FreeBSD syslogd in a jail
I am using the host IP on all jails (ip4 = inherit), and I allow raw sockets. The common section of my jail.conf:

    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;
    mount.devfs;
    allow.raw_sockets;

    # Set defaults
    ip4 = inherit;
    persist;

Note that syslog over UDP does not need raw sockets; allow.raw_sockets is there for tools like ping(8), and it does widen what a jailed process can do on the network.
I have two jails: jsyslog will be the syslogd server and jroot will be the client.
The syslog server config can be anything you like. I have removed all the standard log files and replaced them with my own multi-directory file structure:

    # System logs
    security.*                                       /var/log2/sys/security.log
    auth.info;authpriv.info                          /var/log2/sys/auth.log
    *.notice;kern.debug;lpr.info;mail.crit;news.err  /var/log2/sys/system.log
    cron.*                                           /var/log2/sys/cron.log
    *.crit                                           /var/log2/sys/critical.log

    # Mail logs
    mail.info                                        /var/log2/mail/info.log
I rotate all my logs when they hit 1 MB (the size column is in kilobytes), and I delete old archives when there are 5 or 7 of them (the count column). Flags: J compresses rotated files with bzip2, C creates the log file if it doesn't exist.

    # System logs
    # -----------
    /var/log2/sys/security.log   640  7  1000  *  JC
    /var/log2/sys/auth.log       640  7  1000  *  JC
    /var/log2/sys/system.log     640  5  1000  *  JC
    /var/log2/sys/cron.log       640  7  1000  *  JC
    /var/log2/sys/critical.log   640  7  1000  *  JC

    # Mail
    # ----
    /var/log2/mail/info.log      640  7  1000  *  JC

After rotating, newsyslog signals syslogd through its default pid file; since syslogd runs inside the same jail as these files, that works without any extra configuration.
Remember to start syslogd in jsyslog without the -s flag (FreeBSD's default syslogd_flags is "-s", which makes syslogd refuse messages from the network), and make sure UDP port 514, the default syslog port, is free in that jail. Because this syslogd now accepts remote messages, consider restricting the peers it will accept with -a rather than taking input from anyone who can reach the port.
The only thing jroot does is redirect everything to the remote syslog server. Everything in its syslog.conf is commented out except this line:

    *.* @loghost.chaos.local
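To see what the two configs above actually do with a given message, here is an added example (not from the original post) that models the selector matching of BSD syslogd in Python: it parses the jsyslog and jroot syslog.conf lines shown above, decodes the <PRI> header that logger(1) puts in front of each message, and reports which actions a message would reach. The sample messages are constructed; the facility and severity numbers are the RFC 3164 values plus FreeBSD's security, ntp and console facilities, and the one subtlety it models is that within a single selector line a later selector for a facility overrides an earlier one, so `*.notice;...;mail.crit` logs mail to system.log only at crit and above.

```python
"""Offline model of how BSD syslogd routes a message by its syslog.conf
selectors (added example, not from the original post).

Assumptions not stated on the page: RFC 3164 facility/severity numbers plus
FreeBSD's ntp, security and console facilities; selectors use the plain
'facility.level' form, where a level selects that level and everything more
severe; within one line, a later selector for the same facility overrides an
earlier one ('*' included), which is how FreeBSD's syslogd builds its
per-facility priority mask.
"""
import re

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "security": 13, "console": 14,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# The server-side (jsyslog) syslog.conf from the post.
JSYSLOG_CONF = """
# System logs
security.*                                       /var/log2/sys/security.log
auth.info;authpriv.info                          /var/log2/sys/auth.log
*.notice;kern.debug;lpr.info;mail.crit;news.err  /var/log2/sys/system.log
cron.*                                           /var/log2/sys/cron.log
*.crit                                           /var/log2/sys/critical.log
# Mail logs
mail.info                                        /var/log2/mail/info.log
"""
# The client-side (jroot) syslog.conf from the post: forward everything.
JROOT_CONF = "*.*   @loghost.chaos.local"


def parse_rule(line):
    """Turn one 'selector action' line into (per-facility mask, action)."""
    selector, action = line.split(None, 1)
    pmask = {}  # facility number -> least severe level that is still logged
    for item in selector.split(";"):
        facs, level = item.rsplit(".", 1)
        targets = (list(FACILITIES.values()) if facs == "*"
                   else [FACILITIES[f] for f in facs.split(",")])
        for fac in targets:
            if level == "none":
                pmask.pop(fac, None)  # facility explicitly excluded
            else:
                pmask[fac] = SEVERITIES["debug" if level == "*" else level]
    return pmask, action.strip()


def parse_conf(text):
    """Parse a syslog.conf body, skipping blank lines and comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def decode_pri(message):
    """Split the leading <PRI> into (facility, severity). syslogd treats a
    message without a PRI header as user.notice."""
    m = re.match(r"<(\d{1,3})>", message)
    if not m:
        return FACILITIES["user"], SEVERITIES["notice"]
    pri = int(m.group(1))
    return pri >> 3, pri & 7


def route(message, rules):
    """Return the actions a message is written to, in syslog.conf order."""
    fac, sev = decode_pri(message)
    # Lower numbers are more severe, so 'sev <= mask' means the message is
    # at least as severe as the configured level.
    return [action for pmask, action in rules
            if fac in pmask and sev <= pmask[fac]]


def logger_message(facility, level, tag, text):
    """Encode a message the way logger(1) does: <PRI> followed by the body.
    Timestamp and hostname here are constructed placeholders."""
    pri = (FACILITIES[facility] << 3) | SEVERITIES[level]
    return f"<{pri}>Jan  1 00:00:00 jroot {tag}: {text}"


if __name__ == "__main__":
    server = parse_conf(JSYSLOG_CONF)
    client = parse_conf(JROOT_CONF)
    samples = [  # constructed test messages
        logger_message("auth", "info", "sshd[123]", "Accepted publickey for root"),
        logger_message("mail", "notice", "sendmail[45]", "queue run"),
        logger_message("mail", "crit", "sendmail[45]", "cannot open /var/spool"),
        logger_message("security", "notice", "ipfw", "Deny TCP 10.0.0.9:4444"),
        "plain message with no PRI header",
    ]
    for msg in samples:
        print(f"{msg!r}\n  jroot   -> {route(msg, client)}"
              f"\n  jsyslog -> {route(msg, server)}")
```

Running it shows, for instance, that a mail.notice message lands only in /var/log2/mail/info.log (the mail.crit selector on the system.log line has overridden *.notice for the mail facility), that security.notice ends up in both security.log and system.log, and that every message leaving jroot matches the single forwarding action.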
I have an alias for loghost in my /etc/hosts:

    ::1             localhost localhost.my.domain
    127.0.0.1       localhost localhost.my.domain
    # This one is the important line
    192.168.1.3     loghost.chaos.local loghost
Since no logs are stored in the jail, newsyslog shouldn't do anything. You can either disable it or comment out /etc/newsyslog.conf. I've commented out the config file, because newsyslog isn't only started from cron; any program could invoke it, and an empty config is harmless no matter who runs it.
Remember to change the syslogd flags in rc.conf as well. With ip4 = inherit, every syslogd that shares the host's addresses competes for the same UDP port, so the daemons other than the one in jsyslog can't also listen on 514 and have to bind to different ports. I'm using these flags:

    syslogd_enable="YES"
    syslogd_flags="-s -b :5141"

-b :5141 binds the socket to port 5141 on all addresses, and a single -s stops that syslogd from accepting remote messages while still letting it forward; a double -ss would not open a network socket at all and would break the forwarding.
Testing if it works
If you enter the jroot jail, you can use logger(1) to test whether the messages arrive; its -p option lets you pick the facility and level, so you can exercise each selector in the server's syslog.conf. If it doesn't work, you always have the possibility of starting syslogd manually, probably using the debug flag (-d; BSD extension), which keeps it in the foreground and prints what it is doing.