
sending syslog stream from jail to host



Hello (again),

I'm trying to gather syslog events from various jails up to the host system.
On the host, I've a splunk forwarder running. It listens on every network interface by default. I've cloned lo0 to create a lo1. This "localhost" is used as primary network interface for my jails. For now, on the host, it looks like this:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:50:56:b8:33:e9
	inet 159.84.143.219 netmask 0xffffff00 broadcast 159.84.143.255 
	inet 159.84.143.174 netmask 0xffffffff broadcast 159.84.143.174 
	inet 159.84.143.168 netmask 0xffffffff broadcast 159.84.143.168 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.0.174 netmask 0xffffffff 
	inet 127.0.0.168 netmask 0xffffffff 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160


And inside one jail, it looks like this:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:50:56:b8:33:e9
	inet 159.84.143.168 netmask 0xffffffff broadcast 159.84.143.168 
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.0.168 netmask 0xffffffff 
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160

This jail's /etc/syslog.conf ends with:

!*
*.*						@127.0.0.168:1234

But it seems it does not work. Sometimes it will accidentally start working, but my best guess is it highly depends on services start order (host pf, host splunk forwarder, jail network, jail syslogd).

Host's pf.conf has many rules, but this should be enough to allow what I need:

loc_if="lo0"
jail_if="lo1"
set skip on $loc_if
set skip on $jail_if

Any hint?

Patrick