LinuxQuestions.org

Linux - Software: Problem with Remote Syslog Server Operation (https://www.linuxquestions.org/questions/linux-software-2/problem-with-remote-syslog-server-operation-632477/)

kaplan71 04-02-2008 10:34 AM

Problem with Remote Syslog Server Operation
 
Hi there --

I am going through the motions of setting up a remote syslog server using syslog-ng with the logcheck application. The destination system for the log files is running the Debian 4.0 distribution. The configuration has e-mails sent out to the system administrator.

I modified the syslog-ng.conf file on the remote syslog server with the following entries:

Code:

# Directives used by Logcheck
        create_dirs(yes);
        long_hostnames(off);
        keep_hostname(yes);
...
use_dns(yes);
...
source s_udp {
        udp ( ip(<ip address>) ); # server name
};
...
# Directive used with Logcheck
destination df_udp {
        file ("/var/log/$HOST/$FACILITY");
};
...
# Directive used with Logcheck
log {
        source(s_udp);
        destination(df_udp);
};

I then went to the host that is sending its log files to the remote syslog server, and modified its syslog.conf file with the following:

Code:

# Allow connection to the syslog server
*.*                                                    @<syslog server ip address>

I restarted the syslog daemon on the host, and also manually ran the appropriate cron job on the syslog server. However, there are entries concerning only the syslog server, and there are none for the other host appearing in the e-mail that is sent out.


I need to have the e-mail(s) that are sent out containing the information for the host in question as well as the syslog server. What other configuration steps do I need to take in order to correct this?

acid_kewpie 04-02-2008 10:58 AM

ok, pick a good demarcation point... are logs hitting the server at all? run "tcpdump -vn port 514" on the server and do something to generate log data on the client. Divide and conquer!

kaplan71 04-02-2008 12:17 PM

Hi there --

Thanks for your reply. Per your request, I ran the tcpdump -vn port 514 command on the syslog server, and then did an ssh connection to the remote host from a third-party machine. The connection to the remote host did appear on-screen on the syslog server. Here is the filtered output in question:

Quote:

<username>@syslogserver:/var/log$ sudo /usr/sbin/tcpdump -vn port 514

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:08:48.559841 IP (tos 0x0, ttl 64, id 14, offset 0, flags [DF], proto: UDP (17), length: 82) <remote host>.514 > <syslog server>.514: SYSLOG, length: 54

Facility auth (4), Severity info (6)
Msg: sshd(pam_unix)[1167]: session closed for user <username>\012
13:10:43.620120 IP (tos 0x0, ttl 64, id 15, offset 0, flags [DF], proto: UDP (17), length: 93) <remote host>.514 > <syslog server>: SYSLOG, length: 65

The log messages from the remote host do appear to be reaching the syslog server.

acid_kewpie 04-02-2008 01:41 PM

ok, that's half the hassle ruled out then. i thought you needed to specify the port too within syslog-ng.conf but if you run "netstat -panu" to see what's listening on what udp port, that'll cover most of the doubts i'd have.

kaplan71 04-02-2008 01:49 PM

Hi there --

Here are the results of the netstat -panu command on the syslog server:

Quote:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 0.0.0.0:32770 0.0.0.0:* -
udp 0 0 0.0.0.0:32771 0.0.0.0:* 3271/rpc.statd
udp 0 0 0.0.0.0:903 0.0.0.0:* 3271/rpc.statd
udp 0 0 132.183.12.123:137 0.0.0.0:* 3179/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 3179/nmbd
udp 0 0 132.183.12.123:138 0.0.0.0:* 3179/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 3179/nmbd
udp 0 0 0.0.0.0:10000 0.0.0.0:* 3577/perl
udp 0 0 0.0.0.0:789 0.0.0.0:* 3157/rpc.mountd
udp 0 0 0.0.0.0:68 0.0.0.0:* 3254/dhclient
udp 0 0 0.0.0.0:111 0.0.0.0:* 2488/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 2954/cupsd

Here are the results from the same command on the remote host:

Quote:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:32768 0.0.0.0:* 2075/rpc.statd
udp 0 0 127.0.0.1:32769 127.0.0.1:32769 ESTABLISHED 2532/postmaster
udp 0 0 0.0.0.0:514 0.0.0.0:* 420/syslogd
udp 0 0 0.0.0.0:10000 0.0.0.0:* 18739/perl
udp 0 0 0.0.0.0:979 0.0.0.0:* 2075/rpc.statd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2293/mDNSResponder
udp 0 0 0.0.0.0:111 0.0.0.0:* 2057/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 23159/cupsd
udp 0 0 132.183.12.167:123 0.0.0.0:* 2375/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 2375/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2375/ntpd
udp 0 0 :::123 :::* 2375/ntpd

The syslog-ng port, 514, does not appear in either of the servers' output. Is it dynamic?

acid_kewpie 04-02-2008 03:18 PM

dynamic? what do you mean by that? either way, no there's no service listening, so add the port in there too. i forget the exact syntax, it's a bit weird and nested if i recall.
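
As an added example (not code from any post in this thread), here is a small Python parser for the netstat -panu tables pasted above that answers acid_kewpie's question for udp/514 on each host. The embedded inputs are constructed excerpts of kaplan71's two tables; the server excerpt has no 514 row, while the remote host's lists 420/syslogd on it.

```python
"""Report what owns a UDP port in `netstat -panu` output.

Added example for this thread (not from any post): constructed excerpts of
the two tables kaplan71 pasted, checked for acid_kewpie's udp/514 question.
"""
import re
from typing import Dict, List, Optional

SERVER_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 132.183.12.123:137 0.0.0.0:* 3179/nmbd
udp 0 0 0.0.0.0:111 0.0.0.0:* 2488/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 2954/cupsd
"""
CLIENT_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:32768 0.0.0.0:* 2075/rpc.statd
udp 0 0 127.0.0.1:32769 127.0.0.1:32769 ESTABLISHED 2532/postmaster
udp 0 0 0.0.0.0:514 0.0.0.0:* 420/syslogd
udp 0 0 :::123 :::* 2375/ntpd
"""

# proto, recv-q, send-q, local addr:port, foreign addr, optional State, PID/program
ROW = re.compile(r"^(udp6?)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+)\s+(?:[A-Z_]+\s+)?(\S+)\s*$")


def udp_sockets(netstat_output: str) -> List[Dict[str, str]]:
    """One dict per udp row: local address, local port, owning PID/program."""
    sockets = []
    for line in netstat_output.splitlines():
        m = ROW.match(line)
        if m:  # the two header lines and non-udp rows do not match
            proto, addr, port, _foreign, program = m.groups()
            sockets.append({"proto": proto, "addr": addr, "port": port, "program": program})
    return sockets


def listener_on(netstat_output: str, port: int) -> Optional[str]:
    """PID/program holding UDP `port`, or None when nothing is bound to it."""
    for sock in udp_sockets(netstat_output):
        if sock["port"] == str(port):
            return sock["program"]
    return None


def collector_ready(server_output: str, port: int = 514) -> bool:
    """True only once the syslog server itself has the syslog port bound."""
    return listener_on(server_output, port) is not None
```

On the server table this returns no owner for 514, matching the conclusion that nothing is listening there yet.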

kaplan71 04-02-2008 03:57 PM

I did some checking, and there is some problem with the syslog-ng configuration. When I tried to manually start the daemon, the following output appeared on-screen:

Quote:

#:/etc/init.d/syslog-ng start
Starting system logging: syslog-ngError binding socket; addr='AF_INET(<remote host>:514)', error='Cannot assign requested address (99)'
Error initializing source driver; source='s_udp'
start failed.

Any ideas? Thanks.

acid_kewpie 04-02-2008 04:03 PM

so what does the src definition look like now? "udp(ip("0.0.0.0") port(514));" should work. But looking at your anonymized log there... what ip are you specifying? the remote client IP?? the ip you specify is the local server interface, or 0.0.0.0 to include all, generally eth0 AND lo.

kaplan71 04-02-2008 06:55 PM

Hi there --

I took your advice and changed the s_udp setting to read:

Code:

ip(0.0.0.0) port(514)

I was able to successfully activate the syslog-ng daemon. I'll keep an eye on it overnight, and let you know what happens. Thanks for the help.

kaplan71 04-03-2008 09:54 AM

Hi there --

The remote host is connecting to the syslog server, and there are several log files that are appearing in the appropriate directory. However, one log file, 'messages', is not being copied over to the syslog server. This is the file that I need to have brought over and subsequently e-mailed to the administrator.

The remote host uses syslog, and the entry that is in place on that system is the following:

Code:

# Allow connection to the syslog server
messages.*                                              @<ip address>

How can I get the messages file to be copied over to the syslog server? Thanks.

isthisyournacho 08-17-2011 10:10 AM

How did you do that?
 
Wait how did you "change the s_udp setting" ?

acid_kewpie 08-17-2011 10:15 AM

how?? he just changed the text in the file...? :confused:

btw, please don't drag up dead threads, it gets very confusing.

isthisyournacho 08-17-2011 10:20 AM

Ok... I'll make a new one. No idea what text file you mean.

acid_kewpie 08-17-2011 10:32 AM

erm, what?? I mean syslog-ng.conf. Is this a serious question?

isthisyournacho 08-17-2011 10:52 AM

I do not see the setting in syslog-ng.conf that I need - I searched the file for "udp" and "remote" but did not find what I need.

Could you please answer with a little less malice? If not, don't bother. Thanks. I am new to syslog.

