I am stumped. I have tried this with syslog and syslog-ng and can't get it working. No firewall involved, client and server are on the same subnet.

I am trying to send logs for local0 to a remote syslog server. The remote server is working because it is receiving logs from other devices fine. I don't even see packets heading that way in tcpdump. Can anyone think of anything that would block this? Here's my line in syslog.conf:
local0.*<tab><tab><tab>@10.98.1.120

Well what is using local0? If you use your same config but write to a local file instead of udp, does anything go into it?

Sorry, yes, I have data go to it. I even redirected all logs to go to the remote host instead of /var/log/messages, still no luck. Even tested with logger.

iptables then? Is this box on the local subnet? If so, is there an arp entry, or arps on the tcpdump?

Man 3 syslog -
LOG_LOCAL0 through LOG_LOCAL7 reserved for local use

Ya, I have an arp entry and iptables is disabled:

omajelut04 (10.98.1.120) at 00:12:3F:FF:63:CB [ether] on eth0


[root@omajelsflow01 snort]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

That's interesting. I use local0-7 as a destination for other servers without a problem. Either way, I redirected all other logs to the remote server without any luck:
*.info;mail.none;news.none;authpriv.none;cron.none @10.98.1.120

It's not interesting really... "local use" just means it's your own discretion, rather than standards like kernel and mail.

Can't think of anything else to check off hand right now... you can ping the remote machine too, right?

I'm a big fan of syslog-ng so would personally be looking to configure that again.

Ya, I like syslog-ng too. That's what I use on my central syslog server. This server in particular just won't forward to a remote host and can't figure it out. I might reboot three times to see what happens.

third time's the charm.

Really bafflinf me for sure. If it's not iptables, could it possibly be ebtables instead? I'd really doubt it if you're not already aware. Oh, what about SELinux maybe? anything in dmesg? messsages? secure? if you flush your arp table completely, and then send a test with logger, do you see the arp occur immediately then?

Ok, well, we have Ironview/INM running on that box. It opens up a syslog server (for some reason) on 514/udp. Even though the system syslog is not configured to "listen" on 514/udp, it must use that as it's source port for sending logs across the network. That's my guess anyways.

I can't configure syslog-ng to use a specific source port to send the messages for UDP. For TCP, I can specify localport. From this, it is using 514/udp to send the messages:
17:00:00.952697 IP 10.98.1.30.syslog > omajelut04.syslog: SYSLOG local0.info, length: 155

I just disabled the syslog server in INM and now life is good.