33. OpenBSD

NXLog can collect various types of system logs on OpenBSD platforms. For deployment details, see the supported OpenBSD platforms, OpenBSD installation, and monitoring.

Basic Security Mode (BSM) Auditing

The im_bsm module collects logs generated by the BSM auditing system.

Note
OpenBSD does not support BSM Auditing.
Example 168. Collecting BSM Audit Logs

This example reads BSM audit logs from the /dev/auditpipe device file.

nxlog.conf

<Input bsm>
    Module      im_bsm
    DeviceFile  /dev/auditpipe
</Input>

Custom Programs

The im_exec module allows log data to be collected from custom external programs.

Example 169. Using an External Command

This example uses the tail command to read from a file.

Note
The im_file module should be used to read log messages from files. This example only demonstrates the use of the im_exec module.
nxlog.conf

<Input exec>
    Module  im_exec
    Command /usr/bin/tail
    Arg     -f
    Arg     /var/log/messages
</Input>

DNS Monitoring

Logs can be collected from BIND 9.

File Integrity Monitoring

File and directory changes can be detected and logged for auditing with the im_fim module. See File Integrity Monitoring.

Example 170. Monitoring File Integrity

This example monitors files in the /etc and /srv directories, generating events when files are modified or deleted. Files ending in .bak are excluded from the watch list.

nxlog.conf

<Input fim>
    Module          im_fim
    File            "/etc/*"
    File            "/srv/*"
    Exclude         "*.bak"
    Digest          sha1
    ScanInterval    3600
    Recursive       TRUE
</Input>

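The scan-and-compare cycle that the im_fim configuration above sets up (hash every watched file, rescan after ScanInterval, report what changed or disappeared, skip Exclude patterns), modelled in Python as an added illustration rather than NXLog's own code. The function names, the event kinds and the files created in a temporary directory are all constructed for this example.

```python
import fnmatch
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical model of the im_fim cycle (added illustration, not NXLog's code):
# File roots, Exclude patterns, Digest and Recursive map to the keyword arguments.
def scan(roots, exclude=("*.bak",), digest="sha1", recursive=True):
    """Return {path: hexdigest} for every regular file under the watched roots."""
    snapshot = {}
    for root in roots:
        for dirpath, dirs, names in os.walk(root):
            if not recursive:
                dirs.clear()  # stop os.walk from descending into subdirectories
            for name in names:
                path = os.path.join(dirpath, name)
                if any(fnmatch.fnmatch(name, p) for p in exclude) or not os.path.isfile(path):
                    continue
                h = hashlib.new(digest)
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                snapshot[path] = h.hexdigest()
    return snapshot

def diff(before, after):
    """Compare two snapshots; the event kinds here are hypothetical, not im_fim's field values."""
    events = []
    for path in sorted(set(before) | set(after)):
        if path not in after:
            events.append(("deleted", path))
        elif path not in before:
            events.append(("created", path))
        elif before[path] != after[path]:
            events.append(("changed", path))
    return events

def demo():
    # Constructed run in a temp dir: modify one file, delete one, touch only a .bak
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:*:0:0:Charlie &:/root:/bin/ksh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = scan([str(etc)])  # ScanInterval elapses between the two scans
        (etc / "passwd").write_text("root:*:0:0:Charlie &:/root:/bin/ksh\nlog:*:1000:1000::/home/log:/bin/ksh\n")
        (etc / "hosts").unlink()
        (etc / "hosts.bak").write_text("created, but excluded from the watch list\n")
        events = diff(baseline, scan([str(etc)]))
        return len(baseline), [(kind, os.path.relpath(path, tmp)) for kind, path in events]
```

Running demo() returns the baseline file count and the events from the second scan; the .bak file never appears because it matches the Exclude pattern.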
Kernel

Logs from the kernel can be collected directly with the im_kernel module. See Linux System Logs.

Note
The system logger may need to be disabled or reconfigured to collect logs with im_kernel. To completely disable syslogd on OpenBSD, run rcctl stop syslogd and rcctl disable syslogd.
Example 171. Collecting Kernel Logs

This configuration reads events from the kernel.

nxlog.conf

<Input kernel>
    Module  im_kernel
</Input>

Local Syslog

Messages written to /dev/log can be collected with the im_uds module. Events written to file in Syslog format can be collected with im_file. In both cases, the xm_syslog module can be used to parse the events. See the Linux System Logs and Collecting and Parsing Syslog sections for more information.

Example 172. Reading Syslog Messages From File

This example reads Syslog messages from /var/log/messages and parses them with the parse_syslog() procedure.

nxlog.conf

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_file
    File    "/var/log/messages"
    Exec    parse_syslog();
</Input>

Log Files

The im_file module can be used to collect events from log files.

Example 173. Reading From Log Files

This configuration reads messages from the /opt/test/input.log file. No parsing is performed; each line is available in the $raw_event field.

nxlog.conf

<Input in>
    Module  im_file
    File    "/opt/test/input.log"
</Input>

Process Accounting

The im_acct module can be used to gather details about who runs what processes.

Example 174. Reading Process Accounting Logs

This configuration turns on process accounting (using /var/account/acct as the log file) and watches for messages.

nxlog.conf

<Input acct>
    Module  im_acct
    AcctOn  TRUE
    File    "/var/account/acct"
</Input>