LinuxQuestions.org
Old 07-03-2009, 02:44 AM   #1
smecherel
Member
 
Registered: Jun 2008
Posts: 43

Rep: Reputation: 15
Question Syslog-ng remote access problem


Hello,
I have a problem integrating a syslog-ng server for capturing syslog messages from my network.

Syslog-ng is installed on a Fedora Core 10 box, and for testing I have another Linux box with Ubuntu 9.04.

The client is sending syslog messages towards the server, because I used tcpdump and Wireshark and I can see the packets leaving the client.

Now, on the server, syslog is configured like this:

source s_remote_udp { udp ();};
source s_internal { internal(); };
destination d_localfile {file ("/root/syslog.log"); };
log { source (s_internal); destination (d_localfile); };
log { source (s_remote_udp); destination (d_localfile); };

Internal messages are sent to the local file on the server. But the remote messages are not sent.
On the server tcpdump shows that packets sent from the client are received on the interface.

BUT every time on the client I keep receiving back from the server an ICMP error Destination Unreachable, with a code of Host Administratively Prohibited.
I tried using different ports, even a TCP connection, but the same thing - ICMP error back with the same code.

The problem must be with the Fedora server, I don't know why it is not accepting the packets.

SELinux is disabled on Fedora and no firewall is installed (I don't know if any is installed by default).

I don't know if this restriction is because of the Fedora O.S. or because of the syslog-ng configuration.
I'm no beginner anymore on Linux, but this problem is way out of my knowledge.
Can anyone please help me solve this?
 
Old 07-03-2009, 05:55 AM   #2
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116
You need a line like this in the syslog-ng.conf file:

Code:
source remoteudp { udp(ip(0.0.0.0) port (514)); };
 
Old 07-03-2009, 08:41 AM   #3
smecherel
Member
 
Registered: Jun 2008
Posts: 43

Original Poster
Rep: Reputation: 15
Well, as you can see above, I already have a more permissive line:
source s_remote_udp { udp ();};

But I also tried before that with your example, I even tried with a TCP connection, but without any positive result.

By the way... I've noticed another thing. On the client (Ubuntu 9.04) the CPU stays at 100% and I think that's very strange.
What could cause that high percentage usage for syslog-ng?

cosmin@Dell:~$ top

top - 14:18:03 up 24 min, 2 users, load average: 0.96, 1.04, 0.79
Tasks: 133 total, 2 running, 131 sleeping, 0 stopped, 0 zombie
Cpu(s): 12.8%us, 38.4%sy, 0.0%ni, 48.8%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 2060488k total, 498444k used, 1562044k free, 18084k buffers
Swap: 2931820k total, 0k used, 2931820k free, 250712k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2522 root 20 0 3340 1032 616 R 99 0.1 19:17.89 syslog-ng
3017 root 20 0 306m 35m 11m S 1 1.7 0:24.38 Xorg
4366 cosmin 20 0 30580 18m 13m S 1 0.9 0:02.50 gnome-system-mo

Now the client is configured like this:
source s_internal { internal(); };
source s_local {file ("/proc/kmsg" log_prefix("kernel: ")); unix-stream ("/dev/log"); };
destination d_localfile { file ("/home/cosmin/syslog.log"); };
destination d_remote {udp ("192.168.53.248" port(514)); };
log { source(s_local); destination(d_localfile); };
log { source(s_internal); destination(d_localfile); };
log { source(s_local); destination(d_remote); };


The server has this configuration
source s_internal { internal(); };
source s_remote_udp {udp (ip (0.0.0.0) port(514)); };
destination d_localfile {file ("/root/syslog.log"); };
log { source (s_remote_udp); destination (d_localfile); };
log { source (s_sys); destination (d_localfile); };

The server is still refusing messages from remote sites.
 
Old 07-03-2009, 10:22 AM   #4
smecherel
Member
 
Registered: Jun 2008
Posts: 43

Original Poster
Rep: Reputation: 15
I have installed ntop, an application which is listening on TCP 3000 (verified with netstat and telnet localhost).
But the same problem occurs when I try to access the server from remote hosts. The same ICMP error, which makes me think that "something" is blocking those packets from reaching the server applications on Fedora Core 10.

Can someone help me with this?
 
Old 07-03-2009, 12:10 PM   #5
nuwen52
Member
 
Registered: Feb 2009
Distribution: Debian, CentOS 5, Gentoo, FreeBSD, Fedora, Mint, Slackware64
Posts: 208

Rep: Reputation: 46
I don't see something wrong with the config, so if you think something's blocking it, I would first recommend dropping the firewall on the server machine temporarily (as long as it's on a trusted network).
 
Old 07-05-2009, 09:12 PM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 7.7 (?), Centos 8.1
Posts: 17,814

Rep: Reputation: 2553
The iptables based firewall is part of the std install on Linux. You can see what's currently set by using

iptables -L
 
Old 07-07-2009, 02:40 AM   #7
smecherel
Member
 
Registered: Jun 2008
Posts: 43

Original Poster
Rep: Reputation: 15
Sorry for answering so late.
You were right guys about the firewall, on the Fedora server iptables was on, and as soon as I turned it off, everything worked great.
Now I have to learn how to configure iptables, because I don't want to leave it off.
Before closing the thread, does anyone know a good point to start learning iptables?
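
Added example, not part of any post in this thread: the ICMP "host administratively prohibited" reply reported above is what an iptables `REJECT --reject-with icmp-host-prohibited` rule sends, so instead of turning the firewall off, an ACCEPT for syslog can be inserted just above that rule. The sample ruleset and the 192.168.53.0/24 client network are assumptions; only the server address 192.168.53.248 and port 514 come from the thread.

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` output, modelled on a stock
# Fedora ruleset (an assumption; the thread never shows the server's rules).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Print the 1-based rule number of the first catch-all REJECT/DROP in INPUT.
# A catch-all has no match options between the chain name and -j.
first_blocking_rule() {   # $1 = ruleset text
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++ }
        /^-A INPUT -j (REJECT|DROP)/ { print n; exit }'
}

# Succeed only if an ACCEPT for proto/port comes before the catch-all.
port_allowed() {          # $1 = ruleset text, $2 = proto, $3 = port
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        /^-A INPUT -j (REJECT|DROP)/ { exit }
        /^-A INPUT / && /-j ACCEPT/ && $0 ~ ("-p " proto " ") &&
            $0 ~ ("--dport " port "( |$)") { ok = 1; exit }
        END { exit !ok }'
}

# Build the command that inserts a syslog ACCEPT just above the catch-all,
# limited to one source network rather than open to every host.
syslog_allow_cmd() {      # $1 = ruleset text, $2 = source CIDR
    pos=$(first_blocking_rule "$1")
    [ -n "$pos" ] || return 1
    printf 'iptables -I INPUT %s -p udp -s %s --dport 514 -j ACCEPT\n' "$pos" "$2"
}

# On the server, pass "$(iptables -S INPUT)" instead of SAMPLE_RULES.
# 192.168.53.0/24 is an assumed client network around the thread's server IP.
if ! port_allowed "$SAMPLE_RULES" udp 514; then
    syslog_allow_cmd "$SAMPLE_RULES" 192.168.53.0/24
fi
```

The script only prints the command; after running it as root, `service iptables save` keeps the rule across restarts on Fedora.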
 
Old 07-08-2009, 03:47 AM   #8
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116
firestarter, guarddog, fwbuilder - some of the GUI tools you could use...
 
  

