Re: Socklog on OpenBSD -current
On 2016-03-30, Predrag Punosevac wrote:
> On 3/29/16 5:42 PM, Stuart Henderson wrote:
>> On 2016-03-29, Jeff Ross wrote:
>>> Greetings all!
>>>
>>> I've been away from OpenBSD for a while and for sure I've missed more
>>> than a few things. Just updated a firewall in anticipation of upgrading
>>> my server but there are things that have changed.
>>>
>>> What has me puzzled now is the change to syslogd. For literally years
>>> I've run socklog from ports to replace the stock syslog with no problems
>>> but now it simply doesn't work on 5.9 -current.
>>>
>>> My former installations of socklog all listen to /dev/log but when I
>>> couldn't get anything to work listening there I switched to listening to
>>> 0.0.0.0:514 but still no joy.
>>>
>>> If anyone out there is using socklog, or possibly any alternative to
>>> syslog, I'd sure appreciate a clue by four to get socklog running again.
>> OpenBSD's syslog functions now use sendsyslog(2) which doesn't use
>> /dev/log sockets any more.
>>
>> Here is where syslogd was modified to do things this way:
>> http://anoncvs.spacehopper.org/openbsd-src/commit/?id=c40e16771993e74275857863c928d7f9cffe3699
>> - it's probably not all that complex to convert other logging daemons,
>> but afaik nobody has yet felt the need to do this for any of the
>> alternative log daemons in ports.
>>
>> If you don't want to write code and want to stick with socklog,
>> the easiest way is probably a minimal syslogd(8) setup that
>> forwards everything via UDP.
>>
> Hi Stuart,
>
> Could you please clarify something to me? I am running a centralized
> logging server using syslog-ng from the ports. The way I read your
> e-mail is that I will no longer be able to log messages using syslog-ng
> from the local host but the port will continue to work as expected.

Yes, this isn't particularly new though, it changed in 5.6.

> Would I be able to run syslogd for the local host and syslog-ng for
> remote hosts simultaneously? IIRC I saw people posting on misc who were
> doing that in the past but I think when I played with it syslog-ng
> didn't want to start until I turned off syslogd.

You can run two simultaneously but you'll need to get one of them to
bind to a specific IP address.

> How suitable is syslogd
> from the base as a centralized logging server. I know that it supports
> TCP and TLS now but does it play well with rsyslog or syslog-ng? I have
> bunch of Linux servers to log.

If you can get them to feed it syslog messages using either the usual
UDP-based syslog protocol or using a TCP/TLS protocol then that should
work fine (IIRC the TLS code was developed against one of these,
possibly rsyslog?).

syslogd(8) / syslog.conf(5) gained +host/++host matching that allows
you to separate logs between different hosts into different files
which can be useful on a centralised log host.

There are lots of options of how to set this all up.
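A sketch of the centralised layout described in the reply above, added here as an example and not taken from the thread or from the OpenBSD project: senders forward everything over UDP, and the log host uses `++host` blocks to write one file per sender. The host names `web1` and `db1`, the address 192.0.2.10 and the file paths are assumptions, and the "stop after a match" reading of `++host` assumes it mirrors `!!prog`; confirm against syslog.conf(5) and syslogd(8) on your release.

```conf
# --- On each OpenBSD sender: /etc/syslog.conf (constructed example) ---
# Forward every facility and level to the log host over UDP (port 514).
# 192.0.2.10 is a placeholder address for the log host.
*.*						@192.0.2.10

# --- On the central log host: /etc/syslog.conf (constructed example) ---
# Lines before the first tag apply to messages from every host.
auth,authpriv.info				/var/log/all-auth

# "++web1" opens a block for messages whose host name is web1. The doubled
# "+" is assumed to behave like "!!prog": evaluation stops after a match,
# so web1's messages are not written by any later block.
++web1
*.*						/var/log/hosts/web1

++db1
*.*						/var/log/hosts/db1

# Notes for the log host:
#  - syslogd(8) does not create log files; create /var/log/hosts/web1 and
#    /var/log/hosts/db1 with restrictive ownership and mode beforehand.
#  - syslogd(8) only accepts remote messages when started with a listen
#    option (-U for UDP, -T for TCP, -S for TLS, each taking an address).
#    Giving it a specific address is also what lets a second log daemon
#    bind the same port on another address.
#  - Plain UDP syslog is unauthenticated and unencrypted; keep it on a
#    trusted segment or restrict senders with pf(4).
```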
Re: Socklog on OpenBSD -current
On 3/29/16 5:42 PM, Stuart Henderson wrote:
> On 2016-03-29, Jeff Ross wrote:
>> Greetings all!
>>
>> I've been away from OpenBSD for a while and for sure I've missed more
>> than a few things. Just updated a firewall in anticipation of upgrading
>> my server but there are things that have changed.
>>
>> What has me puzzled now is the change to syslogd. For literally years
>> I've run socklog from ports to replace the stock syslog with no problems
>> but now it simply doesn't work on 5.9 -current.
>>
>> My former installations of socklog all listen to /dev/log but when I
>> couldn't get anything to work listening there I switched to listening to
>> 0.0.0.0:514 but still no joy.
>>
>> If anyone out there is using socklog, or possibly any alternative to
>> syslog, I'd sure appreciate a clue by four to get socklog running again.
> OpenBSD's syslog functions now use sendsyslog(2) which doesn't use
> /dev/log sockets any more.
>
> Here is where syslogd was modified to do things this way:
> http://anoncvs.spacehopper.org/openbsd-src/commit/?id=c40e16771993e74275857863c928d7f9cffe3699
> - it's probably not all that complex to convert other logging daemons,
> but afaik nobody has yet felt the need to do this for any of the
> alternative log daemons in ports.
>
> If you don't want to write code and want to stick with socklog,
> the easiest way is probably a minimal syslogd(8) setup that
> forwards everything via UDP.
>

Hi Stuart,

Could you please clarify something to me? I am running a centralized
logging server using syslog-ng from the ports. The way I read your
e-mail is that I will no longer be able to log messages using syslog-ng
from the local host but the port will continue to work as expected.

Would I be able to run syslogd for the local host and syslog-ng for
remote hosts simultaneously? IIRC I saw people posting on misc who were
doing that in the past but I think when I played with it syslog-ng
didn't want to start until I turned off syslogd.

How suitable is syslogd from the base as a centralized logging server.
I know that it supports TCP and TLS now but does it play well with
rsyslog or syslog-ng? I have bunch of Linux servers to log.

Thanks,
Predrag
Re: Socklog on OpenBSD -current
On 3/29/16 5:42 PM, Stuart Henderson wrote:
> On 2016-03-29, Jeff Ross wrote:
>> Greetings all!
>>
>> I've been away from OpenBSD for a while and for sure I've missed more
>> than a few things. Just updated a firewall in anticipation of upgrading
>> my server but there are things that have changed.
>>
>> What has me puzzled now is the change to syslogd. For literally years
>> I've run socklog from ports to replace the stock syslog with no problems
>> but now it simply doesn't work on 5.9 -current.
>>
>> My former installations of socklog all listen to /dev/log but when I
>> couldn't get anything to work listening there I switched to listening to
>> 0.0.0.0:514 but still no joy.
>>
>> If anyone out there is using socklog, or possibly any alternative to
>> syslog, I'd sure appreciate a clue by four to get socklog running again.
> OpenBSD's syslog functions now use sendsyslog(2) which doesn't use
> /dev/log sockets any more.
>
> Here is where syslogd was modified to do things this way:
> http://anoncvs.spacehopper.org/openbsd-src/commit/?id=c40e16771993e74275857863c928d7f9cffe3699
> - it's probably not all that complex to convert other logging daemons,
> but afaik nobody has yet felt the need to do this for any of the
> alternative log daemons in ports.
>
> If you don't want to write code and want to stick with socklog,
> the easiest way is probably a minimal syslogd(8) setup that
> forwards everything via UDP.

Thank you, Stuart! As always, you've been very helpful.

For now I'll stick to forwarding and play with the code as time permits.

Jeff
Re: Socklog on OpenBSD -current
On 2016-03-29, Jeff Ross wrote:
> Greetings all!
>
> I've been away from OpenBSD for a while and for sure I've missed more
> than a few things. Just updated a firewall in anticipation of upgrading
> my server but there are things that have changed.
>
> What has me puzzled now is the change to syslogd. For literally years
> I've run socklog from ports to replace the stock syslog with no problems
> but now it simply doesn't work on 5.9 -current.
>
> My former installations of socklog all listen to /dev/log but when I
> couldn't get anything to work listening there I switched to listening to
> 0.0.0.0:514 but still no joy.
>
> If anyone out there is using socklog, or possibly any alternative to
> syslog, I'd sure appreciate a clue by four to get socklog running again.

OpenBSD's syslog functions now use sendsyslog(2) which doesn't use
/dev/log sockets any more.

Here is where syslogd was modified to do things this way:
http://anoncvs.spacehopper.org/openbsd-src/commit/?id=c40e16771993e74275857863c928d7f9cffe3699
- it's probably not all that complex to convert other logging daemons,
but afaik nobody has yet felt the need to do this for any of the
alternative log daemons in ports.

If you don't want to write code and want to stick with socklog,
the easiest way is probably a minimal syslogd(8) setup that
forwards everything via UDP.
Socklog on OpenBSD -current
Greetings all!

I've been away from OpenBSD for a while and for sure I've missed more
than a few things. Just updated a firewall in anticipation of upgrading
my server but there are things that have changed.

What has me puzzled now is the change to syslogd. For literally years
I've run socklog from ports to replace the stock syslog with no problems
but now it simply doesn't work on 5.9 -current.

My former installations of socklog all listen to /dev/log but when I
couldn't get anything to work listening there I switched to listening to
0.0.0.0:514 but still no joy.

If anyone out there is using socklog, or possibly any alternative to
syslog, I'd sure appreciate a clue by four to get socklog running again.

Thanks!

Jeff

dmesg;