Packetwatch.net

Syslog-ng in OpenBSD



Last modified: Dec. 9, 2009

Contents
1 - Summary
2 - Dependencies
3 - Syslog-ng installation
4 - Service configuration
5 - Service check


1 - Summary

This guide will show you how to install syslog-ng in OpenBSD. This has been
tested in OpenBSD 4.3, 4.4 and 4.6.


2 - Dependencies

I've created a shell script that can search the list of available packages.

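#!/bin/sh
# This script will look for packages with the search term.

echo=/bin/echo
lynx=/usr/bin/lynx
tr=/usr/bin/tr
cut=/usr/bin/cut
grep=/usr/bin/grep

# Release and architecture default to those of the running system
# unless rel and arch are already set in the environment.
rel=${rel:-$(uname -r)}
arch=${arch:-$(machine -a)}
pkg_path=ftp://ftp.openbsd.org/pub/OpenBSD/$rel/packages/$arch/index.txt

if [ $# -ne 1 ]
    then
        # Wrong number of arguments: show usage and report failure.
        $echo "Usage: pkg_find [string]" >&2
        exit 1
    else
        # check if a valid parameter
        if [ "$1" = "-help" ]
            then
                $echo "Usage: pkg_find [string]"
            else
                # Keep field 10 of each listing line (the package file name).
                # The search term is quoted and placed after "--" so grep
                # treats it as one pattern and never as an option.
                $lynx -dump "$pkg_path" | $tr -s " " | $cut -d " " -f 10 | $grep -i -- "$1"
        fi
fi
exit 0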

# cd ~
# vi pkg_find
# sudo chown root:bin pkg_find
Password:
# sudo chmod 555 pkg_find
Password:
# sudo mv pkg_find /usr/sbin/
Password:

Here is an example of what it can do.
# pkg_find -help
Usage: pkg_find [string]
# pkg_find syslog-ng
syslog-ng-*.tgz


3 - Syslog-ng installation

Install the syslog-ng package.
# pkg_find syslog
syslog-ng-*.tgz
# sudo pkg_add syslog-ng-*.tgz
Password:


4 - Service configuration

Find where the syslog-ng daemon was installed to.
# pkg_info -L syslog-ng-* | grep sbin
/usr/local/sbin/syslog-ng

Run ldd to display the shared objects (.so) needed to run the syslog-ng daemon.
If there are any shared objects in /usr/local you will need to run ldconfig.
# ldd /usr/local/sbin/syslog-ng
/usr/local/sbin/syslog-ng:
        Start    End      Type Open Ref GrpRef Name
        1c000000 3c00c000 exe  1    0   0      /usr/local/sbin/syslog-ng
        06d57000 26d9e000 rlib 0    1   0      /usr/local/lib/libglib-2.0.so.1800.1
        01215000 21219000 rlib 0    2   0      /usr/local/lib/libintl.so.4.0
        0385b000 2393a000 rlib 0    2   0      /usr/local/lib/libiconv.so.6.0
        03042000 23046000 rlib 0    1   0      /usr/local/lib/libevtlog.so.0.0
        020c6000 220cb000 rlib 0    1   0      /usr/lib/libwrap.so.4.0
        035f4000 2362d000 rlib 0    1   0      /usr/lib/libc.so.51.0
        0d979000 2d98d000 rlib 0    1   0      /usr/local/lib/libpcre.so.2.3
        0c0b2000 0c0b2000 rtld 0    1   0      /usr/libexec/ld.so
# sudo ldconfig /usr/lib /usr/local/lib
Password:

Edit the /etc/rc network script so that syslog-ng starts at boot instead of
syslogd. Comment out the following lines.
  syslogd_flags="${syslogd_flags} -a /var/www/dev/log"
  syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
  syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
  syslogd ${syslogd_flags}
Add the following right below the lines you commented out.
  /sbin/ldconfig /usr/lib /usr/local/lib
  syslog_ng_flags="-p /var/run/syslog-ng.pid"
  /usr/local/sbin/syslog-ng ${syslog_ng_flags}
# sudo vi /etc/rc
Password:

Configure /etc/rc.conf so the syslog-ng service will start at boot time.
Modify it to contain the following.
  #syslogd_flags=
  syslog_ng_flags=
# sudo vi /etc/rc.conf
Password:

Find where the configuration file should be put.
# strings /usr/local/sbin/syslog-ng | grep syslog-ng.conf
  -f <fname>, --cfgfile=<fname>    Set config file name, default=/etc/syslog-ng.conf
/etc/syslog-ng.conf

You can create your own configuration file. You can use the following as your
source definition.
  source local { internal(); pipe("/dev/klog" log_prefix("kernel: ")); unix-dgram("/dev/log"); };
# pkg_info -L syslog-ng-* | grep syslog-ng.conf
/usr/local/man/man5/syslog-ng.conf.5
/usr/local/share/examples/syslog-ng/syslog-ng.conf.sample
# sudo cp /usr/local/share/examples/syslog-ng/syslog-ng.conf.sample /etc/syslog-ng.conf
Password:
# sudo cp /etc/syslog-ng.conf /etc/syslog-ng.conf.example
Password:
# sudo chmod u+w /etc/syslog-ng.conf 
Password:
# sudo vi /etc/syslog-ng.conf
Password:
# sudo /usr/local/sbin/syslog-ng -s -f /etc/syslog-ng.conf

Stop the syslog service and start the syslog-ng service.
# sudo kill -9 `cat /var/run/syslog.pid`
Password:
# sudo rm -fP /var/run/syslog.pid
Password:
# sudo ps aux | grep syslog
Password:
_syslogd  3385  0.0  0.1   352   620 ??  S     11:46AM    0:00.01 syslogd -a \
/var/www/dev/log -a /var/empty/dev/log
# sudo kill -9 3385
Password:
# sudo ps aux | grep syslog
Password:
# sudo /usr/local/sbin/syslog-ng -p /var/run/syslog-ng.pid
Password:
# sudo cat /var/run/syslog-ng.pid
Password:
29364


5 - Service check

Reboot your computer. Log in as usual and check that the syslog service isn't
running and the syslog-ng service is. That's it; you now have syslog-ng
running in OpenBSD.
# sudo shutdown -r now
Password:
# sudo ls -1 /var/run/syslog*
Password:
/var/run/syslog-ng.pid
# sudo cat /var/run/syslog-ng.pid
Password:
26820
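
A plain grep for "syslog" matches both syslogd and syslog-ng, so the check can be scripted to tell them apart and to confirm that the pid file names a running syslog-ng process. This is an added example, not part of the original guide; the helper name check_syslog and the two sample listings are assumptions, constructed from the process IDs shown above.

```sh
#!/bin/sh
# Added example (not from the original guide). check_syslog is a hypothetical
# helper: it reads "ps -axo pid,command" output on stdin and takes the
# syslog-ng pid file as $1. It prints OK or a FAIL reason and returns 0 or 1.

check_syslog() {
    pidfile=$1
    want=
    # Keep only digits from the first line of the pid file, if it is readable.
    [ -r "$pidfile" ] && want=$(head -n 1 "$pidfile" | tr -cd '0-9')
    awk -v want="$want" '
        # Reduce argv[0] to a bare name: strip a trailing ":" and any path.
        { name = $2; sub(/:$/, "", name); sub(/^.*\//, "", name) }
        name == "syslogd"   { old++ }
        name == "syslog-ng" { new++; if ($1 == want) hit = 1 }
        END {
            if (old)  { print "FAIL: syslogd still running"; exit 1 }
            if (!new) { print "FAIL: syslog-ng not running"; exit 1 }
            if (!hit) { print "FAIL: pid file does not match syslog-ng"; exit 1 }
            print "OK"
        }'
}

# Constructed sample listings (not captured from a real host).
sample_after_reboot() {
    cat <<'EOF'
  PID COMMAND
    1 /sbin/init
26820 /usr/local/sbin/syslog-ng -p /var/run/syslog-ng.pid
EOF
}

sample_leftover() {
    cat <<'EOF'
  PID COMMAND
 3385 syslogd -a /var/www/dev/log -a /var/empty/dev/log
29364 /usr/local/sbin/syslog-ng -p /var/run/syslog-ng.pid
EOF
}

# Live use on the host: sh check_syslog.sh live
if [ "${1:-}" = "live" ]; then
    ps -axo pid,command | check_syslog /var/run/syslog-ng.pid
fi
```

A stale pid file left over from an earlier start is reported as a failure even when syslog-ng itself is running.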


Packetwatch Research 2002-2017.