. I personally prefer using the Windows VMware client, but, yes, you are correct, you can get by with using the Mac client.
-
Ha! ;D
Somewhat off topic but amusing anyway.