The Community Forums

Set up server as remote logging host

Discussion in 'General Discussion' started by outpostmm, Jun 16, 2016.

  1. outpostmm

    outpostmm Member

    Joined:
    Dec 3, 2008
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    I have a pfSense firewall appliance in front of the cPanel server, and I'm trying to configure pfSense to send its system logs to the cPanel server; the firewall has already failed once and I'm not sure why.

    How do I configure the cPanel server to accept logs from pfSense without interfering with the cPanel logging? This server is running CentOS 7.2 and WHM 56. The pfSense GUI is fairly straightforward, but I'm not sure how to configure the cPanel server to accept the logs. The firewall is at 192.168.1.1 on the LAN.

    Thanks
     
  2. outpostmm

    outpostmm Member

    I was able to use tcpdump to verify that the cPanel server is receiving logging traffic on UDP port 514 from the pfSense device, but I can't get the server to write those messages to a log file. I'm using this for the rsyslog.conf file:

    Code:
    # rsyslog configuration file
    
    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
    
    #### MODULES ####
    
    # The imjournal module below is now used as a message source instead of imuxsock.
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imjournal # provides access to the systemd journal
    #$ModLoad imklog # reads kernel messages (the same are read from journald)
    #$ModLoad immark  # provides --MARK-- message capability
    
    # Provides UDP syslog reception
    # With the legacy directives the bind address has to be set BEFORE
    # $UDPServerRun: that directive creates the listener with whatever
    # address is current at that point, so the original order (Run, then
    # Address) left the socket on 0.0.0.0, which is what netstat showed.
    $ModLoad imudp
    $UDPServerAddress 10.10.10.130
    $UDPServerRun 514
    
    # Provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514
    
    
    #### GLOBAL DIRECTIVES ####
    
    # Where to place auxiliary files
    $WorkDirectory /var/lib/rsyslog
    
    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    
    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on
    
    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf
    
    # Turn off message reception via local log socket;
    # local messages are retrieved through imjournal now.
    $OmitLocalLogging on
    
    # File to store the position in the journal
    $IMJournalStateFile imjournal.state
    
    
    #### RULES ####
    
    if $fromhost-ip == '10.10.10.129' then /var/log/pfsense.log
    & ~
    
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                                 /dev/console
    
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none                /var/log/messages
    
    # The authpriv file has restricted access.
    authpriv.*                                              /var/log/secure
    
    # Log all the mail messages in one place.
    mail.*                                                  -/var/log/maillog
    
    
    # Log cron stuff
    cron.*                                                  /var/log/cron
    
    # Everybody gets emergency messages
    *.emerg                                                 :omusrmsg:*
    
    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                                          /var/log/spooler
    
    # Save boot messages also to boot.log
    local7.*                                                /var/log/boot.log
     
  3. outpostmm

    outpostmm Member

    According to netstat -tulpn, it looks like rsyslog might not be listening on port 514:

    Code:
    udp        0      0 0.0.0.0:514             0.0.0.0:*                           7461/rsyslogd
    udp6       0      0 :::514                  :::*                                7461/rsyslogd
    
    The "State" column is blank, it does not say "listen".
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Have you created the /var/log/pfsense.log file on this system with 0640 permissions and restarted rsyslogd on the cPanel server after making the changes to its configuration file?

    Thank you.
     
  5. outpostmm

    outpostmm Member

    I've been restarting rsyslog regularly during this process, my first edit to the file caused it to log everything to a custom file so I at least know that I'm editing the right file. I did create the pfsense.log file as root, at 0644.

    Other than verifying that the server is receiving the UDP messages on port 514, I'm not sure how else to proceed. Maybe the rule in rsyslog.conf just isn't matching, for example, but I'm not sure how to test that. When I run this:

    Code:
    tcpdump -i em1 -c25 -nnS udp
    I see the packets coming in like this:

    Code:
    11:22:02.840991 IP 10.10.10.129.514 > 10.10.10.130.514: SYSLOG local0.info, length: 142
    11:22:02.841079 IP 10.10.10.129.514 > 10.10.10.130.514: SYSLOG local0.info, length: 167
    11:22:04.841013 IP 10.10.10.129.514 > 10.10.10.130.514: SYSLOG local0.info, length: 173
    Those are actually WAN IPs; I'm just changing the first 3 octets. I've also been grepping for "syslog" in /var/log/messages, but I haven't seen any errors that I don't know the cause of (a few errors caused by mistakes in the conf file, which I fixed). I do see some entries like the following, but they don't look like errors.

     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    You may need to consult with a qualified system administrator to help determine how to properly configure this software. You can find a list of system administration services at:

    System Administration Services

    Thank you.
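Pulling the thread together as an added example (written here; it is not code from the posters or from cPanel): one script that sets up the pfSense receiver the way a practitioner would on CentOS 7 with rsyslog 7, then checks the two things post 5 was unsure how to test: whether messages actually travel from the UDP input into the file, and what the PRI value carried by those tcpdump "SYSLOG local0.info" lines decodes to. Instead of the `if $fromhost-ip == ...` rule from post 2 it binds a dedicated ruleset to the imudp input, so remote messages never fall through into the cPanel host's default rules (no pfSense noise in /var/log/messages) and a locally injected test message exercises the same path. Assumptions, all placeholders unless noted: PFSENSE_IP is 192.168.1.1 as stated in post 1; LISTEN_IP, LOGFILE and the drop-in filename are my choices; the host firewall is firewalld (if CSF manages the firewall, which is common on cPanel boxes, allow udp/514 from PFSENSE_IP there instead); `logger` is the util-linux one with -d/-n/-P.

```shell
#!/bin/sh
# Added example: pfSense -> rsyslog (CentOS 7 / rsyslog 7.x) remote log receiver.
# Not from the original thread. Placeholders: PFSENSE_IP (192.168.1.1 per post 1),
# LISTEN_IP (server address to bind; 0.0.0.0 = all), LOGFILE, CONF.
set -u

PFSENSE_IP="${PFSENSE_IP:-192.168.1.1}"
LISTEN_IP="${LISTEN_IP:-0.0.0.0}"
LOGFILE="${LOGFILE:-/var/log/pfsense.log}"
CONF="${CONF:-/etc/rsyslog.d/10-pfsense.conf}"

# Drop-in config. Messages arriving on this input are handled by the "pfsense"
# ruleset only; they never reach the default rules in /etc/rsyslog.conf, so no
# $fromhost-ip test or "& ~" discard is needed. Source restriction is done in
# the firewall below, not in rsyslog.
pfsense_rsyslog_conf() {
  cat <<EOF
# pfSense remote syslog receiver (written by the added example script)
module(load="imudp")
ruleset(name="pfsense") {
    action(type="omfile" file="${LOGFILE}" fileCreateMode="0640")
}
input(type="imudp" address="${LISTEN_IP}" port="514" ruleset="pfsense")
EOF
}

# Decode a syslog PRI (<134> in the datagram) into facility.severity, the
# same names rsyslog selectors use; tcpdump printed these as "local0.info".
decode_pri() {
  pri=$1
  fac=$((pri / 8)); sev=$((pri % 8))
  set -- kern user mail daemon auth syslog lpr news uucp cron authpriv ftp \
         ntp security console solaris-cron local0 local1 local2 local3 \
         local4 local5 local6 local7
  shift "$fac"; facname=$1
  set -- emerg alert crit err warning notice info debug
  shift "$sev"; sevname=$1
  echo "$facname.$sevname"
}

install_receiver() {
  # Write the drop-in, validate the whole config tree (rsyslogd -N1 parses
  # rsyslog.conf plus /etc/rsyslog.d/*.conf), open udp/514 to pfSense only,
  # pre-create the file with the mode cPanelMichael suggested, restart.
  pfsense_rsyslog_conf > "$CONF"
  rsyslogd -N1 || { echo "rsyslog config check failed; not restarting" >&2; return 1; }
  touch "$LOGFILE" && chmod 0640 "$LOGFILE" && chown root:root "$LOGFILE"
  rule="rule family=\"ipv4\" source address=\"${PFSENSE_IP}\" port port=\"514\" protocol=\"udp\" accept"
  firewall-cmd --permanent --add-rich-rule="$rule" && firewall-cmd --reload
  systemctl restart rsyslog
}

verify_receiver() {
  # UDP sockets have no LISTEN state; a udp/514 line owned by rsyslogd in
  # ss/netstat output is all there is to see (post 3's output was fine).
  ss -ulnp | grep -q ':514 ' || { echo "rsyslogd is not bound to udp/514" >&2; return 1; }
  # End-to-end check: inject one datagram through the same UDP input with
  # logger (-d UDP, -n server, -P port) and look for it in the file.
  target="$LISTEN_IP"; [ "$target" = "0.0.0.0" ] && target=127.0.0.1
  marker="pfsense-receiver-test-$$"
  logger -d -n "$target" -P 514 -p local0.info "$marker"
  sleep 1
  if ! grep -q "$marker" "$LOGFILE"; then
    echo "datagram received but nothing written to $LOGFILE" >&2
    echo "recent SELinux denials for rsyslogd, if any:" >&2
    ausearch -m avc -c rsyslogd 2>/dev/null | tail -n 5 >&2
    return 1
  fi
  echo "receiver OK: $marker written to $LOGFILE"
}

case "${1:-}" in
  install) install_receiver ;;
  verify)  verify_receiver ;;
  show)    pfsense_rsyslog_conf ;;
  pri)     decode_pri "$2" ;;
  *)       : ;;   # no verb: just define the functions (e.g. when sourced)
esac
```

Run as root: `sh receiver.sh install`, then `sh receiver.sh verify`; `sh receiver.sh pri 134` prints `local0.info`. If `verify` reports a receive-but-no-write failure, the usual suspects on CentOS 7 are an SELinux denial (shown by the ausearch line) or a destination file created with a non-default context; if `ss` shows no udp/514 socket at all, the drop-in was not loaded, which `rsyslogd -N1` will explain.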
     