On 05/02/2013 18:44, Balazs Scheidler wrote:

----- Original message -----
> Hi everyone
>
> I've recently configured a syslog server using syslog-ng and I have an
> issue logging from hosts that are outside my network, somewhere on the
> internet.
> This is the thing: I have a few APs and a pfSense firewall/router. Each
> AP can log to a remote syslog server on a specific port.
> On my syslog server I added a new source, filter, destination and target,
> and on the pfSense box I created the rule to let traffic pass to the internal
> AP's IP.
> But the problem comes when I do the same for another AP: I configure
> another port but the syslog server doesn't log.
>
> Is there a way to log from multiple remote hosts that are behind just
> one public IP?

Yeah, sure there is. If the syslog connection is initiated from behind the NAT box, it should work just fine.

Your email misses some important information to judge what could go wrong. Are you using UDP or TCP?

On the syslog server, one port should be enough, network-wise, unless you are using the incoming port as the basis for filtering in your syslog-ng config.

The best way to approach this problem is to check whether the packets of the 2nd AP make it to the syslog server. You can use tcpdump for this purpose. Once you know they do, things should get simple to figure out.

>
> Thanks in advance and sorry for my english.

no need to apologize, your English is great, and I'm not a native speaker either. I guess communication in Hungarian (my native language) would be more cumbersome.

Cheers,


Hi Balazs, thanks for your reply.

I apologize, I forgot some important details, as you said. I'm using the UDP protocol and both APs are logging into one file, but I want to log into another file for the second AP.
Something like this:

1 AP ---------LocalFirewall--------INTERNET------------MyNetwork-------SyslogServer
port 514      pass RULE                                pass RULE       UDP 514

2 AP ---------LocalFirewall--------INTERNET------------MyNetwork-------SyslogServer
port 515      pass Rule                                pass Rule       UDP 515

I configured 2 sources, 2 destinations and 2 filters with these UDP ports, but without success.

I would like to run some other tests with tcpdump, as you said, but I don't have remote access.

Does the syslog server know which file it has to write to by the UDP port?

I am posting my syslog-ng.conf:

source AP1 {
  udp();
  };
destination ubnt {
  file("/home/Syslog/Antenas/ubnt-syslog");
  };
filter ubnt {
  host("Remote-dyndns");
  };
log {
  source(AP1);
  destination(ubnt);
  filter(ubnt);
  };


source AP2 {
  udp();
  };
destination Solera {
  file("/home/Syslog/Antenas/Casapueblo/ubntSolera");
  };
filter ubntSolera {
  host("Remote-dyndns");
  };
log {
  source(AP2);
  filter(ubntSolera);
  destination(Solera);
  };

Thanks again

P.S.: my native language is Spanish (Uruguay); my Hungarian is worse than my English, haha.

Regards!!
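
The per-port layout discussed in this thread, written out as an added example (not part of either message and not taken from the syslog-ng project): each source names its listening port, because `udp()` with no `port()` listens on the default port 514. The names `s_ap1`, `s_ap2`, `f_remote`, `d_ap1` and `d_ap2` and the `@version` value are assumptions; the file paths and the host value are the ones posted above.

```conf
@version: 3.3   # assumption: set this to the installed syslog-ng version

# One listener per AP, each with an explicit port.
source s_ap1 { udp(ip(0.0.0.0) port(514)); };
source s_ap2 { udp(ip(0.0.0.0) port(515)); };

# Both APs arrive from the same public address, so a host filter cannot
# tell them apart; it only restricts which sender may write to these files.
# "Remote-dyndns" is the value from the posted config.
filter f_remote { host("Remote-dyndns"); };

destination d_ap1 { file("/home/Syslog/Antenas/ubnt-syslog"); };
destination d_ap2 { file("/home/Syslog/Antenas/Casapueblo/ubntSolera"); };

# The listening port, not the sender address, decides the file.
log { source(s_ap1); filter(f_remote); destination(d_ap1); };
log { source(s_ap2); filter(f_remote); destination(d_ap2); };
```

`syslog-ng --syntax-only -f <file>` checks the file before a restart, and `tcpdump -n udp port 515` on the syslog server shows whether the second AP's packets arrive at all.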