Hi all,
New here. Apologies if I am re-hashing something discussed before.
I did read back a few months of this list and didn't see any relevant
discussion.
Unlike many here who are providing anonymous VPN services and who
don't want logging at all, I am helping set up Wireguard in a corporate
VPN environment. The logging requirements here are very different.
Specifically, there is a need for permanent logs. And, the logs should
ideally include:
- when a client connects
- when a client disconnects
- ideally also how much data was transferred in and out
during a session
So this is precisely the opposite logging requirement from those
who are managing anonymous VPNs. That's understood, and my proposed
changes maintain current default no-logging behavior for those that
need no logging.
I have made replacements [1] for device/logger.go that allow syslog
to be used for logging if available.
There are two files, both are needed. There are OS-dependent
compilation directives so that the syslog version is not used on
Windows or Plan9, which do not have syslog.
In both, the behavior is exactly the same as now by default. If no
other config is used, logging is still at info level to stdout as is
current practice. I.e., you can drop these in and nothing will change
for current users, even on systems that support syslog.
To use the new syslog logging, environment variables must be set.
Logging level and logging destination are controlled by the existing
variable LOG_LEVEL and the new WG_LOG_DEST and WG_LOG_FACILITY:
LOG_LEVEL "debug", "info", "error", "silent"
(default is still "info")
WG_LOG_DEST "stdout", "syslog"
(default is "stdout")
WG_LOG_FACILITY
any syslog facility, e.g., "daemon", "local0",
"local1", etc (also "log_", prefix OK and
either lower- or upper-case)
(default is "daemon")
Note that when using syslog, your syslog.conf needs to be configured
to send messages from your chosen facility.level to somewhere useful.
Also, it's worth saying that wireguard-go's logging includes some
UTF-8 characters. Certain OSs' syslogd don't handle 8-bit data
very well. E.g., FreeBSD. A patch for FreeBSD's syslogd is at [2].
Since this is backwards compatible, it would be great to see this
logger.go and logger_syslog.go replace the current logger.go.
I have also been playing with some patches to add the session start and
end log messages. I realize that this is a stateless protocol and that
the idea of a session isn't really there. While my current placement of
these session log messages in receive.go and in timers.go is close, it
isn't perfect. Right now I am logging "session start" in the initial
handshake code and "session end" in the handshake timeout code. Neither
are perfect but, as I said, close. I need to look more at the peer
state information that is currently maintained in order to see if
there's a better place to put these log messages. I realize also that
these session log messages must not be logged for those who don't want
any logging. These session log patches are NOT part of the current
proposed logger.go changes. If anyone wants to see these, I'll send
them along separately.
-jr
[1] optional syslog logging for wireguard-go
http://opal.com/jr/wireguard/logger.go
http://opal.com/jr/wireguard/logger_syslog.go
(both files are needed)
[2] Patch for FreeBSD's syslogd to support UTF-8 chars in messages
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244226
