<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 05/02/2013 18:44, Balazs Scheidler
wrote:<br>
</div>
<blockquote cite="mid:1360097060.28165.11.camel@Nokia-N900-51-1"
type="cite">
<p>----- Original message -----
<br>
> Hi everyone
<br>
> <br>
> I've recently configured a syslog server using syslog-ng
and I have an <br>
> issue logging from hosts that are outside my network, somewhere on the <br>
> internet.
<br>
> This is the thing: I have a few APs and a pfsense
firewall/router. Each <br>
> AP can log to a remote syslog server with a specific port.
<br>
> On my syslog server I add a new source, filter, destination
and target, <br>
> and on the pfsense box I create the rule to let traffic pass to
the internal <br>
> AP's IP.
<br>
> But the problem comes when I do the same for another AP: I
configure <br>
> another port but the syslog server doesn't log.
<br>
> <br>
> Is there a way to log from multiple remote hosts that are
behind just <br>
> one public IP?
<br>
<br>
yeah, sure there is. if the syslog connection is initiated from
behind the nat box, it should work just fine.
<br>
<br>
your email misses some important information to judge what could
go wrong. are you using udp or tcp? <br>
<br>
on the syslog server, one port should be enough, network wise,
unless you are using the incoming port as the basis for
filtering in your syslog-ng config.
<br>
<br>
the best way to approach this problem is to check whether the
packets of the 2nd ap make it to the syslog server. you can use
tcpdump for this purpose. once you know they do, things should
get simple to figure out.
<br>
<br>
> <br>
> Thanks in advance and sorry for my english.
<br>
<br>
no need to apologize, your English is great, and I'm not a
native speaker either. I guess communication in Hungarian (my
native language) would be more cumbersome.
<br>
<br>
Cheers,
<br>
<br>
</p>
</blockquote>
<br>
Hi Balazs, thanks for your reply.<br>
<br>
I apologize, I forgot some important details like you said. I'm
using the UDP protocol and both APs are logging into one file, but I
want to log into another file for the second AP.<br>
Something like this<br>
<br>
1 AP
---------LocalFirewall--------INTERNET------------MyNetwork-------SyslogServer<br>
port 514 pass RULE
pass RULE UDP 514<br>
<br>
2 AP
---------LocalFirewall--------INTERNET------------MyNetwork-------SyslogServer<br>
port 515 pass
Rule pass Rule
UDP 515<br>
<br>
I configured 2 sources, 2 destinations and 2 filters with these UDP
ports but without success.<br>
<br>
I wish to do some other tests with tcpdump like you said, but I
don't have remote access.<br>
<br>
Does the syslog server know which file it has to write to by the UDP port? <br>
<br>
Here is my syslog-ng conf:<br>
<br>
source AP1 {<br>
udp();<br>
};<br>
destination ubnt {<br>
file("/home/Syslog/Antenas/ubnt-syslog");<br>
};<br>
filter ubnt {<br>
host("Remote-dyndns");<br>
};<br>
log {<br>
source(AP1);<br>
destination(ubnt);<br>
filter(ubnt);<br>
};<br>
<br>
<br>
source AP2 {<br>
udp();<br>
};<br>
destination Solera {<br>
file("/home/Syslog/Antenas/Casapueblo/ubntSolera");<br>
};<br>
filter ubntSolera {<br>
host("Remote-dyndns");<br>
};<br>
log {<br>
source(AP2);<br>
filter(ubntSolera);<br>
destination(Solera);<br>
};<br>
<br>
Thanks again<br>
<br>
P.S.: my native language is Spanish (Uruguay), my Hungarian is worse
than my English, haha.<br>
<br>
Regards!!<br>
<br>
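<p>An added example, not part of the original messages and not the syslog-ng project's own configuration: one way to route each AP to its own file by the port its messages arrive on. The ports 514 and 515 and the file paths are the ones given in the post; the names s_ap1, s_ap2, d_ap1 and d_ap2 are hypothetical.</p>

```conf
# Added example (not from the original post). Source and destination
# names are hypothetical; ports and file paths are the ones in the post.

# As posted, both sources are "udp();" with no port(), so both use the
# default UDP port 514, and both filters match the same host() value.
# Nothing in that configuration tells the two APs apart.

# One listener per AP, each bound to its own port.
source s_ap1 { udp(ip("0.0.0.0") port(514)); };
source s_ap2 { udp(ip("0.0.0.0") port(515)); };

destination d_ap1 { file("/home/Syslog/Antenas/ubnt-syslog"); };
destination d_ap2 { file("/home/Syslog/Antenas/Casapueblo/ubntSolera"); };

# The source a message arrived on selects the file, so no host() filter
# is needed even when both APs appear to come from one public address.
log { source(s_ap1); destination(d_ap1); };
log { source(s_ap2); destination(d_ap2); };

# UDP syslog carries no authentication. Each firewall pass rule should
# restrict the allowed source to the sending site's public address so
# that other Internet hosts cannot write into these files.

# To confirm the second AP's packets reach the server, as the reply
# suggests, run on the syslog server:
#   tcpdump -n udp port 515
```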
</body>
</html>