dch at skunkwerks.at
Mon Aug 7 10:40:04 UTC 2017
On Mon, 7 Aug 2017, at 07:39, Aleksandr Miroslav wrote:
> I'm looking for a mechanism to collect and store all logs into a
> centralized location. I'm not looking for a fancy graphical interface
> (a la Splunk) to search those logs just yet, just collecting them on a
> centralized server is fine for the moment.
> Is there something available in ports/base that I can use for this
> purpose? I took a quick look at ELK, it seems overly complicated, but
> iIve never used it.
While you *could* do this with base syslogd, it's not safe - you'd need
to accept inbound UDP packets on your central servers, and there's no
encryption support either.
https://www.freebsd.org/cgi/man.cgi?query=syslogd has a nice quote:
> The ability to log messages received in UDP packets is equivalent to an
unauthenticated remote disk-filling service, and should probably be
abled by default. Some sort of inter-syslogd authentication
ought to be worked out. To prevent the worst abuse, use of
the -a option
is therefore highly recommended.
Here's what I use:
- disable syslogd by default in /etc/rc.conf
- use sysutils/rsyslog8 on each server forwarding to a central rsyslogd
- sysutils/spiped as an alternative to TLS certs for securing the
rsyslog connections between systems
- rsyslog can be configured to buffer forwarding to a disk queue if the
remote instance isn't available (e.g. because you're rebooting/updating
that alone is enough to meet your needs, but adding:
is an easy additional config to get a nice searchable GUI. I'm happy to
share some configs if you want to go down this path.
More information about the freebsd-questions