syslogd not reading messages from a remote machine

Andy Greenwood greenwood.andy at gmail.com
Fri Jan 11 07:51:36 PST 2008


I have recently set up a Fortigate-60 to run as a firewall/vpn on my 
home network. I have a FreeBSD 7.0-prerelease machine sitting behind it 
in the DMZ which is running ssh/web/etc. I'm trying to get the FG to log 
to the BSD box's syslog. I have set up the necessary stuff on the FG, 
and can send test logs from there to the bsd box. Running tcpdump on the 
bsd box gives me this when sending those test logs:

[root at zeus ports]$ tcpdump -n -e -ttt -vv -i dc0 port 514
tcpdump: listening on dc0, link-type EN10MB (Ethernet), capture size 96 
bytes
000000 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), 
length 468: (tos 0x0, ttl 64, id 53661, offset 0, flags [none], proto 
UDP (17), length 454) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 426
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000196 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), 
length 337: (tos 0x0, ttl 64, id 53662, offset 0, flags [none], proto 
UDP (17), length 323) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 295
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000227 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), 
length 337: (tos 0x0, ttl 64, id 53663, offset 0, flags [none], proto 
UDP (17), length 323) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 295
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000292 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), 
length 447: (tos 0x0, ttl 64, id 53664, offset 0, flags [none], proto 
UDP (17), length 433) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 405
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000230 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), 
length 324: (tos 0x0, ttl 64, id 53665, offset 0, flags [none], proto 
UDP (17), length 310) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 282
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000143 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), 
length 247: (tos 0x0, ttl 64, id 53666, offset 0, flags [none], proto 
UDP (17), length 233) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 205
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000152 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), 
length 279: (tos 0x0, ttl 64, id 53667, offset 0, flags [none], proto 
UDP (17), length 265) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 237
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
000152 00:09:0f:12:11:41 > 00:00:e8:13:b3:5c, ethertype IPv4 (0x0800), 
length 299: (tos 0x0, ttl 64, id 53668, offset 0, flags [none], proto 
UDP (17), length 285) 10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 257
        Facility local7 (23), Severity warning (4)
        Msg: date=2008-01-11 time=18:37:10 devname=Fortigate-6[|syslog]
^C


So I know that the packets are getting to the machine. I've set up 
syslogd to accept packets from 10.10.10.1/32 in rc.conf, and confirmed 
that the FG's IP should be accepted by syslogd:
[root at zeus ports]$ grep syslogd /etc/rc.conf
syslogd_flags="-a 10.10.10.1/32"
[root at zeus ports]$ ps auxww | grep syslogd
root     8538  0.0  0.1  3156  1088  ??  Ss   10:44AM   0:00.02 
/usr/sbin/syslogd -l /var/run/log -l /var/named/var/run/log -a 10.10.10.1/32

The FG is set to log via local7, and I've set that up too:
[root at zeus ports]$ grep local7 /etc/syslog.conf
local7.*                                        /var/log/fortigate

And the log file exists also:
[root at zeus ports]$ ls -l /var/log/fortigate
-rw-r-----  1 root  wheel  0 Jan 11 07:22 /var/log/fortigate

In desperation I even added this to my /etc/syslog.conf, trying to get 
the messages to appear anywhere, but they aren't showing up in all.log 
either:
*.*                                           /var/log/all.log

I've restarted syslogd after every change I've made, but no dice. Can 
anyone shed some light on why these messages aren't logging and what I 
need to do to fix it?


Thanks so much!
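The capture above shows each datagram leaving the FortiGate from source port 3023, while the `-a 10.10.10.1/32` rule carries no `:service` part. Per the syslogd(8) manual, an `-a ipaddr[/masklen][:service]` entry accepts datagrams only from the given address range and, unless the service is `*`, only from the given source port, which defaults to syslog (514). The following script is an added example, not code from the post or from FreeBSD: it applies that documented rule to tcpdump lines, so a log-collection operator can tell from a capture plus the rc.conf flags whether syslogd would accept or silently drop each datagram. The sample capture lines are constructed from the addresses and port in the post (the third line, from 10.10.10.5, is made up to show an address-range rejection); the script assumes the service is written numerically or as `*` rather than as an /etc/services name.

```python
"""Check whether FreeBSD syslogd's -a allowed_peer rules would accept the
UDP syslog datagrams seen in a tcpdump capture.

Added example; not code from the post. The acceptance rule mirrors the
syslogd(8) manual: -a ipaddr[/masklen][:service] accepts datagrams only
from the given address range and, unless service is '*', only from the
given source port, which defaults to syslog (514).
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample modelled on the tcpdump -n -vv lines in the post (same
# addresses and the FortiGate's source port 3023). The third line is a
# made-up datagram from a host outside the allowed range.
SAMPLE_CAPTURE = """\
10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 426
10.10.10.1.3023 > 10.10.10.2.514: SYSLOG, length: 295
10.10.10.5.514 > 10.10.10.2.514: SYSLOG, length: 100
"""

# Matches the "src.sport > dst.dport: SYSLOG" fragment tcpdump prints with -n.
PACKET_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): SYSLOG"
)

SYSLOG_PORT = 514

Peer = Tuple[ipaddress.IPv4Network, Optional[int]]


def parse_allowed_peer(spec: str) -> Peer:
    """Parse one -a argument into (network, required_source_port).

    A port of None means any source port (':*'). Assumption: the service is
    numeric or '*'; real syslogd also accepts names from /etc/services.
    """
    host, _, service = spec.partition(":")
    if "/" not in host:
        host += "/32"  # a bare address means a single host
    network = ipaddress.IPv4Network(host, strict=False)
    if service == "":
        port: Optional[int] = SYSLOG_PORT  # documented default
    elif service == "*":
        port = None
    else:
        port = int(service)
    return network, port


def allowed_peers_from_flags(syslogd_flags: str) -> List[Peer]:
    """Extract every -a spec from an rc.conf-style syslogd_flags string."""
    return [parse_allowed_peer(s) for s in re.findall(r"-a\s+(\S+)", syslogd_flags)]


def parse_capture(text: str) -> List[Tuple[str, int]]:
    """Pull (source_ip, source_port) from capture lines carrying a SYSLOG payload."""
    return [(m.group("src"), int(m.group("sport"))) for m in PACKET_RE.finditer(text)]


def accepted(src_ip: str, sport: int, peers: List[Peer]) -> bool:
    """True if at least one -a rule matches both the address and the source port."""
    addr = ipaddress.IPv4Address(src_ip)
    return any(addr in net and (port is None or port == sport) for net, port in peers)


def diagnose(capture: str, syslogd_flags: str) -> List[Tuple[str, int, bool]]:
    """Return (src_ip, src_port, would_be_accepted) for each datagram in the capture."""
    peers = allowed_peers_from_flags(syslogd_flags)
    return [(ip, sport, accepted(ip, sport, peers)) for ip, sport in parse_capture(capture)]


if __name__ == "__main__":
    for flags in ("-a 10.10.10.1/32", "-a 10.10.10.1/32:*"):
        print(f'syslogd_flags="{flags}"')
        for ip, sport, ok in diagnose(SAMPLE_CAPTURE, flags):
            print(f"  {ip}:{sport} -> {'accepted' if ok else 'dropped'}")
```

Run against the post's flags, every datagram from 10.10.10.1:3023 is reported as dropped because the rule implicitly requires source port 514; with `-a 10.10.10.1/32:*` the same datagrams are accepted, while the made-up 10.10.10.5 line stays rejected on address. The script models only the `-a` address and port check; it does not model `-s` secure mode or the reverse-DNS matching syslogd performs for hostname-based peers.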

