Set up server as remote logging host

[outpostmm]

Hello,

I have a pfSense firewall appliance in front of the cPanel server, and I'm trying to configure pfSense to send its system logs to the cPanel server, the firewall has already failed once and I'm not sure why.

How do I configure the cPanel server to accept logs from pfSense without interfering with the cPanel logging? This server is running CentOS 7.2 and WHM 56. The pfSense GUI is fairly straightforward, but I'm not sure how to configure the cPanel server to accept the logs. The firewall is at 192.168.1.1 on the LAN.

Thanks

 

[outpostmm]

I was able to use tcpdump to verify that the cPanel server is receiving logging traffic on UDP port 514 from the pfSense device, but I can't get the server to write those messages to a log file. I'm using this for the rsyslog.conf file:

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 10.10.10.130

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

if $fromhost-ip == '10.10.10.129' then /var/log/pfsense.log
& ~

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

 

[outpostmm]

According to netstat -tulpn, it looks like rsyslog might not be listening on port 514:

udp        0      0 0.0.0.0:514             0.0.0.0:*                           7461/rsyslogd
udp6       0      0 :::514                  :::*                                7461/rsyslogd

The "State" column is blank, it does not say "listen".

 

[cPanelMichael]

Hello,

Have you created the /var/log/pfsense.log file on this system with 0640 permissions and restarted rsyslogd on the cPanel server after making the changes to it's configuration file?

Thank you.

 

[outpostmm]

I've been restarting rsyslog regularly during this process, my first edit to the file caused it to log everything to a custom file so I at least know that I'm editing the right file. I did create the pfsense.log file as root, at 0644.

Other than verifying that the server is receiving the UDP messages on port 514, I'm not sure how else to proceed. Maybe the rule in rsyslog.conf just isn't matching, for example, but I'm not sure how to test that. When I run this:

tcpdump -i em1 -c25 -nnS udp

I see the packets coming in like this:

11:22:02.840991 IP 10.10.10.129.514 > 10.10.10.130.514: SYSLOG local0.info, length: 142
11:22:02.841079 IP 10.10.10.129.514 > 10.10.10.130.514: SYSLOG local0.info, length: 167
11:22:04.841013 IP 10.10.10.129.514 > 10.10.10.130.514: SYSLOG local0.info, length: 173

Those are actually WAN IPs, I'm just changing the first 3 octets. I've also been grepping for "syslog" in /var/log/messages but I haven't seen any errors that I don't know the cause of (a few errors caused by errors in the conf file I fixed). I do see some entries like the following, but they don't look like errors.

Jun 20 16:21:21 server7 kernel: type=1130 audit(1466464881.905:1984119): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rsyslog comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

 

[cPanelMichael]

You may need to consult with a qualified system administrator to help determine how to properly configure this software. You can find a list of system administration services at:

System Administration Services

Thank you.