Hi Guys,

Just want to ask regarding syslog server, i'ved setup a RHEL4 as a syslog server, and i follow their tutorial on how to accept syslogs from remote, setting SYSLOGD_OPTIONS="-m 0 -r" but for some reasons, i could not manage to make the syslog service to listen on port 514.

Here what i did, I set the value -r on /etc/sysconfig/syslog (see info below)

# THIS FILE IS LOCATED ON /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r -x"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

After restarting the service by typing service syslog restart, i issue a command netstat -ntlp, i couldn't find any port 514 for syslog. Pls help me guys...

[root@localhost ~]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8100 0.0.0.0:* LISTEN 3169/python
tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN 2904/snmpd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 3056/mysqld
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2798/portmap
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 3173/python
tcp 0 0 0.0.0.0:8081 0.0.0.0:* LISTEN 3178/python
tcp 0 0 :::22 :::* LISTEN 2955/sshd



gurl4sh25

firstly, not a networkig question. moved to Linux - Server.

secondly. drop syslogd. use syslog-ng instead, MUCH MUCH better for this. also, splunk is even cooler still...

Ok, sorry for the wrong forum, so is there any step by step tutorial on how to install syslog-ng? and where can i down load this installer for redhat? many thanks

well plenty of standard documents exist for it, just google. as for a download, google for "syslog-ng el4 rpm" and you're bound to get lucky. probably want the 2.0.3 version out a few weeks ago, but i've not seen rpm's for it yet.

ok, just finish installing it, so how do i make it to accept syslogs? is there any good tutorial for setting up a centralized syslog-ng?

i end u pusing gentoo guides as they're quite well written and generic, but you can find many many guides online to suit your needs. balabit.com is the syslog-ng home for the ultimate reference.

ok thanks acid_kewpie, but right now i'ved been encountering errors when i do some modification on syslog-ng.conf, i add this line

source local {
unix-stream("/dev/log");
udp();
tcp(ip(0.0.0.0) port(514) max-connections(300));
internal();
};

and when i start the syslog-ng using the command service syslog-ng start, i get an error of...

[root@localhost syslog-ng]# service syslog-ng start
Starting system logger: io.c: bind_inet_socket() bind failed 0.0.0.0:514 Permission denied
Error initializing configuration, exiting.
[FAILED]

but when i remove the line "tcp(ip(0.0.0.0) port(514) max-connections(300));" everything runs smoothly, what i'm trying to do is to run it or listen it on port 514, so that it can accept syslog messages.

Please help..

wll that's for a source called "local" and in it you're looking to recieve network conenctions from other hosts? not particuarly local is it? ;-) add a seperate log source, e.g. "net" to receive these. you'll most likely want to keep seperate local machine logs from logs being sent to you from other sites, as they are often relating to different things...

that's not the actual problem though. it's probably that syslogd is already running (you will need to uninstall the rpm package for it - rpm -e sysklogd - and restart the service. also check output of "lsof -i UDP:514" to see if anything is currently hooked onto that port (or TCP:514 of course...)

i'ved already uninstalled sysklogd, and have verified that there's no syslog running on the background, i'ved tried to change the line

tcp(ip(0.0.0.0) port(514) max-connections(300));

to

udp(ip(0.0.0.0) port(514) max-connections(300));

and everything seems right and running, but when i change back to tcp, i'ved encountered an error

[root@localhost etc]# service syslog-ng start
Starting system logger: Error binding socket; addr='AF_INET(0.0.0.0:514)', error='Permission denied (13)'
Error initializing source driver; source='s_sys'
[FAILED]

what i really wanted to do is to establish it on a tcp port. seem's a pretty tough one to resolve... =(

well remember firstly that udp is MUCH more common than tpc for syslog. tcp is getting more common, and it may well be you can live purely with tcp, but it's still officially "odd".

as for the problem then... try "tcp(port(514));" and also try port 5140 to see if an ephemeral port works better, shoudln't do though.