LinuxQuestions.org

Linux - Security forum, thread "is syslog listening?" (https://www.linuxquestions.org/questions/linux-security-4/is-syslog-listening-38802/)

cuss 12-18-2002 03:39 PM

is syslog listening?
 
Hi,

I've configured syslogd to listen to remote hosts by adding -r in /etc/sysconfig/syslog.

SYSLOGD_OPTIONS="-r -m 0"

I then restarted the daemon and turned it on with chkconfig syslog on. When I type netstat -au I see:

Proto Recv-Q Send-Q Local Address Foreign Address State

udp 0 0 *:syslog *.*

There is nothing under the heading State. Shouldn't this say LISTEN? I am logging to this server from a remote host and I think I've done everything, but I'm still only seeing local logs and nothing from the remote host.

I also went into /etc/services and added syslog 514/udp.

Is it my setup of syslogd or the fact the remote host isn't configured properly to send its logs to me?

Thanks.

unSpawn 12-18-2002 04:52 PM

If "netstat -an -A inet" doesn't show syslogd listening on local UDP/514, then does the remote host syslog.conf include a rule for logging to remote? You don't have the fw blocking stuff?
Can you test it by forcing a remote message/have netcat listening on the port instead?
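Added example (not part of the thread, and not the poster's or unSpawn's code): a small shell script that does the two things suggested in the reply above. It builds a well-formed BSD syslog (RFC 3164) datagram and fires it at the collector with netcat, so the server side can be exercised without depending on the remote host's syslog.conf, and it gives the netcat listener that can stand in for syslogd on UDP/514. The collector address 192.168.1.10, the tag "remotetest" and the message text are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: LOGHOST is the collecting
# server; the tag and text are arbitrary. Run send_test_msg on the remote host.

LOGHOST="${LOGHOST:-192.168.1.10}"   # assumed address of the collecting server
SYSLOG_PORT=514

# syslog_pri FACILITY SEVERITY -> PRI value, i.e. facility * 8 + severity.
syslog_pri() {
    case "$1" in
        kern) f=0 ;;    user) f=1 ;;    mail) f=2 ;;    daemon) f=3 ;;
        auth) f=4 ;;    syslog) f=5 ;;  cron) f=9 ;;    authpriv) f=10 ;;
        local0) f=16 ;; local1) f=17 ;; local2) f=18 ;; local3) f=19 ;;
        local4) f=20 ;; local5) f=21 ;; local6) f=22 ;; local7) f=23 ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
    case "$2" in
        emerg) s=0 ;;   alert) s=1 ;;   crit) s=2 ;;    err) s=3 ;;
        warning) s=4 ;; notice) s=5 ;;  info) s=6 ;;    debug) s=7 ;;
        *) echo "unknown severity: $2" >&2; return 1 ;;
    esac
    echo $((f * 8 + s))
}

# syslog_msg FACILITY SEVERITY TAG TEXT
# -> "<PRI>Mmm dd hh:mm:ss hostname tag: text", the wire format syslogd expects.
#    syslogd strips the <PRI> part and writes the rest to /var/log/messages.
syslog_msg() {
    pri=$(syslog_pri "$1" "$2") || return 1
    printf '<%s>%s %s %s: %s' "$pri" "$(date '+%b %e %T')" \
        "$(hostname 2>/dev/null || uname -n)" "$3" "$4"
}

# send_test_msg: one UDP datagram to $LOGHOST:514 (-u UDP, -w1 give up after 1s).
# On the collector, `tcpdump -n udp port 514` should show it arriving, and
# `tail /var/log/messages` should show "remotetest: ..." if syslogd accepted it.
send_test_msg() {
    syslog_msg local0 info remotetest "remote syslog test $(date +%s)" \
        | nc -u -w1 "$LOGHOST" "$SYSLOG_PORT"
}

# listen_instead_of_syslogd: stop syslogd first (only one process can own
# UDP/514), then let netcat print whatever arrives. Traditional netcat wants
# `-l -p 514`; OpenBSD netcat wants `-l 514`, hence the fallback.
listen_instead_of_syslogd() {
    nc -u -l -p "$SYSLOG_PORT" 2>/dev/null || nc -u -l "$SYSLOG_PORT"
}
```

If the datagram from send_test_msg shows up in netcat but the remote host's normal traffic does not, the problem is on the remote side: its /etc/syslog.conf needs a forwarding rule such as `*.*   @192.168.1.10` (the tab between selector and action matters on old syslogd) and its syslogd must be restarted or sent SIGHUP afterwards. If the datagram reaches tcpdump on the collector but never reaches netcat, a local packet filter is the likely culprit.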

cuss 12-19-2002 08:13 AM

I tried the "netstat -an -A inet" command and this is what it showed:

Proto Recv-Q Send-Q Local Address Foreign Address State

udp 0 0 0.0.0.0:514 0.0.0.0:*
Nothing under the column State once again. I know with TCP the State says LISTEN when the port is listening... is this not the same with UDP? If the output of the netstat command is correct and in fact there should be nothing under the State column, then I will check the FW and the remote syslog.conf file. First, though, I need to make sure that my syslogd is listening.

cuss 12-19-2002 09:33 AM

It looks as though syslog messages are coming in (tested with tcpdump); however, it looks like they are getting dropped and aren't going into /var/log/messages. Any suggestions?

unSpawn 12-19-2002 11:47 AM

Like it says: "udp 0 0 0.0.0.0:514" means syslogd *is* listening on local UDP/514. Next to that, UDP is a *stateless* protocol.
Btw, last time I TS'ed someone's syslogd it was a default fw script blocking. AFAIK, libpcap stuff like Snort or tcpdump go *before* fw routing. If you can't tell from the logs, try to add a log rule to all rejects and denies and it'll show if fw is the culprit.
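Added example (not part of the thread, and not unSpawn's or the poster's code) covering the two points in the reply above. First, a check that decides from `netstat -an -A inet` or `ss -lun` output whether a socket is bound to UDP/514 at all, since UDP rows never carry a LISTEN state and grepping for LISTEN will always come up empty. Second, the firewall rules the reply describes: accept syslog only from the known remote host, then LOG before the final DROP so that a blocked datagram leaves a trace. The remote host address 192.168.1.20, the log prefix and the use of the INPUT chain are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: the remote host address
# passed to fw_rules, the "SYSLOG-DROP: " prefix, and appending to INPUT.

# udp_bound PORT [NAME]: read `netstat -an -A inet` or `ss -lun` output on
# stdin; succeed if a UDP socket is bound to PORT, or to service NAME (what
# `netstat -au` prints without -n, e.g. "*:syslog"). Both tools put the local
# address in column 4; netstat labels UDP rows "udp"/"udp6", ss labels them
# "UNCONN". No State column is consulted because UDP has none.
udp_bound() {
    awk -v port="$1" -v name="${2:-}" '
        $1 == "udp" || $1 == "udp6" || $1 == "UNCONN" {
            n = split($4, a, ":")          # "0.0.0.0:514", "*:syslog", "[::]:514"
            if (a[n] == port || (name != "" && a[n] == name)) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_syslog_udp: the live version of the check for this thread's question.
# Prefers ss (iproute2) and falls back to netstat on older systems.
check_syslog_udp() {
    { ss -lun 2>/dev/null || netstat -an -A inet; } | udp_bound 514 syslog
}

# fw_rules REMOTE_HOST: print iptables rules for the collector's INPUT chain.
# Order matters: ACCEPT for the known sender first, then a LOG rule that tags
# anything else aimed at UDP/514, then the DROP. If an existing firewall script
# already drops earlier in the chain, use `-I INPUT 1` instead of `-A INPUT`.
# Review the output, then run it as root:   fw_rules 192.168.1.20 | sh
fw_rules() {
    remote="$1"
    cat <<EOF
iptables -A INPUT -p udp --dport 514 -s $remote -j ACCEPT
iptables -A INPUT -p udp --dport 514 -j LOG --log-prefix "SYSLOG-DROP: " --log-level 4
iptables -A INPUT -p udp --dport 514 -j DROP
EOF
}
```

tcpdump (libpcap) captures a packet off the interface before netfilter's INPUT chain evaluates it, so "I see it in tcpdump" only proves the datagram reached the box, not that syslogd received it. Once the LOG rule is in, a blocked datagram shows up in the kernel log (`dmesg`, or /var/log/messages via syslogd's kern facility) with the SYSLOG-DROP prefix, and `iptables -L INPUT -v -n` shows its packet counters climbing on the LOG and DROP rules rather than on the ACCEPT.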

