Host behind a NAT and multiple log files
Hi everyone

I've recently configured a syslog server using syslog-ng and I have an issue logging from hosts that are outside my network, in some place on the internet. This is the thing: I have a few APs and a pfsense firewall/router. Each AP can log to a remote syslog server with a specific port. In my syslog server I add a new source, filter, destination and target, and in the pfsense box I create the rule to let traffic pass to the internal AP's IP. But the problem comes when I do the same for another AP: I configure another port but the syslog server doesn't log.

Is there a way to log from multiple remote hosts that are behind just one public IP?

Thanks in advance and sorry for my English.

Regards,
--
Mauricio Améndola
Communications / Technical Department
KERNEL Consultores
Zabala 1327/402, 11000, Montevideo, Uruguay
T+(598-2) 915 6563 / (598-2) 915 9336
----- Original message -----
Hi everyone
I've recently configured a syslog server using syslog-ng and I have an issue logging from hosts that are outside my network, in some place on the internet. This is the thing: I have a few APs and a pfsense firewall/router. Each AP can log to a remote syslog server with a specific port. In my syslog server I add a new source, filter, destination and target, and in the pfsense box I create the rule to let traffic pass to the internal AP's IP. But the problem comes when I do the same for another AP: I configure another port but the syslog server doesn't log.
Is there a way to log from multiple remote hosts that are behind just one public IP?
yeah, sure there is. if the syslog connection is initiated from behind the nat box, it should work just fine. your email misses some important information to judge what could go wrong. are you using udp or tcp? on the syslog server, one port should be enough, network wise, unless you are using the incoming port as the basis for filtering in your syslog-ng config. the best way to approach this problem is to check whether the packets of the 2nd ap make it to the syslog server. you can use tcpdump for this purpose. once you know they do, things should get simple to figure out.
Thanks in advance and sorry for my english.
no need to apologize, your English is great, and I'm not a native speaker either. I guess communication in Hungarian (my native language) would be more cumbersome. Cheers,
Hi,
I apologize, I forgot some important details like you said. I'm using the UDP protocol and both APs are logging into one file, but I want to log into another file for the second AP. Something like this:
1 AP ---------LocalFirewall--------INTERNET------------MyNetwork-------SyslogServer
     port 514     pass RULE                            pass RULE       UDP 514
2 AP ---------LocalFirewall--------INTERNET------------MyNetwork-------SyslogServer
     port 515     pass Rule                            pass Rule       UDP 515
I configure 2 sources, 2 destinations and 2 filters with these udp ports but without success.
you didn't configure both ports
I wish to make some other tests like you said with tcpdump but I don't have remote access.
Does the syslog server know which file it has to write to by the UDP port?
although syslog-ng is quite advanced it doesn't have mind-reading capabilities (yet) so you must tell it how to process messages
I post my syslog-ng-conf
source AP1 { udp();
instead of plain udp() you could use udp(port(514)); although 514 is the default port it won't hurt to set it explicitly ...
source AP2 { udp();
and here use udp(port(515)); so syslog-ng will actually listen on the port

your filters imply dynamic DNS so I'm not sure that it is a good idea to use hostnames for filtering (especially when you're using the *same* hostname for two different devices so unless NAT is involved at least one filter won't match on incoming logs). Just remove the filters and when the logs are written to disk you can add back / refine the filtering.

hth,
Sandor
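
The layout discussed in this thread, written out as an added example (it is not the poster's configuration and not from the syslog-ng project). The source and destination names and the log file paths are assumptions. Messages are routed by the listening port alone, so no hostname filter is needed.

```conf
# Added example: one UDP listener per AP, routed by port instead of hostname.
# Names (s_ap1, d_ap1, ...) and file paths are assumptions for illustration.

# As posted in the thread, both sources were plain udp();, which means both
# listen on the default port 514 and nothing ever listens on 515:
#   source AP1 { udp(); };
#   source AP2 { udp(); };

# Corrected: each source names its port explicitly.
source s_ap1 { udp(ip(0.0.0.0) port(514)); };
source s_ap2 { udp(ip(0.0.0.0) port(515)); };

# One file per AP.
destination d_ap1 { file("/var/log/ap1.log"); };
destination d_ap2 { file("/var/log/ap2.log"); };

# No filter() in the log paths: the port a message arrived on already
# identifies the AP. Hostname filters can be added back once messages
# are confirmed to reach the files.
log { source(s_ap1); destination(d_ap1); };
log { source(s_ap2); destination(d_ap2); };
```

To confirm that the second AP's packets reach the server, as suggested earlier in the thread, `tcpdump -n udp port 515` on the syslog host shows whether anything arrives on that port. UDP syslog carries no sender authentication, so the firewall pass rules for 514 and 515 are best limited to the known public source address.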
participants (3): Balazs Scheidler, KERNEL - Mauricio Améndola, Sandor Geller