OpenVPN Server Logs via Syslog to Logsign

Overview

This guide explains how to configure OpenVPN Access Server logs to be sent via Syslog and onboard them into Logsign.

Depending on the deployment type, OpenVPN Access Server logs can be:

  • written to the local syslog daemon
  • redirected to an external syslog server
  • forwarded through Docker syslog logging options

After the logs are sent to the Logsign collector, the source can be added from the Logsign interface.

Prerequisites

Before starting, make sure that:

  • OpenVPN Access Server is installed and running
  • You have administrative or root access to the server
  • The Logsign server is reachable from the OpenVPN environment
  • Any firewall between the sender and Logsign allows the syslog port (514 by default, UDP or TCP as chosen below)
  • You know the IP address of the system that will send syslog logs to Logsign

Option 1: Configure Access Server to log to the local syslog service

Use this option if OpenVPN Access Server will write logs to the server’s local syslog service first.

Step 1 > Connect to the Access Server

Connect to the Access Server console with root privileges.

Step 2 > Open the configuration file

nano /usr/local/openvpn_as/etc/as.conf

Step 3 > Enable syslog logging

Add the following line at the bottom of the file:

SYSLOG=1

The key is case-sensitive: write it exactly as SYSLOG=1, in uppercase, on its own line. If the file already contains a SYSLOG= line, change its value instead of adding a second one.

Step 4 > Save the file

Save the file and exit the editor.

Step 5 > Restart the Access Server service

systemctl restart openvpnas

At this stage, Access Server logs will be written to the local syslog daemon.
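The steps above append SYSLOG=1 blindly, which duplicates the key if as.conf already carries a SYSLOG=0 line. The following shell helper is an added example (it is not part of the OpenVPN or Logsign documentation): it sets the key idempotently, verifies the result, and only restarts the service when run with --apply on the Access Server itself. The as.conf path is the default install location and is overridable through the AS_CONF variable.

```shell
# Added example, not OpenVPN or Logsign code.
# Assumption: default Access Server install path; override with AS_CONF=...
AS_CONF="${AS_CONF:-/usr/local/openvpn_as/etc/as.conf}"

# enable_as_syslog FILE
#   Ensures FILE contains exactly one "SYSLOG=1" line. An existing SYSLOG=
#   line (e.g. SYSLOG=0) is replaced instead of duplicated, so the function
#   is safe to run repeatedly from configuration management.
enable_as_syslog() {
    f="$1"
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    if grep -q '^SYSLOG=' "$f"; then
        # Key already present: rewrite its value in place (key stays uppercase).
        sed -i 's/^SYSLOG=.*/SYSLOG=1/' "$f"
    else
        # Make sure the file ends with a newline before appending, otherwise
        # SYSLOG=1 would be glued onto the last existing line.
        [ -z "$(tail -c1 "$f")" ] || printf '\n' >> "$f"
        printf 'SYSLOG=1\n' >> "$f"
    fi
    # Verify: exactly one SYSLOG= line, and it reads SYSLOG=1.
    [ "$(grep -c '^SYSLOG=' "$f")" -eq 1 ] && grep -qx 'SYSLOG=1' "$f"
}

# as_syslog_enabled FILE -> exit status 0 when SYSLOG=1 is set
as_syslog_enabled() {
    grep -qx 'SYSLOG=1' "$1"
}

# Apply for real only when asked; a bare run is a dry run.
if [ "${1:-}" = "--apply" ]; then
    enable_as_syslog "$AS_CONF" && systemctl restart openvpnas
    # Confirm messages reach the local syslog daemon (journald or classic syslog).
    journalctl -t openvpnas -n 20 --no-pager 2>/dev/null || tail -n 20 /var/log/syslog
fi
```

Run it as root with --apply on the Access Server; the final journalctl or tail call is the check that Option 1 actually produced local syslog output before you move on to forwarding.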

Option 2: Redirect Access Server logs to an external syslog server

Use this option if you want the Access Server logs to be forwarded to an external syslog destination. Access Server still writes to the local syslog daemon first (Steps 1 to 5 are the same as Option 1); the daemon then forwards matching messages.

These steps use rsyslog on Linux as the example. Adjust the rule syntax and paths if your environment runs a different syslog service.

Step 1 > Connect to the Access Server

Connect to the Access Server console with root privileges.

Step 2 > Open the Access Server configuration file

nano /usr/local/openvpn_as/etc/as.conf

Step 3 > Enable syslog logging

Add the following line at the bottom of the file:

SYSLOG=1

Step 4 > Save the file

Save the file and exit.

Step 5 > Restart the Access Server service

systemctl restart openvpnas

Step 6 > Create a syslog rule file

nano /etc/rsyslog.d/openvpnas.conf

Step 7 > Add forwarding rule

For UDP forwarding:

if $programname == 'openvpnas' then @remote.syslog.server

For TCP forwarding:

if $programname == 'openvpnas' then @@remote.syslog.server

Replace remote.syslog.server with the hostname or IP address of the Logsign syslog listener or intermediate syslog relay. If the listener uses a port other than 514, append it after a colon. Note that @ (UDP) gives no delivery guarantee and @@ (plain TCP) is still unencrypted: VPN usernames and client addresses in these messages cross the network in clear text, so keep the path inside a trusted network or a tunnel.

Step 8 > Save the file

Save and exit.

Step 9 > Restart the syslog daemon

systemctl restart rsyslog


Option 3: Access Server in Docker > Forward logs to an external syslog server

If OpenVPN Access Server is running in Docker, syslog forwarding can be configured at Docker level.

Option 3A > Configure the syslog driver as the Docker daemon default

Step 1 > Open or create the Docker daemon configuration

nano /etc/docker/daemon.json

If the file already exists, merge the keys below into it rather than replacing it: a duplicate key or malformed JSON stops the Docker daemon from starting.

Step 2 > Add syslog configuration

For UDP:

{
 "log-driver": "syslog",
 "log-opts": {
   "syslog-address": "udp://1.2.3.4:514"
 }
}

For TCP:

{
 "log-driver": "syslog",
 "log-opts": {
   "syslog-address": "tcp://1.2.3.4:514"
 }
}

Replace:

  • 1.2.3.4 with the target syslog server IP or hostname
  • 514 with the relevant syslog port if different

Step 3 > Restart Docker

systemctl restart docker

Restarting the daemon also restarts running containers unless live-restore is enabled. The new default applies to every container on the host, but only to containers created after the restart; an existing Access Server container keeps its previous logging configuration until it is recreated (see Option 3B, Step 2).

Step 4 > Verify the logging driver

docker info | grep -i 'Logging Driver'

Expected output should indicate:

Logging Driver: syslog


Option 3B > Configure syslog driver via Docker container logs

Use this option if the syslog settings will be applied directly to the Access Server container.

Step 1 > Run the container with syslog options

Example command:

docker run -d \
 --name=openvpn-as \
 --device /dev/net/tun \
 --cap-add=MKNOD --cap-add=NET_ADMIN \
 -p 943:943 -p 443:443 -p 1194:1194/udp \
 -v <path_to_data>:/openvpn \
 --log-driver=syslog \
 --log-opt syslog-address=udp://1.2.3.4:514 \
 --restart=unless-stopped \
 openvpn/openvpn-as

For TCP, replace:

udp://1.2.3.4:514

with:

tcp://1.2.3.4:514

Step 2 > If the container already exists

Stop the container:

docker stop openvpn-as

Remove the container:

docker rm openvpn-as

Recreate it with the syslog options included. Removing the container does not delete the Access Server data, which lives in the directory mounted at /openvpn.

Step 3 > Verify container log configuration

docker inspect --format '{{ json .HostConfig.LogConfig }}' openvpn-as

The output is a small JSON object; "Type" should be "syslog" and "Config" should contain the syslog-address you set. If "Type" still reads json-file, the container was created before the logging options were applied.

Step 4 > Confirm log traffic

You may verify outgoing syslog traffic on the Docker host with:

tcpdump -eni any port 514


Logsign Source Configuration

After the logs are successfully sent to Logsign, add the source in Logsign with the following values:

Devices: SYSLOG

Vendor List: OpenVPN

Product: OpenVPN Server

IP: IP address of the log sender

Important Note About IP

The IP field in Logsign should match the actual sender of the syslog messages.

This may be:

  • the OpenVPN Access Server itself
  • the Linux server forwarding the logs
  • the Docker host
  • an intermediate syslog relay

Use the address of whichever host actually delivers the messages to Logsign, since that is the source IP the collector sees and matches against the source definition.


Source: https://openvpn.net/as-docs/tutorials/tutorial--syslog.html#tutorial--how-to-log-to-syslog
