Hi,

> On 17 Sep 2024, at 12:06, fuxjez <m...@osfux.nl> wrote:
>
> Hi,
>
> I'm experimenting with FreeBSD 14.1's wireguard implementation.
>
> So far I've been quite satisfied with using it locally (over an unsecured
> network). I would like to set up a PoC using wg as a VPN provider (replacing
> openvpn) next.
>
> Before opening wireguard endpoints up for global connectivity I would like
> wireguard logs to be parsed by something like Fail2ban (so I can have pf ward
> off baddies). I've managed to get wireguard's logs into /var/log/messages by
> issuing:
>
> /sbin/ifconfig wg0 debug
>
> Since they are quite verbose and are polluting /var/log/messages, I'd like
> for them to land in /var/ramdisk_log/wireguard.log instead. I've instructed
> newsyslog to create the logfile:
>
> [root@system:/]# cat /var/ramdisk_log/wireguard.log
> Sep 17 00:27:36 system newsyslog[55203]: logfile first created
> [root@system:/]# ls -laht /var/ramdisk_log/wireguard.log
> -rw-rw---- 1 root wheel 66B Sep 17 00:27 /var/ramdisk_log/wireguard.log
> [root@system:/]#
>
> and have since attempted to redirect the "wg0" logs to
> /var/ramdisk_log/wireguard.log by using these syslog includes:
>
> :msg, contains, ".*wg0: .*"
> *.* /var/ramdisk_log/wireguard.log

I think the value for “contains” has to be a simple string

> and
>
> :msg, regex, "wg[0-9]{1,2}\:\ "
> *.* /var/ramdisk_log/wireguard.log

regex uses a basic RE so it would have to be "wg[0-9]\{1,2\}\:\ " (i.e. escape the { }); or if you want an extended (modern) RE:

:msg, ereregex, "wg[0-9]{1,2}\:\ "

>
> Unfortunately, the includes are not redirecting the wg0 logs to my preferred
> location (the includes are placed in /etc/syslog.d/wireguard.conf which is
> parsed by syslogd) and I'm out of ideas / logs on how to further troubleshoot
> why the logstream doesn't get redirected :(
>
> I'm hoping somebody - a little better versed in syslog - could provide me with
> some insights / pointers...
>
> Feedback appreciated!
>
> ruben
>

--
Bob Bishop
r...@gid.co.uk
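
The filter values discussed in this thread can be compared offline before reloading syslogd. The script below is an added example, not part of the original messages: it assumes grep's fixed-string, basic and extended modes are a fair stand-in for the contains, regex and ereregex operators, uses constructed log lines, and writes the patterns without the backslashes before `:` and the space.

```shell
#!/bin/sh
# Constructed sample lines for illustration; not real wireguard debug output.
SAMPLE='Sep 17 00:30:01 system kernel: wg0: constructed handshake message
Sep 17 00:30:02 system kernel: wg12: constructed keepalive message
Sep 17 00:30:03 system sshd[812]: constructed unrelated message'

# count_matches OPERATOR VALUE
# Prints how many sample lines the filter value selects.
# Assumption: grep -F / grep / grep -E stand in for syslogd's
# contains / regex (basic RE) / ereregex (extended RE) comparisons.
count_matches() {
    case "$1" in
        contains) printf '%s\n' "$SAMPLE" | grep -c -F -e "$2" ;;
        regex)    printf '%s\n' "$SAMPLE" | grep -c -e "$2" ;;
        ereregex) printf '%s\n' "$SAMPLE" | grep -c -E -e "$2" ;;
        *) echo "unknown operator: $1" >&2; return 2 ;;
    esac || true   # grep exits 1 on zero matches; the count is still printed
}

# report OPERATOR VALUE: one summary line per candidate filter.
report() {
    printf '%-9s %-22s -> %s of 3 lines\n' \
        "$1" "\"$2\"" "$(count_matches "$1" "$2")"
}

report contains '.*wg0: .*'          # regex syntax is compared literally
report contains 'wg0: '              # plain substring
report regex    'wg[0-9]{1,2}: '     # in a basic RE, { and } are literal
report regex    'wg[0-9]\{1,2\}: '   # basic RE interval
report ereregex 'wg[0-9]{1,2}: '     # extended RE interval
```

A count of 0 means the filter would route nothing to /var/ramdisk_log/wireguard.log; rerun with real wg0 lines copied from /var/log/messages to confirm against the actual message format.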