log centralizer?

Dave Cottlehuber dch at skunkwerks.at
Mon Aug 7 10:40:04 UTC 2017

On Mon, 7 Aug 2017, at 07:39, Aleksandr Miroslav wrote:
> I'm looking for a mechanism to collect and store all logs into a
> centralized location. I'm not looking for a fancy graphical interface
> (a la Splunk) to search those logs just yet, just collecting them on a
> centralized server is fine for the moment.
> Is there something available in ports/base that I can use for this
> purpose? I took a quick look at ELK, it seems overly complicated, but
> I've never used it.

While you *could* do this with base syslogd, it's not safe - you'd need
to accept inbound UDP packets on your central servers, and there's no
encryption support either.
https://www.freebsd.org/cgi/man.cgi?query=syslogd has a nice quote:

>      The ability to log messages received in UDP packets is equivalent to an
>      unauthenticated remote disk-filling service, and should probably be
>      disabled by default.  Some sort of inter-syslogd authentication ought
>      to be worked out.  To prevent the worst abuse, use of the -a option is
>      therefore highly recommended.

Here's what I use:

- disable syslogd by default in /etc/rc.conf
- use sysutils/rsyslog8 on each server forwarding to a central rsyslogd
- sysutils/spiped as an alternative to TLS certs for securing the
rsyslog connections between systems
- rsyslog can be configured to buffer forwarding to a disk queue if the
remote instance isn't available (e.g. because you're rebooting/updating)

that alone is enough to meet your needs, but adding:

- sysutils/graylog 
- textproc/elasticsearch2

is an easy additional config to get a nice searchable GUI. I'm happy to
share some configs if you want to go down this path.
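
The setup described in the reply above, written out as an added example that is not part of the original post or of either project's own documentation. It is a POSIX sh script that installs the FreeBSD-side pieces: base syslogd off, rsyslogd forwarding through a spiped encrypt pipe on loopback with a disk-assisted queue, and on the central host a spiped decrypt pipe feeding an rsyslogd that listens only on 127.0.0.1. The central host name, the two port numbers, the key path and the spiped_pipe_* rc.conf variable names are assumptions (check the variables against /usr/local/etc/rc.d/spiped from the port before relying on them), as is the imtcp `address` parameter, which older rsyslog releases lack.

```shell
#!/bin/sh
# Added example (not from the original post): rsyslog-over-spiped log
# forwarding on FreeBSD. Assumed, not given in the post: the central host
# name, the two ports, the key path, and the spiped_pipe_* rc.conf variable
# names (verify against /usr/local/etc/rc.d/spiped).
set -eu

CENTRAL_HOST="${CENTRAL_HOST:-logs.example.org}"  # assumed central rsyslogd host
PLAIN_PORT=10514   # rsyslog <-> spiped, loopback only, on both ends
WIRE_PORT=10515    # spiped <-> spiped, the only port reachable over the network
KEYFILE=/usr/local/etc/spiped/rsyslog.key

# One 32-byte shared key, generated once on the central server and copied to
# each client out of band (e.g. scp). Anyone holding it can inject log lines.
gen_spiped_key() {  # $1 = key path
    mkdir -p "$(dirname "$1")"
    dd if=/dev/urandom bs=32 count=1 of="$1" 2>/dev/null
    chmod 600 "$1"
}

# rc.conf lines common to both roles: base syslogd off, rsyslogd on, one
# spiped pipe on. $1 = destdir, $2 = encrypt|decrypt, $3 = source, $4 = target
write_rc_conf() {
    mkdir -p "$1/etc"
    cat >> "$1/etc/rc.conf" <<EOF
syslogd_enable="NO"
rsyslogd_enable="YES"
spiped_enable="YES"
spiped_pipes="LOGS"
spiped_pipe_LOGS_mode="$2"
spiped_pipe_LOGS_source="$3"
spiped_pipe_LOGS_target="$4"
spiped_pipe_LOGS_key="${KEYFILE}"
EOF
}

# Client: rsyslog forwards to spiped on loopback, spiped encrypts and relays
# to the central host. The disk-assisted queue holds messages while the
# central side is down (reboot, upgrade) and flushes them when it returns.
write_client_conf() {  # $1 = destdir (/ on a real host)
    mkdir -p "$1/usr/local/etc" "$1/var/spool/rsyslog"
    cat > "$1/usr/local/etc/rsyslog.conf" <<EOF
module(load="imuxsock")  # local syslog socket
module(load="imklog")    # kernel messages
global(workDirectory="/var/spool/rsyslog")

# Queue: in memory first, spilling to fwd_central.* in workDirectory, saved
# across restarts, retried forever instead of discarded.
action(type="omfwd" target="127.0.0.1" port="${PLAIN_PORT}" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwd_central"
       queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
EOF
    write_rc_conf "$1" encrypt "[127.0.0.1]:${PLAIN_PORT}" "${CENTRAL_HOST}:${WIRE_PORT}"
}

# Server: spiped decrypts on the wire port and hands plaintext to rsyslog on
# loopback, so rsyslog itself never exposes a network-facing listener.
write_server_conf() {  # $1 = destdir
    mkdir -p "$1/usr/local/etc" "$1/var/log/central"
    cat > "$1/usr/local/etc/rsyslog.conf" <<EOF
module(load="imtcp")
# address= needs a recent rsyslog; if yours lacks it, block ${PLAIN_PORT} in pf.
input(type="imtcp" address="127.0.0.1" port="${PLAIN_PORT}")

# One file per sending host and program. secpath-replace neutralises "/" and
# ".." in sender-controlled values, so a hostname cannot escape the tree.
template(name="perhost" type="string"
         string="/var/log/central/%hostname:::secpath-replace%/%programname:::secpath-replace%.log")
action(type="omfile" dynaFile="perhost" dirCreateMode="0750" fileCreateMode="0640")
EOF
    write_rc_conf "$1" decrypt "[0.0.0.0]:${WIRE_PORT}" "[127.0.0.1]:${PLAIN_PORT}"
}

main() {
    case "${1:-}" in
        key)    gen_spiped_key "$KEYFILE" ;;
        client) write_client_conf / ;;
        server) write_server_conf / ;;
        *)      echo "usage: $0 key|client|server" ;;
    esac
}
main "$@"
```

Run `sh setup.sh key` on the central host, copy the key to each client, then `sh setup.sh server` there and `sh setup.sh client` on every forwarder, followed by `service syslogd stop; service spiped start; service rsyslogd start`. Only the wire port needs to be open in the firewall on the central host; the plaintext port stays on loopback at both ends, and the spiped key is the only credential, so treat it like an SSH host key.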


More information about the freebsd-questions mailing list