Syslog through TCP protocol?

Status
Not open for further replies.

Discofris

Cadet
Joined
May 11, 2012
Messages
1
I'm using syslog to send logs to my Splunk install. This is done via UDP protocol (default setting). How can I configure syslog on my FreeNAS 8.0.4 to have it communicate via TCP?
 

peterh

Patron
Joined
Oct 19, 2011
Messages
315
You don't.

What could be done is to tunnel udp/514 with ssh (or any other tunnel)
 
Joined
Jun 17, 2013
Messages
36
The default 'syslogd' in FreeBSD doesn't support TCP connections. A workaround for this might be to create a jail, install rsyslog in the jail and configure it to accept UDP syslog messages and then forward them on via TCP.
 

AlloAS

Cadet
Joined
Oct 16, 2014
Messages
1
edit "/usr/local/etc/syslog-ng.conf"

and change "destination loghost { tcp("@ip" port(514) localport(514)); };"

then restart syslog-ng "/usr/local/etc/rc.d/syslog-ng restart"
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
I'm using syslog to send logs to my Splunk install. This is done via UDP protocol (default setting). How can I configure syslog on my FreeNAS 8.0.4 to have it communicate via TCP?
Curious to know why you need or want to use TCP?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,525
That person hasn't been on the forums in 2 years... so I doubt he'll answer you. ;)
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
That person hasn't been on the forums in 2 years... so I doubt he'll answer you. ;)
Ahh looks like they got me! I'd still like to know the reasoning for only supporting udp and/or why someone would want to use TCP.
 
Joined
Jun 17, 2013
Messages
36
Curious to know why you need or want to use TCP?

We have ~20 FreeNAS boxes that are "in the middle of nowhere" in Alaska, Washington, and Oregon. Their internet providers are terrible, lots of dropped packets, etc...

Getting syslog data is fairly important since we are contractually obligated to monitor those systems. :)
 

SweetAndLow

Sweet'NASty
Joined
Nov 6, 2013
Messages
6,421
A better solution would be to store the data locally on site and sync it to a mirror in your central location. You shouldn't use tcp to provide the type of data verification you want. You should use application level verification.
 
Joined
Jun 17, 2013
Messages
36
A better solution would be to store the data locally on site and sync it to a mirror in your central location. You shouldn't use tcp to provide the type of data verification you want. You should use application level verification.

I disagree. We pump a lot of data into a logstash server to run reports, generate alerts, and watch trends. It's exactly what syslog was intended for. Running an rsync to copy the data locally would then require us to write a custom script to convert the log lines back into syslog messages for the logstash server. I'd rather just send them directly and reliably using TCP. I'll open the syslog/TLS argument later. ;)
 

Chris Hager

Dabbler
Joined
May 7, 2015
Messages
11
I know this is an old post but I recently went through this as well (for different reasons) and came up with the following solution.

FreeNAS will by default use UDP via the syslog-ng service. For whatever reason this wasn't playing nicely with our Graylog syslog server. We suspected the timestamps were malformed (found via tcpdump) and Graylog was refusing the packets. Our hack was to change a line in this file: /usr/local/etc/syslog-ng.conf.

destination loghost { udp("[ServerName]" port(514) localport(514)); };

to:

destination loghost { syslog("[ServerName]" port(514) localport(514)); };

This startup command keeps it constant after reboots since the file is overwritten at startup:

sed -i -e 's/{ udp(/{ syslog(/g' /usr/local/etc/syslog-ng.conf && service syslog-ng restart

Since then we've been receiving syslog messages fine via TCP.
 

lethalduck

Cadet
Joined
Sep 5, 2016
Messages
2
I disagree. We pump a lot of data into a logstash server to run reports, generate alerts, and watch trends. It's exactly what syslog was intended for. Running an rsync to copy the data locally would then require us to write a custom script to convert the log lines back into syslog messages for the logstash server. I'd rather just send them directly and reliably using TCP. I'll open the syslog/TLS argument later. ;)
Did you open the syslog/TLS discussion? Anyone would have to be slightly crazy to send logs over the internet unencrypted. My other servers all send their logs using TCP (some reliability)/TLS (some privacy) at a minimum. Even then messages are still lost occasionally, and that's where RELP comes to the party. I'd like to get this set up for the filer as well.
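A small config audit in the spirit of the udp() to syslog() change earlier in the thread and the TLS point in this post, as an added example (not code from the thread, FreeNAS or syslog-ng): it parses syslog-ng destination statements and flags the ones that are lossy (UDP) or plaintext (no TLS). The sample config, the hostnames and the TLS destination are constructed for illustration.

```python
import re

# Constructed syslog-ng.conf fragment (sample data, not from a real host). The first
# two destinations mirror the udp() -> syslog() edit from the thread; the third is a
# hypothetical TLS-protected destination using syslog-ng's transport("tls")/tls() options.
SAMPLE_CONF = """
source src { system(); internal(); };
destination loghost { udp("[ServerName]" port(514) localport(514)); };
destination loghost_tcp { syslog("[ServerName]" port(514) localport(514)); };
destination loghost_tls { syslog("logs.example.test" port(6514) transport("tls")
    tls(peer-verify(required-trusted) ca-dir("/usr/local/etc/ssl/certs"))); };
log { source(src); destination(loghost); };
"""

DEST_RE = re.compile(r'destination\s+(\w+)\s*\{(.*?)\};', re.S)
DRIVER_RE = re.compile(r'\s*(\w+)\s*\(')
TRANSPORT_RE = re.compile(r'transport\s*\(\s*"(\w+)"\s*\)')


def classify_destination(body):
    """Return (driver, transport, encrypted) for the body of one destination block."""
    m = DRIVER_RE.match(body)
    driver = m.group(1) if m else "unknown"
    if driver in ("udp", "tcp"):
        transport = driver          # legacy drivers: the driver name fixes the transport
    elif driver == "syslog":
        t = TRANSPORT_RE.search(body)
        transport = t.group(1) if t else "tcp"   # syslog() defaults to TCP
    else:
        transport = "n/a"           # file(), program(), ... are local, not network
    encrypted = transport == "tls" or re.search(r'\btls\s*\(', body) is not None
    return driver, transport, encrypted


def audit(conf_text):
    """Map each network destination name to the set of risks it carries."""
    findings = {}
    for name, body in DEST_RE.findall(conf_text):
        driver, transport, encrypted = classify_destination(body)
        if transport == "n/a":
            continue
        risks = set()
        if transport == "udp":
            risks.add("lossy")       # no delivery feedback; drops are invisible to the sender
        if not encrypted:
            risks.add("plaintext")   # log contents and hostnames readable on the wire
        findings[name] = risks
    return findings


if __name__ == "__main__":
    for name, risks in audit(SAMPLE_CONF).items():
        print(f"{name}: {', '.join(sorted(risks)) or 'ok'}")
```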
 

lethalduck

Cadet
Joined
Sep 5, 2016
Messages
2
I know this is an old post but I recently went through this as well (for different reasons) and came up with the following solution.

FreeNAS will by default use UDP via the syslog-ng service. For whatever reason this wasn't playing nicely with our Graylog syslog server. We suspected the timestamps were malformed (found via tcpdump) and Graylog was refusing the packets. Our hack was to change a line in this file: /usr/local/etc/syslog-ng.conf.

destination loghost { udp("[ServerName]" port(514) localport(514)); };

to:

destination loghost { syslog("[ServerName]" port(514) localport(514)); };

This startup command keeps it constant after reboots since the file is overwritten at startup:

sed -i -e 's/{ udp(/{ syslog(/g' /usr/local/etc/syslog-ng.conf && service syslog-ng restart

Since then we've been receiving syslog messages fine via TCP.
So you didn't need to set up a jail at all Chris?
 

mrad

Cadet
Joined
May 8, 2017
Messages
1
Hello, maybe a bit old and off-topic, but does anybody know how to add a second syslog host as a target in the web GUI?
 

Sakuru

Guru
Joined
Nov 20, 2015
Messages
527
Try separating the entries with commas.
 