Problem with Remote Syslog Server Operation
Hi there --
I am going through the motions of setting up a remote syslog server using syslog-ng with the logcheck application. The destination system for the log files is running the Debian 4.0 distribution. The configuration has e-mails sent out to the system administrator. I modified the syslog-ng.conf file on the remote syslog server with the following entries:
# Directives used by Logcheck
# Allow connection to the syslog server
I need to have the e-mail(s) that are sent out contain the information for the host in question as well as the syslog server. What other configuration steps do I need to take in order to correct this? |
ok, pick a good demarcation point... are logs hitting the server at all? run "tcpdump -vn port 514" on the server and do something to generate log data on the client. Divide and conquer!
|
Hi there --
Thanks for your reply. Per your request, I ran the tcpdump -vn port 514 command on the syslog server, and then did an ssh connection to the remote host from a third-party machine. The connection to the remote host did appear on-screen on the syslog server. Here is the filtered output in question:
|
ok, that's half the hassle ruled out then. i thought you needed to specify the port too within syslog-ng.conf, but if you run "netstat -panu" to see what's listening on what udp port, that'll cover most of the doubts i'd have.
|
Hi there --
Here are the results of the netstat -panu command on the syslog server:
|
dynamic? what do you mean by that? either way, no there's no service listening, so add the port in there too. i forget the exact syntax, it's a bit weird and nested if i recall.
|
I did some checking, and there is some problem with the syslog-ng configuration. When I tried to manually start the daemon, the following output appeared on-screen:
|
so what does the src definition look like now? "udp(ip("0.0.0.0") port(514));" should work. But looking at your anonymized log there... what ip are you specifying? the remote client IP?? the ip you specify is the local server interface, or 0.0.0.0 to include all, generally eth0 AND lo.
|
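As an added illustration of the source definition described in the reply above (example configuration written for this page, not posted by anyone in the thread), here is a minimal syslog-ng.conf for the receiving server. It binds the UDP listener the way the reply suggests and writes one "messages" file per sending host. The /var/log/remote path and the 192.0.2.0/24 client range are assumptions.

```conf
# Added example syslog-ng.conf fragment for the receiving server (not from the thread).
# The /var/log/remote path and the 192.0.2.0/24 client range are assumptions.

options {
    keep_hostname(yes);      # keep the hostname the client wrote into the message
    chain_hostnames(no);     # do not prepend the relay's own name to it
    use_dns(no);             # no reverse lookup per message; $HOST then falls back to the address
    create_dirs(yes);        # let file() create /var/log/remote/<host>/ on demand
};

# Listen on UDP 514 on every local interface. ip() names a LOCAL address to bind,
# never the client's address: a non-local address cannot be bound, so the daemon
# would refuse to start.
source s_udp {
    udp(ip("0.0.0.0") port(514));
};

# Everything a remote client sends ends up in one "messages" file per sending host.
destination d_remote {
    file("/var/log/remote/$HOST/messages" owner(root) group(adm) perm(0640));
};

# Only accept messages from the expected client network. Plain UDP syslog has no
# authentication, so anything else that can reach port 514 would be logged as well.
filter f_clients { netmask("192.0.2.0/24"); };

log { source(s_udp); filter(f_clients); destination(d_remote); };
```

Two checks are worth running after editing the file: "syslog-ng -s" parses the configuration without starting the daemon, and "netstat -panu | grep ':514 '" should then show syslog-ng bound to 0.0.0.0:514 once it is restarted. Note also that the file a message lands in is decided by the server's own destination and filter statements, not by the file name on the client; what the client forwards is decided by the selector in its syslog.conf line (for sysklogd, "*.*  @server" forwards everything). The netmask() filter only checks the source address of a UDP datagram, which is trivially spoofable, so restrict port 514 at the host firewall too, or use tcp() if the client supports it.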
Hi there --
I took your advice and changed the s_udp setting to read:
ip(0.0.0.0) port(514)
|
Hi there --
The remote host is connecting to the syslog server, and there are several log files that are appearing in the appropriate directory. However, one log file, 'messages', is not being copied over to the syslog server. This is the file that I need to have brought over and subsequently e-mailed to the administrator. The remote host uses syslog, and the entry that is in place on that system is the following:
# Allow connection to the syslog server
|
How did you do that?
Wait, how did you "change the s_udp setting"?
|
how?? he just changed the text in the file...? :confused:
btw, please don't drag up dead threads, it gets very confusing. |
Ok... I'll make a new one. No idea what text file you mean.
|
erm, what?? I mean syslog-ng.conf. Is this a serious question?
|
I do not see the setting in syslog-ng.conf that I need - I searched the file for "udp" and "remote" but did not find what I need.
Could you please answer with a little less malice? If not, don't bother. Thanks. I am new to syslog. |