LinuxQuestions.org
Forum: Linux - Software
#1 kaplan71 (Member), 04-02-2008, 10:34 AM
Problem with Remote Syslog Server Operation


Hi there --

I am going through the motions of setting up a remote syslog server using syslog-ng with the logcheck application. The destination system for the log files is running the Debian 4.0 distribution. The configuration has e-mails sent out to the system administrator.

I modified the syslog-ng.conf file on the remote syslog server with the following entries:

Code:
# Directives used by Logcheck
        create_dirs(yes);
        long_hostnames(off);
        keep_hostname(yes);
...
use_dns(yes);
...
source s_udp {
                udp ( ip(<ip address>) ); # server name
        };
...
# Directive used with Logcheck
destination df_udp {
        file ("/var/log/$HOST/$FACILITY");
        };
...
# Directive used with Logcheck
log {
        source(s_udp);
        destination (df_udp);
};
I then went to the host that is sending its log files to the remote syslog server, and modified its syslog.conf file with the following:

Code:
# Allow connection to the syslog server
*.*                                                     @<syslog server ip address>
I restarted the syslog daemon on the host, and also manually ran the appropriate cron job on the syslog server. However, there are entries concerning only the syslog server, and there are none for the other host appearing in the e-mail that is sent out.


I need to have the e-mail(s) that are sent out containing the information for the host in question as well as the syslog server. What other configuration steps do I need to take in order to correct this?
 
#2 acid_kewpie (Moderator), 04-02-2008, 10:58 AM
ok, pick a good demarcation point... are logs hitting the server at all? run "tcpdump -vn port 514" on the server and do something to generate log data on the client. Divide and conquer!
 
#3 kaplan71 (Member, original poster), 04-02-2008, 12:17 PM
Hi there --

Thanks for your reply. Per your request, I ran the tcpdump -vn port 514 command on the syslog server, and then did an ssh connection to the remote host from a third-party machine. The connection to the remote host did appear on-screen on the syslog server. Here is the filtered output in question:

Quote:
<username>@syslogserver:/var/log$ sudo /usr/sbin/tcpdump -vn port 514

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
13:08:48.559841 IP (tos 0x0, ttl 64, id 14, offset 0, flags [DF], proto: UDP (17), length: 82) <remote host>.514 > <syslog server>.514: SYSLOG, length: 54

Facility auth (4), Severity info (6)
Msg: sshd(pam_unix)[1167]: session closed for user <username>\012
13:10:43.620120 IP (tos 0x0, ttl 64, id 15, offset 0, flags [DF], proto: UDP (17), length: 93) <remote host>.514 > <syslog server>: SYSLOG, length: 65
The log messages from the remote host do appear to be reaching the syslog server.
 
#4 acid_kewpie (Moderator), 04-02-2008, 01:41 PM
ok, that's half the hassle ruled out then. i thought you needed to specify the port too within syslog-ng.conf but if you run "netstat -panu" to see what's listening on what udp port, that'll cover most of the doubts i'd have.
 
#5 kaplan71 (Member, original poster), 04-02-2008, 01:49 PM
Hi there --

Here are the results of the netstat -panu command on the syslog server:

Quote:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 0.0.0.0:32770 0.0.0.0:* -
udp 0 0 0.0.0.0:32771 0.0.0.0:* 3271/rpc.statd
udp 0 0 0.0.0.0:903 0.0.0.0:* 3271/rpc.statd
udp 0 0 132.183.12.123:137 0.0.0.0:* 3179/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 3179/nmbd
udp 0 0 132.183.12.123:138 0.0.0.0:* 3179/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 3179/nmbd
udp 0 0 0.0.0.0:10000 0.0.0.0:* 3577/perl
udp 0 0 0.0.0.0:789 0.0.0.0:* 3157/rpc.mountd
udp 0 0 0.0.0.0:68 0.0.0.0:* 3254/dhclient
udp 0 0 0.0.0.0:111 0.0.0.0:* 2488/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 2954/cupsd
Here are the results from the same command on the remote host:

Quote:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:32768 0.0.0.0:* 2075/rpc.statd
udp 0 0 127.0.0.1:32769 127.0.0.1:32769 ESTABLISHED 2532/postmaster
udp 0 0 0.0.0.0:514 0.0.0.0:* 420/syslogd
udp 0 0 0.0.0.0:10000 0.0.0.0:* 18739/perl
udp 0 0 0.0.0.0:979 0.0.0.0:* 2075/rpc.statd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 2293/mDNSResponder
udp 0 0 0.0.0.0:111 0.0.0.0:* 2057/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 23159/cupsd
udp 0 0 132.183.12.167:123 0.0.0.0:* 2375/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 2375/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2375/ntpd
udp 0 0 :::123 :::* 2375/ntpd
The syslog-ng port, 514, does not appear in either of the servers' output. Is it dynamic?
 
#6 acid_kewpie (Moderator), 04-02-2008, 03:18 PM
dynamic? what do you mean by that? either way, no there's no service listening, so add the port in there too. i forget the exact syntax, it's a bit weird and nested if i recall.
 
#7 kaplan71 (Member, original poster), 04-02-2008, 03:57 PM
I did some checking, and there is some problem with the syslog-ng configuration. When I tried to manually start the daemon, the following output appeared on-screen:

Quote:
#:/etc/init.d/syslog-ng start
Starting system logging: syslog-ngError binding socket; addr='AF_INET(<remote host>:514)', error='Cannot assign requested address (99)'
Error initializing source driver; source='s_udp'
start failed.
Any ideas? Thanks.
 
#8 acid_kewpie (Moderator), 04-02-2008, 04:03 PM
so what does the src definition look like now? "udp(ip("0.0.0.0") port(514));" should work. But looking at your anonymized log there... what ip are you specifying? the remote client IP?? the ip you specify is the local server interface, or 0.0.0.0 to include all, generally eth0 AND lo.
 
#9 kaplan71 (Member, original poster), 04-02-2008, 06:55 PM
Hi there --

I took your advice and changed the s_udp setting to read:

Code:
ip(0.0.0.0) port(514)
I was able to successfully activate the syslog-ng daemon. I'll keep an eye on it overnight, and let you know what happens. Thanks for the help.
 
#10 kaplan71 (Member, original poster), 04-03-2008, 09:54 AM
Hi there --

The remote host is connecting to the syslog server, and there are several log files that are appearing in the appropriate directory. However, one log file, 'messages', is not being copied over to the syslog server. This is the file that I need to have brought over and subsequently e-mailed to the administrator.

The remote host uses syslog, and the entry that is in place on that system is the following:

Code:
# Allow connection to the syslog server
messages.*                                              @<ip address>
How can I get the messages file to be copied over to the syslog server? Thanks.
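The two things this thread turns on, the meaning of the `ip()` argument in the `s_udp` source (post #8: it is the address of a local interface on the syslog server, or 0.0.0.0, never the client's address) and how a datagram's `<PRI>` header maps to the "Facility auth (4), Severity info (6)" that tcpdump decoded in post #3, can both be seen in a few lines of code. The following is an added example and is not code from the thread or from syslog-ng: a small Python UDP receiver that stands in for the `s_udp` source and the `df_udp` destination, with a `bind_check()` that reproduces the "Cannot assign requested address (99)" failure from post #7 for a non-local address. Function names, the `192.0.2.1` test address and the sample datagram are constructed for the example; the per-host directory is keyed on the sender's IP rather than its DNS name so it runs offline.

```python
import os
import re
import socket
import tempfile

# Facility names for PRI // 8.  Codes 0-11 and 16-23 are fixed by RFC 3164;
# the names used here for 12-15 follow syslog-ng.  The keyword on the left of
# a syslog.conf selector ("auth.info", "*.*") must be one of these facility
# names: a log file name such as "messages" is not a facility.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity names for PRI % 8.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(datagram):
    """Split a BSD-syslog datagram into (facility, severity, message text).

    PRI is facility * 8 + severity, so <38> is auth (4) / info (6), exactly
    the decode tcpdump printed in the thread.  A datagram with no valid <PRI>
    header is filed as user.notice, which is what syslogd does with it.
    """
    m = PRI_RE.match(datagram)
    if m is None or int(m.group(1)) > 191:
        return "user", "notice", datagram.decode("utf-8", "replace").rstrip("\n")
    pri = int(m.group(1))
    text = m.group(2).decode("utf-8", "replace").rstrip("\n")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], text


def log_path(root, host, facility):
    """Mirror the df_udp destination: file("/var/log/$HOST/$FACILITY")."""
    return os.path.join(root, host, facility)


def bind_check(addr, port=0):
    """Return None if a UDP socket can bind addr:port, otherwise the errno.

    Only a local interface address or 0.0.0.0 is bindable.  Giving the remote
    client's address, as the original s_udp source did, fails with
    EADDRNOTAVAIL, which Linux reports as errno 99.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((addr, port))
        return None
    except OSError as e:
        return e.errno
    finally:
        s.close()


def store(root, peer_ip, datagram):
    """Append one received datagram to <root>/<peer>/<facility>; return the path.

    keep_hostname(yes) with use_dns(yes) would key the directory on the
    sender's name; this example uses the sender's IP so it needs no DNS.
    """
    facility, severity, text = decode_pri(datagram)
    path = log_path(root, peer_ip, facility)
    os.makedirs(os.path.dirname(path), exist_ok=True)  # create_dirs(yes)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(f"{peer_ip} {facility}.{severity} {text}\n")
    return path


def serve_one(sock, root):
    """Receive a single datagram on an already-bound UDP socket and file it."""
    datagram, (peer_ip, _port) = sock.recvfrom(65535)
    return store(root, peer_ip, datagram)


def demo():
    """Loopback round trip: receiver bound on 127.0.0.1, one constructed message."""
    root = tempfile.mkdtemp(prefix="syslog-demo-")
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    server.settimeout(2.0)
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Constructed datagram in the shape of the one tcpdump showed: PRI <38>.
    client.sendto(b"<38>sshd(pam_unix)[1167]: session closed for user alice\n",
                  ("127.0.0.1", port))
    try:
        path = serve_one(server, root)
    finally:
        client.close()
        server.close()
    with open(path, encoding="utf-8") as fh:
        return path, fh.read()


if __name__ == "__main__":
    print("bind 0.0.0.0 ->", bind_check("0.0.0.0"))
    print("bind 192.0.2.1 -> errno", bind_check("192.0.2.1"))
    print(*demo())
```

Running it shows the bind to 0.0.0.0 succeeding and the bind to a non-local address failing with errno 99, then a `127.0.0.1/auth` file containing the decoded message. The facility table is also the reason the `messages.*` selector in post #10 matches nothing: the left side of a syslog.conf selector names a facility from that table, while `messages` is the name of a destination file that classic syslogd fills from selectors such as `*.info;mail.none;authpriv.none;cron.none`.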
 
#11 isthisyournacho (LQ Newbie), 08-17-2011, 10:10 AM
How did you do that?

Wait how did you "change the s_udp setting" ?
 
#12 acid_kewpie (Moderator), 08-17-2011, 10:15 AM
how?? he just changed the text in the file...?

btw, please don't drag up dead threads, it gets very confusing.
 
#13 isthisyournacho (LQ Newbie), 08-17-2011, 10:20 AM
Ok... I'll make a new one. No idea what text file you mean.
 
#14 acid_kewpie (Moderator), 08-17-2011, 10:32 AM
erm, what?? I mean syslog-ng.conf. Is this a serious question?
 
#15 isthisyournacho (LQ Newbie), 08-17-2011, 10:52 AM
I do not see the setting in syslog-ng.conf that I need - I searched the file for "udp" and "remote" but did not find what I need.

Could you please answer with a little less malice? If not, don't bother. Thanks. I am new to syslog.
 