I have recently set up a Fortigate-60 to run as a firewall/vpn on my home network. I have a FreeBSD 7.0-prerelease machine sitting behind it in the DMZ which is running ssh/web/etc. I'm trying to get the FG to log to the BSD box's syslog. I have set up the necessary stuff on the FG, and can send test logs from there to the bsd box. Running tcpdump on the bsd box gives me this when sending those test logs:

[EMAIL PROTECTED] ports]$ tcpdump -n -e -ttt -vv -i dc0 port 514
tcpdump: listening on dc0, link-type EN10MB (Ethernet), capture size 96 bytes
000000 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 468: (tos 0x0, ttl 64, id 53661, offset 0, flags [none], proto UDP (17), length 454) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 426
       Facility local7 (23), Severity warning (4)
       Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000196 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 337: (tos 0x0, ttl 64, id 53662, offset 0, flags [none], proto UDP (17), length 323) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 295
       Facility local7 (23), Severity warning (4)
       Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000227 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 337: (tos 0x0, ttl 64, id 53663, offset 0, flags [none], proto UDP (17), length 323) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 295
       Facility local7 (23), Severity warning (4)
       Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000292 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 447: (tos 0x0, ttl 64, id 53664, offset 0, flags [none], proto UDP (17), length 433) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 405
       Facility local7 (23), Severity warning (4)
       Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000230 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 324: (tos 0x0, ttl 64, id 53665, offset 0, flags [none], proto UDP (17), length 310) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 282
       Facility local7 (23), Severity warning (4)
       Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000143 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 247: (tos 0x0, ttl 64, id 53666, offset 0, flags [none], proto UDP (17), length 233) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 205
       Facility local7 (23), Severity warning (4)
       Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000152 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 279: (tos 0x0, ttl 64, id 53667, offset 0, flags [none], proto UDP (17), length 265) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 237
       Facility local7 (23), Severity warning (4)
       Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000152 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 299: (tos 0x0, ttl 64, id 53668, offset 0, flags [none], proto UDP (17), length 285) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 257
       Facility local7 (23), Severity warning (4)
       Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
^C


So I know that the packets are getting to the machine. I've set up syslogd to accept packets from 10.10.10.1/32 in rc.conf, and confirmed that the FG's IP should be accepted by syslogd:
[EMAIL PROTECTED] ports]$ grep syslogd /etc/rc.conf
syslogd_flags="-a 10.10.10.1/32"
[EMAIL PROTECTED] ports]$ ps auxww | grep syslogd
root 8538 0.0 0.1 3156 1088 ?? Ss 10:44AM 0:00.02 /usr/sbin/syslogd -l /var/run/log -l /var/named/var/run/log -a 10.10.10.1/32

The FG is set to log via local7, and I've set that up too:
[EMAIL PROTECTED] ports]$ grep local7 /etc/syslog.conf
local7.*                                        /var/log/fortigate

The log file exists as well:
[EMAIL PROTECTED] ports]$ ls -l /var/log/fortigate
-rw-r-----  1 root  wheel  0 Jan 11 07:22 /var/log/fortigate

In desperation, I even added this to my /etc/syslog.conf, trying to get the messages to appear anywhere, but they aren't showing up in all.log either:
*.*                                           /var/log/all.log

I've restarted syslogd after every change I've made, but no dice. Can anyone shed some light on why these messages aren't logging and what I need to do to fix it?


Thanks so much!
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
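Added example, not part of the original post or of FreeBSD's own code: a small Python checker that takes SYSLOG packets parsed from tcpdump output in the shape shown above and applies the matching that FreeBSD syslogd(8) performs for each "-a allowed_peer" rule. With the ipaddr/masklen[:service] form, an omitted service means only datagrams whose source port is the syslog port (UDP 514) are accepted, and ":*" matches any source port. The capture embedded in the script is constructed: the first packet mirrors the post's packets (source port 3023), the second is the same packet sent from port 514. Only IPv4 address/mask rules are modelled; the hostname forms of -a are not.

```python
"""Audit tcpdump SYSLOG lines against FreeBSD syslogd -a allowed_peer rules.

Added example (not from the original post). Models the address and source-port
check syslogd(8) applies to incoming UDP datagrams for the ipaddr/masklen[:service]
rule form: no service -> only source port 514 is accepted, ':*' -> any port.
Assumption: IPv4 rules only (the ':' service separator is split from the right).
"""
import ipaddress
import re

# Constructed sample in the shape of the tcpdump -vv output quoted in the post.
# Packet 1 comes from source port 3023 (as in the post), packet 2 from port 514.
SAMPLE_CAPTURE = """\
000000 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 468: (tos 0x0, ttl 64, id 53661, offset 0, flags [none], proto UDP (17), length 454) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 426
       Facility local7 (23), Severity warning (4)
       Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000196 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), length 337: (tos 0x0, ttl 64, id 53662, offset 0, flags [none], proto UDP (17), length 323) 10.10.10.1.514 > 10.10.10.2.514: SYSLOG, length: 295
       Facility local7 (23), Severity warning (4)
       Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
"""

SYSLOG_PORT = 514  # what syslogd uses when the :service part is omitted

# "src.sport > dst.dport: SYSLOG" as printed by tcpdump for UDP port 514
PKT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): SYSLOG")
# "Facility local7 (23), Severity warning (4)" from tcpdump's syslog decoder
PRI_RE = re.compile(r"Facility (\w+) \((\d+)\), Severity (\w+) \((\d+)\)")


def parse_capture(text):
    """Return one dict per SYSLOG packet: src, sport, dst, dport, facility, severity."""
    packets = []
    current = None
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            current = {"src": m.group(1), "sport": int(m.group(2)),
                       "dst": m.group(3), "dport": int(m.group(4)),
                       "facility": None, "severity": None}
            packets.append(current)
            continue
        m = PRI_RE.search(line)
        if m and current is not None:
            current["facility"] = m.group(1)
            current["severity"] = m.group(3)
    return packets


def parse_allowed_peer(spec):
    """Parse 'ipaddr/masklen[:service]' the way syslogd -a does.

    Returns (network, port) where port is None for ':*' (any source port)
    and 514 when no service is given. Assumes an IPv4 spec.
    """
    port = SYSLOG_PORT
    if ":" in spec:
        spec, service = spec.rsplit(":", 1)
        port = None if service == "*" else int(service)
    network = ipaddress.ip_network(spec, strict=False)
    return network, port


def allowed(packet, rules):
    """True if the packet's source address and source port satisfy some rule."""
    src = ipaddress.ip_address(packet["src"])
    for network, port in rules:
        if src not in network:
            continue
        if port is not None and port != packet["sport"]:
            continue  # address ok, but syslogd rejects on source-port mismatch
        return True
    return False


def audit(capture, specs):
    """For each SYSLOG packet in the capture, report (src, sport, accepted?)."""
    rules = [parse_allowed_peer(s) for s in specs]
    return [(p["src"], p["sport"], allowed(p, rules)) for p in parse_capture(capture)]


if __name__ == "__main__":
    for spec in ("10.10.10.1/32", "10.10.10.1/32:*"):
        print(f"syslogd_flags=\"-a {spec}\"")
        for src, sport, ok in audit(SAMPLE_CAPTURE, [spec]):
            print(f"  {src}:{sport} -> {'accepted' if ok else 'rejected (port)'}")
```

Running the script prints, for the post's rule "-a 10.10.10.1/32", that the packet from source port 3023 is rejected while the one from port 514 is accepted; with "-a 10.10.10.1/32:*" both are accepted. On the real host, "syslogd -d" prints the same per-rule accept/reject decisions for each incoming datagram, which is the quickest way to confirm which side of this check a sender falls on.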