2021-10-17 +0200 12:00:00 CEST

0chaos.eu

/posts/2021/10/freebsd-syslogd-in-jail/


security freebsd jails syslog

FreeBSD syslogd in a jail

Configuration

I am using the host IP on all jails (ip4 = inherit), and I allow raw sockets:

/etc/jail.conf

exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
allow.raw_sockets;

# Set defaults
ip4 = inherit;
persist;

I have two jails: jsyslog will be the syslogd server and jroot will be the client.

jsyslog

The syslog server config can be anything you like. I have removed all the standard log files and replaced them with my own multi-directory file structure.

/etc/syslog.conf

# System logs
security.*                                      /var/log2/sys/security.log
auth.info;authpriv.info                         /var/log2/sys/auth.log
*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log2/sys/system.log
cron.*                                          /var/log2/sys/cron.log
*.crit                                          /var/log2/sys/critical.log

# Mail logs
mail.info                                       /var/log2/mail/info.log

I rotate all my logs when they hit 1 MB (the size column is in kilobytes), and I delete the oldest archive when there are 5 or 7 files (the count column). Flags:

-J Compress files with bzip2. -C Create files if they don’t exist.

/etc/newsyslog.conf

# System logs
# -----------
/var/log2/sys/security.log              640  7     1000 * JC
/var/log2/sys/auth.log                  640  7     1000 * JC
/var/log2/sys/system.log                640  5     1000 * JC
/var/log2/sys/cron.log                  640  7     1000 * JC
/var/log2/sys/critical.log              640  7     1000 * JC

# Mail
# ----
/var/log2/mail/info.log                 640  7     1000 * JC

Remember to start syslogd without any -s flags, and make sure port 514 is free (514 is the default port).

jroot

The only thing jroot does is redirect everything to the remote syslog server.

/etc/syslog.conf

# Everything is commented out except this:
*.*                                             @loghost.chaos.local

I have an alias for loghost in my /etc/hosts file:

/etc/hosts

::1                     localhost localhost.my.domain
127.0.0.1               localhost localhost.my.domain

# This one is the important line
192.168.1.3             loghost.chaos.local loghost

Since no logs are stored in the jail, newsyslog shouldn’t do anything. You can either disable it or comment out /etc/newsyslog.conf. I’ve commented out the config file, because newsyslog could be started by any program.

Remember to change the syslogd_flags in /etc/rc.conf: multiple syslogd daemons can’t listen on the same port, so each one has to bind to a different port. I’m using these flags:

/etc/rc.conf

syslogd_enable="YES"
syslogd_flags="-s -b :5141"

Testing if it works

If you enter the jroot jail, you can use logger(1) to test whether the messages arrive. If it doesn’t work, you always have the possibility of starting syslogd manually, probably with the debug flag (-d; BSD extension).
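As an added example (not from the original post), the following POSIX sh checks cover the jroot side of the configuration above before you reach for logger(1): the forward rule and the absence of local file targets in syslog.conf, the -s/-b flags in rc.conf, the loghost entry in /etc/hosts, and a fully commented-out newsyslog.conf. The function names are my own and the usage comment assumes the jail root is /usr/jails/jroot.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the jroot (client)
# side of the setup. Every function takes explicit file paths so it can be
# pointed at a jail root, e.g. check_client_rc_conf /usr/jails/jroot/etc/rc.conf

# syslog.conf must forward *.* to a remote host and have no local file targets
# (nothing should be written inside the jail).
check_client_syslog_conf() {
    awk '/^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
         $1 == "*.*" && $2 ~ /^@/    { fwd = 1 }     # the @loghost rule
         $2 ~ /^\//                  { local = 1 }   # a /path action: not wanted here
         END { exit !(fwd && !local) }' "$1"
}

# rc.conf: exactly one -s (secure mode: accept nothing from the network; -ss
# would also stop forwarding) and a -b binding to a port other than the
# default 514, so the jail's syslogd does not collide with jsyslog on 514.
check_client_rc_conf() {
    flags=$(sed -n 's/^syslogd_flags="\(.*\)"/\1/p' "$1")
    case " $flags " in *" -s "*) ;; *) return 1 ;; esac
    port=$(printf '%s\n' "$flags" | sed -n 's/.*-b[[:space:]]*[^ ]*:\([0-9][0-9]*\).*/\1/p')
    [ -n "$port" ] && [ "$port" != 514 ]             # -b without :port means 514
}

# The host named after the @ in syslog.conf must be listed in /etc/hosts,
# otherwise the forward target cannot be resolved from inside the jail.
check_loghost_in_hosts() {
    host=$(awk '!/^[[:space:]]*#/ && $1 == "*.*" && $2 ~ /^@/ {
                    sub(/^@/, "", $2); sub(/:[0-9]+$/, "", $2); print $2; exit }' "$1")
    [ -n "$host" ] || return 1
    awk -v h="$host" '!/^[[:space:]]*#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                      END { exit !found }' "$2"
}

# newsyslog.conf in the client must have no active (uncommented) entries at all.
check_client_newsyslog_conf() {
    awk '!/^[[:space:]]*#/ && NF { active = 1 } END { exit active + 0 }' "$1"
}
```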