m0n0wall and syslog-ng
Storing m0n0wall logs on a remote host
Last update: 16.02.2008
I wanted to store m0n0wall's log files on my small server to keep them for review. By default m0n0wall writes its log files to a local RAM disk, which means that all logs are gone when the system is rebooted. m0n0wall's syslog daemon also keeps only a limited number of entries, so older log entries are automatically deleted.
Requirements
- System that is reachable via network for m0n0wall
- Syslog daemon with UDP socket enabled running on that machine
- Minor configuration change in m0n0wall
- Setup file for syslog daemon
- Properly configured DNS
In my setup I use FreeBSD 6.2 and syslog-ng (instead of the default syslog service). Here's what I did:
1. Installation of syslog-ng
syslog-ng is available as a port or package for FreeBSD so I just did a
pkg_add -r syslog-ng
and followed the setup instructions after installation.
- stop the default syslog daemon
- enable syslog-ng in /etc/rc.conf
- create a config file for syslog-ng in /usr/local/etc/syslog-ng (a sample is provided)
2. Configuring syslog-ng
To enable syslog-ng's UDP socket to accept syslog packets from other hosts on the network open
/usr/local/etc/syslog-ng/syslog-ng.conf
in your favourite editor and add this:
source src_net { udp( ip(0.0.0.0) port(514) );};
Add a filter for your m0n0wall IP (where the syslog packets are sent from, in most cases the LAN IP):
filter gw { host ("<m0n0wall_dns_name>"); };
host() is matched against the name syslog-ng resolves for the sending address, so reverse DNS for the m0n0wall IP must work (that is why properly configured DNS is listed under the requirements).
Create destination directives for m0n0wall's log files that say where to write these files:
destination m0n0wall { file("/var/log/m0n0wall/$FACILITY.log"); };
destination m0n0wall_filter { file("/var/log/m0n0wall/filter.log"); };
Add the logging conditions. The first statement selects m0n0wall's filter log entries by the local0 facility; if your syslog-ng.conf does not already define f_local0, add it as well:
filter f_local0 { facility(local0); };
log { source(src_net); filter(gw); filter(f_local0); destination(m0n0wall_filter); flags(final);};
log { source(src_net); filter(gw); destination(m0n0wall); flags(final);};
The destination names in the log statements must match the destinations defined above. flags(final) stops processing after the first matching log statement, so filter entries end up only in filter.log and everything else from m0n0wall goes to $FACILITY.log.
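To make the routing that this configuration encodes visible, here is a small model of it in Python: a UDP syslog receiver that parses the <PRI> header of each datagram, resolves the sender to a host name (the host() filter), and picks the same file the two log statements above would. This is an added example written for this page, not code from m0n0wall or syslog-ng; the facility names, the sample log lines and the resolver mapping used in the comments are constructed for illustration.

```python
"""Model of the syslog-ng routing from the configuration above (added example,
not part of m0n0wall or syslog-ng). Messages from the gateway with facility
local0 go to filter.log; other messages from the gateway go to $FACILITY.log;
messages from any other host match no log statement and are dropped."""
import socket

# Facility codes 0-23 as in RFC 3164; names follow syslog-ng's $FACILITY macro
# (assumption: names for codes 12-15 vary between implementations).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_priority(datagram):
    """Split a '<PRI>message' line into (facility, severity, message).

    PRI = facility * 8 + severity, e.g. <134> is local0.info."""
    if not datagram.startswith("<"):
        raise ValueError("syslog datagram without <PRI> header")
    end = datagram.find(">")
    if end < 2 or end > 4:  # one to three digits between the angle brackets
        raise ValueError("malformed <PRI> header")
    pri = int(datagram[1:end])
    if pri > 191:
        raise ValueError("PRI value out of range")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], datagram[end + 1:]


def reverse_lookup(ip):
    """Resolve the sender address the way syslog-ng does with use_dns(yes);
    falls back to the address itself when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return ip


def route(sender_ip, datagram, gateway_host, logdir="/var/log/m0n0wall",
          resolve=reverse_lookup):
    """Return the file the configuration would write this datagram to, or None.

    Mirrors the two log statements: host(gateway) and facility(local0) selects
    filter.log with flags(final); host(gateway) alone selects $FACILITY.log."""
    if resolve(sender_ip) != gateway_host:   # filter gw did not match
        return None
    facility, _severity, _msg = parse_priority(datagram)
    if facility == "local0":                 # first log statement, final
        return "%s/filter.log" % logdir
    return "%s/%s.log" % (logdir, facility)  # second log statement


def serve(port, gateway_host, logdir="/var/log/m0n0wall"):
    """Receive UDP syslog datagrams and append them to the routed file.
    Binding port 514 needs root; use a high port for testing."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (ip, _port) = sock.recvfrom(65535)
        try:
            path = route(ip, data.decode("utf-8", "replace"), gateway_host, logdir)
        except ValueError:
            continue                         # not a syslog datagram
        if path is None:
            continue                         # not from the gateway: dropped
        with open(path, "a") as fh:
            fh.write(data.decode("utf-8", "replace").rstrip("\n") + "\n")


# Constructed sample datagrams: <134> = local0.info, <38> = auth.info.
SAMPLE_FILTER = "<134>Feb 16 00:00:00 m0n0wall ipmon[1]: constructed filter log entry"
SAMPLE_AUTH = "<38>Feb 16 00:00:00 m0n0wall login: constructed auth log entry"
# Constructed resolver standing in for DNS: only the gateway has a PTR record.
SAMPLE_PTR = {"192.168.1.1": "m0n0wall.example"}


def demo_resolver(ip):
    return SAMPLE_PTR.get(ip, ip)


if __name__ == "__main__":
    for ip, line in [("192.168.1.1", SAMPLE_FILTER), ("192.168.1.1", SAMPLE_AUTH),
                     ("10.0.0.9", SAMPLE_FILTER)]:
        print(ip, "->", route(ip, line, "m0n0wall.example", resolve=demo_resolver))
```

The resolver is injected so the routing can be exercised without a network; with the real reverse_lookup the behaviour depends on the PTR record for the m0n0wall IP, which is exactly the dependency the host() filter has on DNS.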
3. Start syslog-ng
Save the file and start syslog-ng with its start script:
/usr/local/etc/rc.d/syslog-ng.sh start
4. m0n0wall configuration
Open m0n0wall's web frontend and navigate to Diagnostics - Logs.
Check "Enable syslog'ing to remote syslog server" and enter the IP address of the machine where syslog-ng is running.
5. Log rotation
If you don't want your new log files to grow beyond limits, add them to the newsyslog (for FreeBSD) or logrotate configuration.
Rotation on FreeBSD 5.5 with newsyslog (/etc/newsyslog.conf):
/var/log/m0n0wall/filter.log 640 90 * @T00 JBN
The fields are: file, mode, number of rotated copies to keep, size limit (* = none), rotation time (@T00 = daily at midnight) and flags (J = bzip2 compression, B = binary, so no rotation message is written into the file, N = send no signal). Because of the N flag syslog-ng is not told to reopen the file after rotation; if entries keep appearing in the rotated copy, drop N and give the path to syslog-ng's PID file as the next field so newsyslog sends it a HUP.
Happy syslogging!
