0

I'm trying to send logs from a jail to the host system on FreeBSD 10.

I think everything is set up correctly but I can't get it working.

Sending logs directly from Nginx 1.7 works but not sending logs via syslog (e.g. PHP-FPM).


This is my host's /etc/rc.conf:

syslogd_flags="-a 10.0.0.1/24:* -v -v -C"

My host's etc/syslog.conf:

+ABCD
*.=info                                         /var/log/jails/ABCD/nginx-access.log
*.=error                                        /var/log/jails/ABCD/nginx-error.log
*.*                                             /var/log/jails/ABCD/all.log

This is the jail's etc/rc.conf:

syslogd_flags="-ss -v -v"

And the jail's etc/syslog.conf:

!php-fpm
*.*                                             @127.0.0.1

etc/hosts is set up in both systems.


Sending logs manually directly to the host with logger works.

Using the debugging function I can see that the jail is forwarding logs that I create manually with logger -t php-fpm:

Logging to FORW 127.0.0.1

But the logs never arrive on the host. The debugger there doesn't receive any message. Doing the same with Nginx's built-in syslog function works.

I already tried setting syslogd_flags="-s -v -v". I then can't send any logs manually any more and the situation doesn't change.

basbebe

2 Answers

1

As @citrin mentions, the -ss flag is not what you want.

The following works for me, on FreeBSD 12.1, with no vnet virtualization configured.

192.168.1.1 is the IP of the host.
192.168.1.68 is the IP of the jail.
Make sure the host and the jail can ping each other.
Make sure you have no firewall rules blocking UDP port 514 between the host and the jail.

In the jail:

# sysrc syslogd_enable=yes
# sysrc syslogd_flags="-s -vv"
# cat /etc/syslog.conf
*.*                                             @192.168.1.1
# grep 192.168 /etc/hosts
#       192.168.0.0     -   192.168.255.255
192.168.1.68            jail
192.168.1.1             host
# service syslogd stop
# service syslogd start

On the host:

# sysrc syslogd_enable="yes"
# sysrc syslogd_flags="-a 192.168.1.68 -vv"
# tail -4 /etc/syslog.conf

+jail
*.*                                /var/log/test-jail.log

# touch /var/log/test-jail.log
# grep 192.168 /etc/hosts
#       192.168.0.0     -   192.168.255.255
192.168.1.1             vlan3
192.168.1.68            jail
# service syslogd stop
# service syslogd start

If that still doesn't work for you, there are some good troubleshooting suggestions in the FreeBSD Handbook page on syslogd. The most notable is the use of the -d switch on the host side:

# sysrc syslogd_flags="-d -a 192.168.1.68 -vv"

That generates a lot of output, so read through it carefully.

Finally, remote syslogging is sometimes a bit fiddly, for reasons perhaps a more senior admin can add in comments. I have the best success when I do not reference /etc/hosts entries in the syslogd_flags string. Using literal IP numbers works better for me. That might be due to not using a legit fully-qualified domain name and/or a real DNS name. As time permits, I will explore those possibilities and update this answer.

Update:

After setting up some test DNS entries and trying various configurations, I think that whatever difficulties I had earlier were due to either hurried work and/or inconsistent attention to detail. Once I have a solid /etc/syslog.conf framework on both jail and host, along with syslog-friendly firewall entries, it appears that my jail-to-host remote logging works using either proper DNS names, /etc/hosts entries, or raw IP numbers.

Jim L.
0

With the -ss flags, syslogd doesn't open any sockets, even to send logs to another host. In the jail, use syslogd_flags="-s -b localhost"

Configure php-fpm in the jail to log via the unix socket to the local syslogd, and verify that messages from php-fpm can be written to a file by the local syslogd.

php-fpm.conf:

error_log = syslog;
syslog.facility = local7

/etc/syslog.conf

!*
local7.* /var/log/for-test-php.log

If messages are written to the log inside the jail, replace the path to the file with @10.x.x.x, where 10.x.x.x is the IP address of the main host, reachable from the jail.

On the main host you can run syslogd in the foreground to check if messages are received:

service syslogd stop
syslogd -a 10.0.0.1/24:* -v -v -d
....
Ctrl+C
service syslogd start

citrin
  • `localhost` is defined as `127.0.0.1` in the jail's `hosts` file. That is the address of the host. Is that correct? Or should I bind the jail's syslog to the jail's IP? Either way: The problem persists. Logs are being written to file if I want to. If I want to forward them, the debug mode in the jail tells me they're being forwarded but the debugger in the host never gets a message. Not even `logger -h 127.0.0.1 "test"` reaches the host then. – basbebe Apr 02 '15 at 15:21
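
Added example (not part of either answer, and not FreeBSD's own tooling): a small sh lint for the jail-side settings both answers discuss, which reports when `-ss` in `syslogd_flags` is combined with an `@host` forwarding action in `syslog.conf`. The function names and the sample file are constructed for illustration; the set of options treated as taking an argument is an assumption based on syslogd(8).

```shell
#!/bin/sh
# Added example: lint jail-side syslogd settings before debugging the network.

# forward_targets FILE: print the host part of every "@host" action line.
forward_targets() {
    # Skip comments, blank lines and !program / +host / -host selector lines.
    awk '!/^[ \t]*([#!+-]|$)/ && $NF ~ /^@/ { sub(/^@/, "", $NF); print $NF }' "$1"
}

# socket_mode FLAGS: classify syslogd_flags by how many times -s is given.
#   open = no -s, send-only = -s, none = -ss (no network socket at all)
socket_mode() {
    set -f                                  # flags may contain "*" (-a 10.0.0.1/24:*)
    n=0; skip=0
    for tok in $1; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case $tok in
            -[abflmPpSO]) skip=1 ;;         # option whose argument is the next word
            -[abflmPpSO]*) ;;               # argument attached to the option letter
            -*) s=$(printf %s "$tok" | tr -cd s); n=$((n + ${#s})) ;;
        esac
    done
    set +f
    case $n in 0) echo open ;; 1) echo send-only ;; *) echo none ;; esac
}

# check_jail FLAGS FILE: status 0 if forwarding can work, 1 if -ss blocks it,
# 2 if the file has no forwarding action.
check_jail() {
    mode=$(socket_mode "$1")
    targets=$(forward_targets "$2" | tr '\n' ' ')
    if [ -z "$targets" ]; then echo "no @host action in $2"; return 2; fi
    if [ "$mode" = none ]; then
        echo "FAIL: -ss opens no network socket; cannot forward to $targets"
        return 1
    fi
    echo "ok: mode=$mode, forwards to $targets"
}

# Constructed sample: the jail syslog.conf from the question.
sample=$(mktemp)
printf '!php-fpm\n*.*\t\t@127.0.0.1\n' > "$sample"
check_jail "-ss -v -v" "$sample" || true    # flags from the question
check_jail "-s -vv" "$sample" || true       # flags from the first answer
rm -f "$sample"
```

A passing result only confirms that the jail's syslogd is able to send; the host still needs a matching `-a` allowed peer and an open UDP port 514, as the first answer describes.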