FreeBSD – Sending syslog from jail to host fails


I'm trying to send logs from a jail to the host system on FreeBSD 10.

I think everything is set up correctly but I can't get it working.

Sending logs directly from Nginx 1.7 works but not sending logs via syslog (e.g. PHP-FPM).


This is my host's /etc/rc.conf:

syslogd_flags="-a 10.0.0.1/24:* -v -v -C"

My host's etc/syslog.conf:

+ABCD
*.=info                                         /var/log/jails/ABCD/nginx-access.log
*.=error                                        /var/log/jails/ABCD/nginx-error.log
*.*                                             /var/log/jails/ABCD/all.log

This is the jail's etc/rc.conf:

syslogd_flags="-ss -v -v"

And the jail's etc/syslog.conf:

!php-fpm
*.*                                             @127.0.0.1

etc/hosts is set up in both systems.


Sending logs manually directly to the host with logger works.

Using the debugging function I can see that the jail is forwarding logs that I create manually with logger -t php-fpm:

Logging to FORW 127.0.0.1

But the logs never arrive on the host. The debugger there doesn't receive any message. Doing the same with Nginx's built-in syslog function works.

I already tried setting syslogd_flags="-s -v -v". I then can't send any logs manually any more and the situation doesn't change.

Best Answer

As @citrin mentions, the -ss flag is not what you want.

The following works for me, on FreeBSD 12.1, with no vnet virtualization configured.

192.168.1.1 is the IP of the host.
192.168.1.68 is the IP of the jail.
Make sure the host and the jail can ping each other.
Make sure you have no firewall rules blocking UDP port 514 between the host and the jail.

In the jail:

# sysrc syslogd_enable=yes
# sysrc syslogd_flags="-s -vv"
# cat /etc/syslog.conf
*.*                                             @192.168.1.1
# grep 192.168 /etc/hosts
#       192.168.0.0     -   192.168.255.255
192.168.1.68            jail
192.168.1.1             host
# service syslogd stop
# service syslogd start

On the host:

# sysrc syslogd_enable="yes"
# sysrc syslogd_flags="-a 192.168.1.68 -vv"
# tail -4 /etc/syslog.conf

+jail
*.*                                /var/log/test-jail.log

# touch /var/log/test-jail.log
# grep 192.168 /etc/hosts
#       192.168.0.0     -   192.168.255.255
192.168.1.1             vlan3
192.168.1.68            jail
# service syslogd stop
# service syslogd start

If that still doesn't work for you, there are some good troubleshooting suggestions in the FreeBSD Handbook page on syslogd. The most notable is the use of the -d switch on the host side:

# sysrc syslogd_flags="-d -a 192.168.1.68 -vv"

That generates a lot of output, so read through it carefully.

Finally, remote syslogging is sometimes a bit fiddly, for reasons perhaps a more senior admin can add in comments. I have the best success when I do not reference /etc/hosts entries in the syslogd_flags string. Using literal IP numbers works better for me. That might be due to not using a legit fully-qualified domain name and/or a real DNS name. As time permits, I will explore those possibilities and update this answer.

Update:

After setting up some test DNS entries and trying various configurations, I think that whatever difficulties I had earlier were due to either hurried work and/or inconsistent attention to detail. Once I have a solid /etc/syslog.conf framework on both jail and host, along with syslog-friendly firewall entries, it appears that my jail-to-host remote logging works using either proper DNS names, /etc/hosts entries, or raw IP numbers.
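
As an added example (not part of the original question or answer), the `-s` / `-ss` distinction the answer points at can be checked mechanically before restarting syslogd. It assumes the option letters from the FreeBSD syslogd(8) synopsis and the behaviour documented there: one `-s` stops syslogd logging messages from remote machines, and a second `-s` opens no network socket at all, which also disables forwarding. The function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.
# Assumption: option letters as listed in the FreeBSD syslogd(8) synopsis.
OPTS=':468ACcdFHkNnosTuva:b:f:l:m:O:P:p:S:'

# Print how many times -s occurs in a syslogd_flags string ("-ss" counts as 2).
secure_level() {
    set -f      # keep peers such as 10.0.0.1/24:* from being glob-expanded
    set -- $1
    set +f
    OPTIND=1
    n=0
    while getopts "$OPTS" opt; do
        if [ "$opt" = s ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Print @host forwarding targets; skips comments and !prog / +host / -host lines.
forward_targets() {
    printf '%s\n' "$1" |
        sed -n 's/^[^#!+-][^[:space:]]*[[:space:]]\{1,\}@\([^[:space:]]\{1,\}\).*/\1/p'
}

# Sender side: forwarding is configured but -ss leaves no socket to send on.
lint_jail() {
    targets=$(forward_targets "$2")
    if [ -n "$targets" ] && [ "$(secure_level "$1")" -ge 2 ]; then
        echo "FAIL: -ss opens no network socket; cannot forward to $targets"
        return 1
    fi
    echo "OK: flags allow forwarding to ${targets:-<none>}"
}

# Receiver side: with -s, syslogd does not log messages from remote machines.
lint_host() {
    if [ "$(secure_level "$1")" -ge 1 ]; then
        echo "FAIL: -s stops syslogd logging messages from remote machines"
        return 1
    fi
    echo "OK: remote messages are accepted, subject to any -a peers"
}

# Flags and config lines taken from the question and the answer above.
Q_CONF='!php-fpm
*.*     @127.0.0.1'
lint_jail '-ss -v -v' "$Q_CONF" || true
lint_jail '-s -vv' '*.*     @192.168.1.1'
lint_host '-a 192.168.1.68 -vv'
```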
