[syslog-ng] remote logging problem: syslog-ng logging between routable public networks (?)

Adam Tworkowski adam@dexagon.net
Tue, 16 Jul 2002 12:17:16 -0400


Attached are part of my syslog-ng.confs (hopefully the most relevant info).

> > I would like to be able to use a remote logging host across the internet
> > (I recognize that security concerns of not using a VPN).  I *am* able to
> > do syslog-ng to syslog-ng remote logging on the same network segment. 
> > There is no issue here.   I cannot log across a LAN extension or across
> > the internet at large.   I've tried UDP and TCP.  I've even successfully
> > sniffed packets on the remote log server that were sent across the
> > internet.   Is there an issue with bridges, routers or ARP and syslog-ng?
> >  As far as I can tell, the only difference between the various hosts I am
> > trying to log from is geographic location and network location.  Same OS.
> > Same versions, same syslog-ng.conf.

There should be no packet filtering between these hosts.  All IPTABLES 
policies are set to accept.  tcpwrappers is in use but I haven't expressly 
permitted logging only from the local segment so I don't think this should be 
an issue.

Again,  I am doing remote logging on the same subnet and can also see packets 
arriving at the front door of the remote logging server.  Am I missing 
something?  

> Your issues likely have to do with packet filtering between the two
> hosts. You may have errors in your configuration, though, there's no way
> for us to tell without more information.

I plan to.

> Once you work out the connection issues, use stunnel to protect your
> logging stream.

Thanks.

#########################
# syslog-ng.conf (logging host)

options { use_fqdn(yes); keep_hostname(yes); use_dns(yes); 
long_hostnames(off); sync(3); log_fifo_size(300); };

source src {
   unix-dgram("/dev/log");
   internal();
   udp();
   tcp();
};
destination authlog { file("/var/log/auth.log" owner("root") group("adm") 
perm(0640)); };

# [etc]

###################
# syslog-ng.conf (host)

options { long_hostnames(on); sync(0); };
source src { unix-dgram("/dev/log"); internal(); };
destination loghost { tcp("w.x.y.z" port(514)); };  # wxyz=routable IP
destination authlog { file("/var/log/auth.log" owner("root") group("adm") 
perm(0640)); };
# [etc]
log { source(src); filter(f_authpriv); destination(loghost); };
# [etc]
log { source(src); filter(f_authpriv); destination(authlog); };

-- 
Regards,

Adam Tworkowski
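
A diagnostic sketch for the symptom in this message (packets reach the log server but nothing is logged), added here as an example and not part of the original post: run from the sending host, it classifies how the log host's TCP listener treats the client. The names `probe_tcp` and `syslog_line` and the `probe-host` hostname are made up for the example, and reading an immediate close as a wrapper-style deny is an assumption about how such checks usually behave.

```python
import socket
import sys
from datetime import datetime

AUTHPRIV, INFO = 10, 6  # syslog facility authpriv, severity info


def syslog_line(host, tag, text, facility=AUTHPRIV, severity=INFO):
    """BSD-syslog line: <PRI>timestamp host tag: text, PRI = facility*8 + severity."""
    t = datetime.now()
    stamp = f"{t:%b} {t.day:2d} {t:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {host} {tag}: {text}\n".encode()


def probe_tcp(addr, port=514, timeout=3.0, settle=0.5):
    """Classify the listener's reaction to this client.

    refused  - host reachable, nothing listening (or a rule that rejects)
    timeout  - SYN unanswered: filtering or routing between the hosts
    closed   - handshake completed, then the peer hung up at once; consistent
               with an access check (e.g. tcpwrappers) denying after accept()
    accepted - connection stayed open and the test line was written
    """
    try:
        sock = socket.create_connection((addr, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    with sock:
        sock.settimeout(settle)
        try:
            if sock.recv(1) == b"":   # EOF: peer closed right after accept
                return "closed"
        except socket.timeout:
            pass                      # silence is normal for a log sink
        except ConnectionResetError:
            return "closed"
        sock.settimeout(timeout)
        sock.sendall(syslog_line("probe-host", "probe", "tcp reachability test"))
        return "accepted"


if __name__ == "__main__":
    # Usage: python probe.py <loghost> [port]; defaults to a local check.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    print(target, port, probe_tcp(target, port))
```

The test line uses the authpriv facility so that it passes an `f_authpriv`-style filter on the receiving side; an "accepted" result with nothing in the destination file points at the receiver's log paths and filters, not the network.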