[SOLVED] trouble with remote logging using syslog-ng
I ran the command at the client. From the output of the command below it looks like messages are leaving the client?
Code:
# tcpdump -vn port 514 -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:17:22.644226 IP (tos 0x0, ttl 64, id 12474, offset 0, flags [DF], proto UDP (17), length 127)
SyslogClient's_IP.33079 > SyslogServer's_IP.514: SYSLOG, length: 99
Facility kernel (0), Severity info (6)
Msg: Oct 7 15:17:22 syslogclient kernel: [13274.558125] device eth0 entered promiscuous mode\0x0a
I already have a router sending its syslog to the server, and the router's logs are arriving fine. Running the above command on the server shows the log lines from the router.
I redirected tcpdump's output to a file, did some grep-ing, turns out the client is sending the log lines to the server. However log lines are not being written to file.
I believe this is the line responsible for writing to file:
Looks fine offhand. Run the server in foreground mode and see what it says.
Looking at the manpage, "syslog-ng -Fedv" looks like the chap, but some of those options might clash. I'd also add any command line parameters already in use, so run "ps -ef | grep syslog-ng" to see how it's currently being run and modify accordingly. Stop the service first, of course.
I ran "ps -ef | grep syslog-ng"; syslog-ng is running without any arguments.
I ran syslog-ng -Fedv > ~/test.txt 2>&1 ... then logged into the syslog client via ssh, just to generate some logs. tcpdump would have captured logs being generated in such cases, as it did earlier in the day. However, nothing shows up in the output of syslog-ng being run in the foreground.
Is it possible that syslog-ng may be dropping logs without processing them... or is it that I am too tired?
Do let me know what you think... if there's something else I should try.
No, it'd be logging the fact that it's received them from somewhere, even if it does drop them on the floor. If you're successfully logging from the router already though, you should be able to see those logs in the debug trail. So if those router logs aren't visible in the debug either, something is going wrong in the debug commands themselves.
Hi all,
Sorry I haven't been able to post back. Been caught up with other work.
Haven't been able to give time to this problem.
I have a doubt: the versions of syslog-ng running on the syslog server and the client are different, though only the minor numbers differ. It shouldn't make any difference, right?
@voleg: I will surely try out the configuration without the filter, but the same setup works for the Router. I am able to see the logs from the router being written properly to file. Any clue why it would be different in the case of a Linux machine?
It's not that it shouldn't make any difference, it's not allowed to make a difference. They are talking syslog, a standard protocol; they aren't allowed to have anything software / version specific anywhere in the interaction, otherwise it wouldn't be standard syslog traffic anymore.
When logging from Linux servers, syslog uses the machine's hostname and not the IP address as in the case of devices such as routers. Replacing the IP address of the server with its hostname fixed the issue.
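The resolution above comes down to what sits in the HOSTNAME field of each datagram. The following is an added example, not code from the thread: it parses BSD-style (RFC 3164) syslog lines modelled on the tcpdump capture earlier in the thread and applies a simplified host filter, showing that a filter keyed on the sender's IP matches a router that stamps its IP into that field but not a Linux client that stamps its hostname. The IP addresses are constructed placeholders, and the filter ignores syslog-ng's keep_hostname()/use_dns() rewriting for clarity.

```python
"""Added example (not from the thread): why a host filter keyed on an IP
matches a router's syslog but not a Linux client's."""
import re

# <PRI>TIMESTAMP HOSTNAME TAG: MSG  (RFC 3164 BSD syslog, as seen on UDP/514)
_BSD_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_bsd_syslog(line):
    """Split a BSD syslog line into facility, severity, timestamp, host, msg."""
    m = _BSD_SYSLOG.match(line)
    if not m:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m["ts"],
        "host": m["host"],
        "msg": m["msg"].rstrip("\n"),
    }


def host_filter(record, wanted):
    """Simplified model of a syslog-ng host() filter: it compares the
    HOSTNAME field of the message, not the UDP sender address. Real
    syslog-ng may rewrite that field depending on keep_hostname()/use_dns()."""
    return record is not None and record["host"] == wanted


# Constructed datagrams modelled on the thread's capture (placeholder IPs).
CLIENT_IP = "192.0.2.10"
ROUTER_IP = "192.0.2.1"
LINUX_LINE = ("<6>Oct  7 15:17:22 syslogclient kernel: "
              "[13274.558125] device eth0 entered promiscuous mode\n")
ROUTER_LINE = "<190>Oct  7 15:18:01 192.0.2.1 router: link state change on port 3"


def which_filters_match():
    """Return which filter keys match each sender; the IP key misses Linux."""
    linux, router = parse_bsd_syslog(LINUX_LINE), parse_bsd_syslog(ROUTER_LINE)
    return {
        "router_by_ip": host_filter(router, ROUTER_IP),
        "linux_by_ip": host_filter(linux, CLIENT_IP),
        "linux_by_hostname": host_filter(linux, "syslogclient"),
    }
```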