A basic question:

I'd like to set up a remote log server. I edited syslog.conf on the client as appropriate, changing default settings such as /var/log/messages to @LOGHOSTNAME. On the log server I edited /etc/sysconfig/syslog, changing SYSLOGD_OPTIONS="-m 0" to SYSLOGD_OPTIONS="-rm 0" which should allow the daemon to receive remote logs.

The log server is not receiving remote logs, and I noticed that port 514 is not open. Do I just need to open this port, and if so, how?

Thanks!

did you make sure to restart the syslogd daemon ? usually something like /etc/init.d/syslog stop then do a start.... not sure though without knowing what distro your using.

to open port 514 on the remote system, not sure what distro your using but like in slackware is what i use.. i would check the /etc/services file.. in which port 514 is used for syslog.
also make sure the system your sending the log to doesn't have any firewall rules setup, like ipchains for example.. if it does, you'll have to have port 514 open and allowed to pass thru..

Thanks Tricky!

You know I had tried those good suggestions, and was about to give up when the problem 'magically' went away. By the way, both boxes are RH 7.2.

Actually I think I must not have been taking actions on the log client that would generate a write to the server. Since port 514 was not open and I was sure that it had to be, I thought there must have been some other problem.

Thanks to snort, I learned that the logs are received on the non-well-known and randomly chosen ports, not 514. This is contrary to what I had read. It seems to work out better this way though, as you can have no services running on dedicated ports. Adding a few chains/tables rules on top of that, the log server becomes much harder to detect from scanning programs.

Ahhhh, it's always such a relief when something that should work, actually does.