Tutorial: How To Log To Syslog
You can log to the local syslog daemon by changing a configuration setting, as shown in this tutorial.
Overview
By changing a configuration setting, as shown in this tutorial, you can have Access Server write its logs to the local syslog daemon or to an external syslog server.
- An installed Access Server. 
- Root access on the console. 
- Connect to the Access Server console and get root privileges. 
- Open the as.conf file for editing:
    nano /usr/local/openvpn_as/etc/as.conf
- At the bottom, add this line:
    SYSLOG=1
  Important: Ensure it's CAPITALIZED.
- Save and exit by pressing Ctrl+x, then y.
- Restart the Access Server service:
    systemctl restart openvpnas
  Access Server now logs to the syslog daemon, /var/log/syslog, by default.
 
Suppose you want to redirect to another syslog server on the network. In that case, you can configure the operating system's syslog daemon to redirect any Access Server service syslog line to an external network syslog server. All syslog lines regarding Access Server contain the keyword openvpnas, so it’s possible to filter for this with a rule in the syslog daemon and forward only that information.
Note
The following instructions assume you’re using the Ubuntu operating system. You may need to look up documentation and make adjustments as needed if you’re using another OS.
- Connect to the Access Server console and get root privileges. 
- Open the as.conf file for editing:
    nano /usr/local/openvpn_as/etc/as.conf
- At the bottom, add this line:
    SYSLOG=1
  Important: Ensure it's CAPITALIZED.
- Save and exit by pressing Ctrl+x, then y.
- Restart the Access Server service:
    systemctl restart openvpnas
- Create a file for the rsyslog daemon rule:
    nano /etc/rsyslog.d/openvpnas.conf
  This creates a new, empty file.
- Add this line to log to an external UDP syslog system:
    if $programname == 'openvpnas' then @remote.syslog.server
  Or add this line if it's an external TCP syslog system:
    if $programname == 'openvpnas' then @@remote.syslog.server
- Save and exit by pressing Ctrl+x, then y.
- Restart the syslog daemon:
    service rsyslog restart
Tip
(Optional) You can specify another file, like /var/log/myownfilename.log, instead of supplying a remote server address, like @remote.syslog.server.
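A receiver-side check for the forwarding rule above, as an added example that is not part of the original tutorial: it decodes the priority and program name of each forwarded line and lists anything not tagged openvpnas. The BSD-style line layout, the treatment of the program name as the tag text before "[" or ":", and the sample datagrams are assumptions constructed for illustration.

```python
import re

# Facility codes 0-11 by name; 16-23 are local0..local7 (standard syslog numbering).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog",
              "lpr", "news", "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

# Assumed BSD-style layout: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
LINE = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)"
)

def parse(datagram: bytes):
    """Decode one syslog datagram; return None if it does not fit the layout."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = LINE.fullmatch(text)
    if m is None or int(m["pri"]) > 191:      # PRI = facility * 8 + severity
        return None
    fac, sev = divmod(int(m["pri"]), 8)
    if fac < len(FACILITIES):
        facility = FACILITIES[fac]
    elif fac >= 16:
        facility = f"local{fac - 16}"
    else:
        facility = f"facility{fac}"
    return {"facility": facility, "severity": SEVERITIES[sev],
            "host": m["host"], "program": m["tag"], "msg": m["msg"]}

def unexpected(datagrams, program="openvpnas"):
    """Return the datagrams that are unparsable or not tagged with `program`."""
    return [d for d in datagrams
            if (rec := parse(d)) is None or rec["program"] != program]

# Constructed sample datagrams (not captured from a real server).
SAMPLES = [
    b"<30>Mar  4 17:13:08 vpn1 openvpnas[1423]: constructed sample message A",
    b"<30>Mar  4 17:13:09 vpn1 openvpnas: constructed sample message B",
    b"<86>Mar  4 17:13:10 vpn1 sshd[2210]: constructed sample message C",
    b"not a syslog line",
]

if __name__ == "__main__":
    for leaked in unexpected(SAMPLES):
        print("not from openvpnas:", leaked)
```

A non-empty result from unexpected() on the receiving server means the rule in /etc/rsyslog.d/openvpnas.conf is forwarding more than the Access Server lines.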
By default, Docker captures the standard output (and standard error) of all your containers and writes them in files using the JSON format.
When you install Access Server in a Docker container, the Access Server logs are stored in this JSON log file under the Linux host.
This JSON log file is generally stored at:
/var/lib/docker/containers/[container-id]/[container-id]-json.log
In addition, there are two ways to store Docker logs:
- Docker daemon logs: These logs are generated by the Docker daemon and located on the host. They provide insights into the state of the Docker platform.
- Docker container logs: These logs capture the output from applications running inside containers. 
Suppose you want to redirect to another Syslog server on the network. You can do this by using the Syslog driver and setting it in either Docker daemon logs or Docker container logs. This is explained in detail below.
Note
The following instructions assume you’re using Docker CE installed in a headless Linux environment. If you’re using desktop (GUI) environments such as Windows, macOS, or Linux, you may need to look up documentation for Docker Desktop and make adjustments as needed. However, there is no guarantee that this will work in Docker Desktop.
Option 1: Configuring Syslog driver via Docker daemon logs
- Locate or create the daemon.json file:
  - On Linux hosts, the daemon.json file is located at /etc/docker.
  - If the file doesn't exist, create it:
      nano /etc/docker/daemon.json
- Add the following configuration:
    {
      "log-driver": "syslog",
      "log-opts": {
        "syslog-address": "udp://1.2.3.4:514"
      }
    }
  Replace 1.2.3.4 with the external Syslog server IP or domain. To use a different port, replace 514 with the desired port. The Syslog default port is UDP port 514.
  If you want to use TCP for Syslog:
    {
      "log-driver": "syslog",
      "log-opts": {
        "syslog-address": "tcp://1.2.3.4:514"
      }
    }
- Restart Docker for the changes to take effect:
    systemctl restart docker
- Verify the configuration:
    docker info | grep -i 'Logging Driver'
  Expected output:
    root@Docker:~# docker info | grep -i 'Logging Driver'
    Logging Driver: syslog
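A syntax error in daemon.json keeps the Docker daemon from starting on restart, so it is worth checking the file before the restart step. The following is an added example, not part of the original tutorial: the function name check_daemon_json and the sample strings are constructed for illustration, and it accepts only the udp and tcp transports used on this page.

```python
import json
import sys
from urllib.parse import urlsplit

def check_daemon_json(text):
    """Return (transport, host, port) for a syslog logging config, else raise ValueError."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        raise ValueError(f"invalid JSON at line {e.lineno}, column {e.colno}: {e.msg}")
    if not isinstance(cfg, dict):
        raise ValueError("top level must be a JSON object")
    if cfg.get("log-driver") != "syslog":
        raise ValueError('"log-driver" is not "syslog"')
    opts = cfg.get("log-opts")
    addr = opts.get("syslog-address") if isinstance(opts, dict) else None
    if not isinstance(addr, str):
        raise ValueError('"log-opts" has no "syslog-address" string')
    url = urlsplit(addr)
    # Only the two transports this tutorial uses are accepted here.
    if url.scheme not in ("udp", "tcp"):
        raise ValueError(f"unexpected transport {url.scheme!r} in {addr!r}")
    if not url.hostname:
        raise ValueError(f"no host in {addr!r}")
    try:
        port = url.port          # raises ValueError if non-numeric or out of range
    except ValueError:
        raise ValueError(f"bad port in {addr!r}")
    # The tutorial gives 514 as the syslog default port.
    return url.scheme, url.hostname, port if port is not None else 514

# Constructed inputs: the tutorial's UDP config, and one with a stray character.
GOOD = '{ "log-driver": "syslog", "log-opts": { "syslog-address": "udp://1.2.3.4:514" } }'
BROKEN = '{ "log-driver": "syslog", "log-opts": { "syslog-address": "udp://1.2.3.4:514"1 } }'

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"
    with open(path) as f:
        print(check_daemon_json(f.read()))
```

Docker applies a changed default logging driver only to containers created afterwards, so an existing container keeps its current driver until it is recreated.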
 
Option 2: Configuring Syslog driver via Docker container logs
- Use the docker run command to set the appropriate values for the log-driver and log-opt keys when creating the Access Server Docker container or updating an existing container:
  - If you're creating the Docker container the first time, run these commands:
      docker run -d \
        --name=openvpn-as --device /dev/net/tun \
        --cap-add=MKNOD --cap-add=NET_ADMIN \
        -p 943:943 -p 443:443 -p 1194:1194/udp \
        -v <path to data>:/openvpn \
        --log-driver=syslog \
        --log-opt syslog-address=udp://1.2.3.4:514 \
        --restart=unless-stopped \
        openvpn/openvpn-as
  - If you've already created the Access Server in Docker CE, you can remove the container and rerun the docker run commands:
    - Stop the existing container:
        docker stop openvpn-as
    - Remove the container:
        docker rm openvpn-as
      Note: Configuration files will remain intact in the persistent volume (-v <path to data>:/openvpn).
    - Recreate the container with logging options:
        docker run -d \
          --name=openvpn-as --device /dev/net/tun \
          --cap-add=MKNOD --cap-add=NET_ADMIN \
          -p 943:943 -p 443:443 -p 1194:1194/udp \
          -v <path to data>:/openvpn \
          --log-driver=syslog \
          --log-opt syslog-address=udp://1.2.3.4:514 \
          --restart=unless-stopped \
          openvpn/openvpn-as
- Verify configuration:
    docker inspect --format '{{ json .HostConfig.LogConfig }}' openvpn-as
  Expected output:
    root@Docker:~# docker inspect --format '{{ json .HostConfig.LogConfig }}' openvpn-as
    {"Type":"syslog","Config":{"syslog-address":"udp://1.2.3.4:514"}}
 
- Check the external Syslog server to confirm logs are being sent by running a tcpdump on the Docker host:
    tcpdump -eni any port 514
  Sample output:
    root@Docker:~# tcpdump -eni any port 514
    tcpdump: data link type LINUX_SLL2
    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
    listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
    17:13:08.362673 eth1 Out ifindex 3 92:70:5f:89:b2:b1 ethertype IPv4 (0x0800), length 232: 10.136.249.187.50755 > 1.2.3.4.514: SYSLOG daemon.info, length: 184
    17:13:08.363036 eth1 Out ifindex 3 92:70:5f:89:b2:b1 ethertype IPv4 (0x0800), length 226: 10.136.249.187.50755 > 1.2.3.4.514: SYSLOG daemon.info, length: 178
    17:13:08.363336 eth1 Out ifindex 3 92:70:5f:89:b2:b1 ethertype IPv4 (0x0800), length 202: 10.136.249.187.50755 > 1.2.3.4.514: SYSLOG daemon.info, length: 154
    17:13:08.363557 eth1 Out ifindex 3 92:70:5f:89:b2:b1 ethertype IPv4 (0x0800), length 253: 10.136.249.187.50755 > 1.2.3.4.514: SYSLOG daemon.info, length: 205
    17:13:08.363756 eth1 Out ifindex 3 92:70:5f:89:b2:b1 ethertype IPv4 (0x0800), length 247: 10.136.249.187.50755 > 1.2.3.4.514: SYSLOG daemon.info, length: 199