Remote syslog not really working from IPFire

I have a remote server with rsyslog on Ubuntu 16.04 LTS. It’s successfully getting logs from Raspbian, Ubuntu 16.04/18.04, and Windows Server 2019. For some reason I’m having trouble getting logs from IPFire r146.

From the command line, I can use logger to get entries on the remote syslog server, via UDP or TCP. But the only IPFire logs that make it to the remote server are syslogd restarts, and only if I have it set to use UDP. There are a lot of IPFire logs not getting forwarded! Since logger works over UDP or TCP, I’m inclined to think it’s not a firewall problem, but I’m running out of ideas on what to try.

Any suggestions?

Thanks!

I configured a ubuntu18 server to accept UDP remote logs, then on ipfire, Log settings, enabled rsyslog, 10.0.0.49, save. It takes some time but it started sending data.

(I trimmed the output)

Sep 24 13:03:38 u18s rsyslogd: rsyslogd's userid changed to 102
Sep 24 13:03:38 u18s rsyslogd:  [origin software="rsyslogd" swVersion="8.32.0" x-pid="2774" x-info="http://www.rsyslog.com"] start
Sep 24 13:05:20 syslogd 1.5.1: restart (remote reception).
Sep 24 13:06:24 ipfire.lan dhcpd: DHCPREQUEST for 10.0.0.40 
Sep 24 13:06:24 ipfire.lan dhcpd: DHCPACK on 10.0.0.40 to 
Sep 24 13:08:50 ipfire.lan kernel: DROP_NEWNOTSYN IN=red0 OUT=  
Sep 24 13:08:50 ipfire.lan kernel: DROP_NEWNOTSYN IN=red0 OUT=
Sep 24 13:09:17 ipfire.lan dhcpd: DHCPREQUEST for 10.0.0.30 
Sep 24 13:09:17 ipfire.lan dhcpd: DHCPACK on 10.0.0.30

I have the remote syslog set to save all incoming messages from a remote server to a single file in the pattern /var/log/remote/.log. When the hostname isn’t available, it uses the IP address. I’ve discovered that incoming messages from ipfire don’t have a consistent format, and the logs are ending up in multiple files.

One of the files uses an IP address that isn’t associated with ipfire at all, but it looks like it’s the contents of ipfire:/var/log/messages. The messages related to syslogd restart aren’t sent with any indication of host, so the file gets saved as syslogd.log. I’ll keep exploring tomorrow.

One question this raises is about the format of the messages. As far as I can tell, this output isn’t really RFC-compliant, is it? If not, is there a way to make the remote logging compliant? If they are, what RFC are they following?

Thanks again.

I’ve looked at things more closely and it does appear that I’m getting all the logs. I was able to add a condition to my rsyslog config to manually assign a hostname to the logs coming from ipfire and consolidate them. But if ipfire’s syslog is forwarding things in some standard way, I’d prefer to handle incoming messages based on that standard rather than through a fragile custom rule.

There’s still a question of why I can’t seem to receive messages when I choose TCP in ipfire log settings, but it works from the logger command.
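To see why the restart lines end up in syslogd.log while the rest of the IPFire output lands under its own name, here is an added example (not from this thread, and not IPFire or rsyslog code) that parses the three message shapes quoted above the way a legacy RFC 3164 receiver does and then buckets them first by the parsed HOSTNAME field and then by the sending address; the source IP and the PRI values are constructed.

```python
import re
from collections import defaultdict

# Constructed samples (source IP and PRI values are assumed): the three
# message shapes seen in this thread, as a UDP receiver would get them.
SAMPLES = [
    ("10.0.0.1", "<6>Sep 24 13:08:50 ipfire.lan kernel: DROP_NEWNOTSYN IN=red0 OUT="),
    ("10.0.0.1", "<30>Sep 24 13:06:24 ipfire.lan dhcpd: DHCPREQUEST for 10.0.0.40"),
    ("10.0.0.1", "<46>Sep 24 13:05:20 syslogd 1.5.1: restart (remote reception)."),
]

# BSD-style (RFC 3164) layout: <PRI>TIMESTAMP HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+):? ?(?P<msg>.*)$"
)

def parse_bsd(line):
    """Split a line the way a legacy parser does: whatever token follows
    the timestamp is taken as HOSTNAME, whether or not the sender put one
    there. For the restart line that token is 'syslogd'."""
    m = RFC3164.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pri"] = int(d["pri"])
    d["facility"], d["severity"] = divmod(d["pri"], 8)
    return d

def bucket(samples, key):
    """Group messages into output files, like an omfile dynaFile template."""
    files = defaultdict(list)
    for src_ip, line in samples:
        parsed = parse_bsd(line)
        if parsed is not None:
            files[key(src_ip, parsed)].append(parsed["msg"])
    return dict(files)

def by_hostname(src_ip, parsed):
    # Keyed on the parsed field (%HOSTNAME%): splits one sender across files.
    return f"/var/log/remote/{parsed['host']}.log"

def by_fromhost_ip(src_ip, parsed):
    # Keyed on the sending address (%fromhost-ip%): one sender, one file.
    return f"/var/log/remote/{src_ip}.log"
```

Keying the output file on the sending address rather than the parsed hostname is the standard-based alternative to a per-host custom rule, at the cost of file names that are addresses rather than names.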