OpenVPN Community Edition (Using SNMP and Syslog)

[macaujohn2000]

Dear all,

I am using OpenVPN Community Edition, I have PRTG and Syslog Server, how can I set OpenVPN logging to syslog server and SNMP to PRGT server?

Thanks!

[janjust]

For syslog logging, add

Code: Select all

syslog  [name]

to the server config ; SNMP is not built into OpenVPN, so you cannot configure anything there. Perhaps there are some snmp traps written by others that you might find useful.

[macaujohn2000]

Is this log /etc/openvpn/openvpn.log and /var/log/message? will merge together?

[janjust]

from reading the sources it looks that if you specify both

Code: Select all

log /etc/openvpn/openvpn.log
syslog openvpn

then openvpn will log output to both files. I did not test this, however.

[macaujohn2000]

As centos is to use rsyslog, how could I use? is it just add "rsyslog openvpn" in server.conf?

[janjust]

no just add

Code: Select all

syslog

(with an optional logging name) , as explained in the manual page. It does not matter if your OS uses syslog or rsyslog, this is an openvpn configuration option.

[macaujohn2000]

--daemon [progname]
Become a daemon after all initialization functions are completed. This option will cause all message and error output to be sent to the syslog file (such as /var/log/messages), except for the output of shell scripts and ifconfig commands, which will go to /dev/null unless otherwise redirected. The syslog redirection occurs immediately at the point that --daemon is parsed on the command line even though the daemonization point occurs later. If one of the --log options is present, it will supercede syslog redirection.
The optional progname parameter will cause OpenVPN to report its program name to the system logger as progname. This can be useful in linking OpenVPN messages in the syslog file with specific tunnels. When unspecified, progname defaults to "openvpn".

When OpenVPN is run with the --daemon option, it will try to delay daemonization until the majority of initialization functions which are capable of generating fatal errors are complete. This means that initialization scripts can test the return status of the openvpn command for a fairly reliable indication of whether the command has correctly initialized and entered the packet forwarding event loop.

In OpenVPN, the vast majority of errors which occur after initialization are non-fatal.

--syslog [progname]
Direct log output to system logger, but do not become a daemon. See --daemon directive above for description of progname parameter.

1. Is this means when i do not set 'log' or 'log-append', 'daemon openvpn' will make /var/log/messages that including all openvpn messages?
2. if i also sets 'syslog openvpn', it will no longer preserve any local messages in server? it only redirect to server?

[janjust]

1. Is this means when i do not set 'log' or 'log-append', 'daemon openvpn' will make /var/log/messages that including all openvpn messages?

yes

2. if i also sets 'syslog openvpn', it will no longer preserve any local messages in server? it only redirect to server?

if you use 'deamon' then you don't need to set 'syslog' anymore.

[macaujohn2000]

Why? because I want to keep local messages log and also redirect to syslog server, could you help to fix this problem?

[janjust]

that's a syslog setting - when you use 'syslog' or 'daemon' openvpn will send all output to the syslog daemon running on the local host; how that hosts stores messages locally and/or forwards them to a central host is a syslog/rsyslog setting and is outside the scope of this forum.