remote logging problem syslog-ng logging between routable public networks (?)
Hi,

I've searched high and low and I can't find the answer to the following scenario:

I would like to be able to use a remote logging host across the internet (I recognize the security concerns of not using a VPN). I *am* able to do syslog-ng to syslog-ng remote logging on the same network segment. There is no issue here. I cannot log across a LAN extension or across the internet at large. I've tried UDP and TCP. I've even successfully sniffed packets on the remote log server that were sent across the internet.

Is there an issue with bridges, routers or ARP and syslog-ng? As far as I can tell, the only difference between the various hosts I am trying to log from is geographic location and network location. Same OS. Same versions, same syslog-ng.conf. I am using Debian 3.0 with syslog-ng 1.5.18.

Thanks in advance.

Adam Tworkowski
On Mon, Jul 15, 2002 at 04:50:12PM -0400, Adam Tworkowski wrote:
I would like to be able to use a remote logging host across the internet (I recognize the security concerns of not using a VPN). I *am* able to do syslog-ng to syslog-ng remote logging on the same network segment. There is no issue here. I cannot log across a LAN extension or across the internet at large. I've tried UDP and TCP. I've even successfully sniffed packets on the remote log server that were sent across the internet. Is there an issue with bridges, routers or ARP and syslog-ng? As far as I can tell, the only difference between the various hosts I am trying to log from is geographic location and network location. Same OS. Same versions, same syslog-ng.conf.
Your issues likely have to do with packet filtering between the two hosts. You may have errors in your configuration, though, there's no way for us to tell without more information.

Once you work out the connection issues, use stunnel to protect your logging stream.

--
From empirical experience, your Exchange admin needs to put down the crack pipe and open a window to disperse the fumes.
Attached are part of my syslog-ng.confs (hopefully the most relevant info).
I would like to be able to use a remote logging host across the internet (I recognize the security concerns of not using a VPN). I *am* able to do syslog-ng to syslog-ng remote logging on the same network segment. There is no issue here. I cannot log across a LAN extension or across the internet at large. I've tried UDP and TCP. I've even successfully sniffed packets on the remote log server that were sent across the internet. Is there an issue with bridges, routers or ARP and syslog-ng? As far as I can tell, the only difference between the various hosts I am trying to log from is geographic location and network location. Same OS. Same versions, same syslog-ng.conf.
There should be no packet filtering between these hosts. All IPTABLES policies are set to accept. tcpwrappers is in use but I haven't expressly permitted logging only from the local segment so I don't think this should be an issue. Again, I am doing remote logging on the same subnet and can also see packets arriving at the front door of the remote logging server. Am I missing something?
Your issues likely have to do with packet filtering between the two hosts. You may have errors in your configuration, though, there's no way for us to tell without more information.
I plan to.
Once you work out the connection issues, use stunnel to protect your logging stream.
Thanks.

#########################
# syslog-ng.conf (logging host)
options {
    use_fqdn(yes);
    keep_hostname(yes);
    use_dns(yes);
    long_hostnames(off);
    sync(3);
    log_fifo_size(300);
};
source src { unix-dgram("/dev/log"); internal(); udp(); tcp(); };
destination authlog { file("/var/log/auth.log" owner("root") group("adm") perm(0640)); };
# [etc]

###################
# syslog-ng.conf (host)
options { long_hostnames(on); sync(0); };
source src { unix-dgram("/dev/log"); internal(); };
destination loghost { tcp("w.x.y.z" port(514)); }; # wxyz=routable IP
destination authlog { file("/var/log/auth.log" owner("root") group("adm") perm(0640)); };
# [etc]
log { source(src); filter(f_authpriv); destination(loghost); };
# [etc]
log { source(src); filter(f_authpriv); destination(authlog); };

--
Regards,
Adam Tworkowski
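An added example, not part of the thread or of syslog-ng: a small probe, run from the sending host, that separates the cases discussed above for the `tcp()` destination on port 514 (filtered path, no listener, or a listener that accepts and then drops the connection). The function name `probe_tcp` and the test message are constructed for illustration, and reading "closed-after-accept" as a host-based access denial such as tcpwrappers is an assumption about how the listener rejects a peer.

```python
import socket
import sys

def probe_tcp(host, port=514, timeout=3.0, hold=1.0):
    """Classify how a TCP syslog listener treats a connection from this host.

    Returns one of:
      "filtered"            - no answer to the SYN (dropped by a filter or route)
      "refused"             - RST came back: path works, nothing listens there
      "closed-after-accept" - handshake completed, then the peer hung up
                              (assumed: access control in the daemon, e.g. a
                              hosts.deny match, or a connection limit)
      "accepted"            - connection stays open and silent, which is what
                              a working syslog TCP source does
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        return "error: %s" % exc
    with sock:
        sock.settimeout(hold)
        try:
            # Constructed test line; <86> is authpriv.info (10 * 8 + 6),
            # the facility the f_authpriv filter in the thread selects.
            sock.sendall(b"<86>probe: syslog-ng reachability test\n")
            data = sock.recv(1)
        except socket.timeout:
            return "accepted"
        except (ConnectionResetError, BrokenPipeError):
            return "closed-after-accept"
        # A syslog source never writes back; EOF means the peer closed.
        return "closed-after-accept" if data == b"" else "unexpected-data"

if __name__ == "__main__":
    # Usage: python probe.py <loghost> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    print(target, target_port, probe_tcp(target, target_port))
```

A result of "accepted" with nothing written to the log file on the receiving side points at the syslog-ng filters and log statements rather than the network.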
participants (3)
- Adam Tworkowski
- Adam Tworkowski
- Nate Campi