Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I've configured syslogd to listen to remote hosts adding -r in the /etc/sysconfig/syslog.
SYSLOGD_OPTIONS="-r -m 0"
I then restarted the daemon and turned it on with chkconfig syslog on. When I type netstat -au I see:
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 *:syslog *.*
There is nothing under the heading State. Shouldn't this say LISTEN? I am logging to this server from a remote host and I think I've done everything, but I'm still only seeing local logs and nothing from the remote host.
I also went into /etc/services and added syslog 514/udp.
Is it my setup of syslogd or the fact the remote host isn't configured properly to send its logs to me?
If "netstat -an -A inet" doesn't show syslogd listening on local UDP/514, then does the remote host syslog.conf include a rule for logging to remote? You don't have the fw blocking stuff?
Can you test it by forcing a remote message/have netcat listening on the port instead?
I tried the "netstat -an -A inet" command and this is what it showed:
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:514 0.0.0.0:*
Nothing under the column State once again. I know with TCP the State says LISTEN when the port is listening... is this not the same with UDP? If the output of the netstat command is correct and in fact there should be nothing under the State column, then I will check the FW and the remote syslog.conf file. First though I need to make sure that my syslogd is listening.
It looks as though syslog messages are coming in (tested with tcpdump), however, it looks like they are getting dropped and aren't going into /var/log/messages. Any suggestions?
Like it says: "udp 0 0 0.0.0.0:514" means syslogd *is* listening on local UDP/514. Next to that, UDP is a *stateless* protocol.
Btw, last time I TS'ed someone's syslogd it was a default fw script blocking. AFAIK, libpcap stuff like Snort or tcpdump go *before* fw routing. If you can't tell from the logs, try to add a log rule to all rejects and denies and it'll show if fw is the culprit.
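The checks suggested in the replies above (confirm the UDP/514 bind from netstat output despite the empty State column, then force a test message at the server with netcat), as an added shell example that is not from any poster in the thread. The netstat column layout and the nc flags are assumptions; the sample netstat text is constructed.

```shell
#!/bin/sh
# Added example: decide whether syslogd has bound UDP/514 from
# "netstat -an -A inet" output, then send one test datagram with netcat.
# UDP sockets never show LISTEN; a bound local address is all there is to see.

# Constructed sample of "netstat -an -A inet" output (assumed column layout).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State
udp        0      0 0.0.0.0:514             0.0.0.0:*
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# udp_bound PORT [NETSTAT_TEXT]: succeed (exit 0) if any UDP socket is bound
# to PORT; without NETSTAT_TEXT the live netstat output is used.
udp_bound() {
    port="$1"
    text="${2:-$(netstat -an -A inet 2>/dev/null)}"
    printf '%s\n' "$text" | awk -v p="$port" '
        $1 == "udp" {
            n = split($4, a, ":")      # Local Address is field 4, port after last ":"
            if (a[n] == p) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# syslog_datagram FACILITY SEVERITY TAG MSG: build a BSD syslog (RFC 3164) line.
# PRI = facility*8 + severity, e.g. local0 (16) at info (6) gives <134>.
syslog_datagram() {
    pri=$(( $1 * 8 + $2 ))
    printf '<%d>%s %s %s: %s' "$pri" "$(date '+%b %e %H:%M:%S')" \
        "$(hostname)" "$3" "$4"
}

# send_test_message SERVER: push one datagram to SERVER:514 so the server side
# can be checked with tcpdump, the firewall log rule, or /var/log/messages.
send_test_message() {
    syslog_datagram 16 6 remotetest "syslog forwarding test from $(hostname)" \
        | nc -u -w1 "$1" 514
}
```

Run `udp_bound 514 && echo bound` on the syslog server, then `send_test_message <server>` from the remote host and grep the server's messages file for "remotetest".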