Running syslog-ng in BastilleBSD

Bastille, the lightweight jail (container) management system for FreeBSD, was already covered here. Recently, they released Bastille 1.0 and BastilleBSD, a hardened FreeBSD variant that comes with Bastille pre-installed.

What is Bastille?

Bastille is a lightweight jail management system for FreeBSD. Linux users might know jails as containers. FreeBSD jails arrived many years earlier. Just like on Linux, jails were originally not that easy to use. Bastille provides an easy-to-use shell script to work with FreeBSD jails, slightly similar to Podman (I will compare Bastille to Podman, as unlike Docker, Bastille does not have a continuously running daemon component). I wish it had already been available when I was managing tens of thousands of FreeBSD jails two decades ago :-)

You can learn more about Bastille from the documentation at https://bastille.readthedocs.io/en/latest/

What is BastilleBSD?

BastilleBSD is a variant of FreeBSD by the creators of Bastille. The installation process looks pretty similar to the original FreeBSD installer, however it comes with security hardening enabled by default:

BastilleBSD security hardening screen

It also installs Bastille out of the box and configures the firewall, among other things, during installation. You can learn more about it and download it at https://bastillebsd.org/platform/

Installing syslog-ng on BastilleBSD

I must admit that here I followed instructions from my blog four years ago: https://www.syslog-ng.com/community/b/blog/posts/running-syslog-ng-in-bastille-revisited However, this time I had to do a lot less setup, as everything was prepared during installation. All I had to do was create the actual jail using Bastille.

As the 14.3 FreeBSD release is already pre-loaded, there is no need for the bootstrapping steps from the previous blog. The pf firewall is also configured and ready to use. As a first step, we create the jail. We use the name alcatraz, the 14.3 FreeBSD release and a random IP address (AFAIR this was in the Bastille documentation, but it could be anything unique and private).

bastille create alcatraz 14.3-RELEASE 10.17.89.50

Next, we bootstrap (that is, check out using Git) the syslog-ng template. Bastille templates are similar to Dockerfiles from a distance. They describe what packages to install and how to configure them. There are many other templates, but here we use the one for syslog-ng.

bastille bootstrap https://gitlab.com/BastilleBSD-Templates/syslog-ng

We can now apply the template to the FreeBSD jail, meaning that Bastille will run the instructions within the template:

bastille template alcatraz BastilleBSD-Templates/syslog-ng

At the end of the process, syslog-ng is started within the jail. As the BastilleBSD template was created four years ago, it still has a version 3.30 syslog-ng configuration. It prints a warning on the terminal:

[2025-07-30T10:21:08.374200] WARNING: Configuration file format is too old, syslog-ng is running in compatibility mode. Please update it to use the syslog-ng 4.8 format at your time of convenience. To upgrade the configuration, please review the warnings about incompatible changes printed by syslog-ng, and once completed change the @version header at the top of the configuration file; config-version='3.30'

The configuration in the template has several modifications compared to the regular FreeBSD syslog-ng configuration. It adds a TCP source on port 514 and disables a few lines in the configuration that would otherwise try to print important logs to the console. The default configuration does not use any new features, so if you are OK with a warning message, you can leave it as-is. But it is easy to fix the config. Just open a shell within the jail:

bastille console alcatraz

And edit the syslog-ng configuration:

vi /usr/local/etc/syslog-ng.conf

Replace the version number in the @version header with the actual syslog-ng version. At the time of writing this blog, it is 4.8. Restart syslog-ng for the configuration to take effect:

service syslog-ng restart

Exit from the jail and configure the firewall so outside hosts can also log to your syslog-ng server. The redirect forwards TCP port 514 on the host to port 514 in the jail:

bastille rdr alcatraz tcp 514 514

Testing

First, do a local check that logging works. Open a shell within the jail, and follow the /var/log/messages file:

bastille ~ # bastille console alcatraz

[alcatraz]:
root@alcatraz:~ # cd /var/log/
root@alcatraz:/var/log # tail -f messages
Jul 30 10:21:06 alcatraz pkg[68431]: py311-packaging-25.0 installed
Jul 30 10:21:07 alcatraz pkg[68431]: glib-2.84.1_2,2 installed
Jul 30 10:21:07 alcatraz pkg[68431]: zstd-1.5.7 installed
Jul 30 10:21:07 alcatraz pkg[68431]: curl-8.14.1 installed
Jul 30 10:21:07 alcatraz pkg[68431]: syslog-ng-4.8.2_3 installed
Jul 30 10:21:08 alcatraz syslogd: exiting on signal 15
Jul 30 10:21:08 alcatraz syslog-ng[32431]: syslog-ng starting up; version='4.8.2'
Jul 30 11:04:14 alcatraz syslog-ng[32431]: syslog-ng shutting down; version='4.8.2'
Jul 30 11:04:14 alcatraz syslog-ng[65729]: syslog-ng starting up; version='4.8.2'

In another terminal, open a second session within the jail, and send a test message:

logger bla

You should see a similar message in the terminal window where you follow /var/log/messages:

Jul 30 11:04:17 alcatraz root[68398]: bla

Now try to send a log message from a remote host. Parameter names of logger might be different (this one is from openSUSE):

logger -n 172.16.167.141 -P 514 -T --rfc3164 bla bla

You should see messages similar to this in your log:

Jul 30 11:38:50 alcatraz syslog-ng[65729]: Syslog connection accepted; fd='23', client='AF_INET(172.16.167.1:46548)', local='AF_INET(0.0.0.0:514)'
Jul 30 11:38:50 172.16.167.1 czanik: bla bla
Jul 30 11:38:50 alcatraz syslog-ng[65729]: Syslog connection closed; fd='23', client='AF_INET(172.16.167.1:46548)', local='AF_INET(0.0.0.0:514)'

What is next?

This blog is just scratching the surface. In a production environment, you most likely want to build your own configuration, with encrypted connections and remote logs saved separately from local logs. Data is now stored within the jail, but you will most likely want to store it in a separate directory. And so on.
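As an added illustration (not the template's own file), here is a minimal syslog-ng 4.8 configuration that covers the points above in one place: the updated @version header, the TCP source on port 514 that the template adds, remote logs stored separately from local ones, and an optional TLS source for the encrypted connections mentioned as a next step. The block names and the certificate paths are assumptions for this example.

```conf
@version: 4.8
@include "scl.conf"

# Local sources: FreeBSD's /var/run/log sockets and the kernel log via
# system(), plus syslog-ng's own internal() messages.
source s_local {
    system();
    internal();
};

# Plain TCP on port 514, as added by the template (block names here are
# assumptions; the template's own names may differ).
source s_remote_tcp {
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Optional TLS source on 6514 for the "encrypted connections" step.
# Key, certificate and CA directory paths are assumptions for this example.
source s_remote_tls {
    network(ip("0.0.0.0") port(6514) transport("tls")
        tls(key-file("/usr/local/etc/syslog-ng/key.d/server.key")
            cert-file("/usr/local/etc/syslog-ng/cert.d/server.crt")
            ca-dir("/usr/local/etc/syslog-ng/ca.d")
            peer-verify(required-trusted))
    );
};

# Local logs stay where FreeBSD expects them.
destination d_local { file("/var/log/messages"); };

# Remote logs go to a separate per-host, per-day file, so a chatty or
# misbehaving client cannot drown out the jail's own messages. With the
# default keep-hostname(no), ${HOST} is derived from the connecting
# address rather than from a hostname chosen by the client.
destination d_remote {
    file("/var/log/remote/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
        create-dirs(yes) dir-perm(0750) perm(0640));
};

log { source(s_local); destination(d_local); };
log { source(s_remote_tcp); source(s_remote_tls); destination(d_remote); };
```

Run `syslog-ng -s` inside the jail to syntax-check the file before the service restart.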

-

If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.
