Logging, Syslog and Log Analysis Forums
Author Topic: syslog - LOCAL7  (Read 10963 times)
Anonymous
« Reply #15 on: December 29, 2005, 12:28:11 pm »

Thanks for your responsiveness.
Here is the log. It seems to me nothing happens.
Thanks again.

[root@suna18-3 log]# service syslog stop
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
[root@suna18-3 log]# syslogd -m 0 -r -x -d
Allocated parts table for 1024 file descriptors.
Starting.
Called init.
Called allocate_log, nlogs = -1.
cfline(.info;mail.none;authpriv.none;cron.none           /var/log/messages)
symbolic name: info ==> 6
symbolic name: none ==> 16
symbolic name: mail ==> 16
symbolic name: none ==> 16
symbolic name: authpriv ==> 80
symbolic name: none ==> 16
symbolic name: cron ==> 72
leading char in action: /
filename: /var/log/messages
Called allocate_log, nlogs = 0.
cfline(*.debug                                          /var/log/messages)
symbolic name: debug ==> 7
leading char in action: /
filename: /var/log/messages
Opened UNIX socket `/dev/log'.
Opened syslog UDP port.
 0:  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X  X FILE: /var/log/messages
 1: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FILE: /var/log/messages
logmsg: syslog.info<46>, flags 4, from suna18-3, msg syslogd 1.4.1: restart (remote reception).
Called fprintlog, logging to FILE /var/log/messages
syslogd: restarted.
Debugging disabled, SIGUSR1 to turn on debugging.
 
[1]+  Stopped                 syslogd -m 0 -r -x -d
[root@suna18-3 log]# bg
[1]+ syslogd -m 0 -r -x -d &
[root@suna18-3 log]# kill -
[root@suna18-3 log]# ps -ef | grep syslogd
root     25426  1258  0 18:43 pts/12   00:00:00 syslogd -m 0 -r -x -d
root     25428  1258  0 18:44 pts/12   00:00:00 grep syslogd
[root@suna18-3 log]# kill -SIGUSR1 25426
[root@suna18-3 log]# Select interrupted.
Listening on syslog UDP port.
Calling select, active file descriptors (max 6): 3 6
Select interrupted.
Listening on syslog UDP port.
Calling select, active file descriptors (max 6): 3 6
Select interrupted.
Listening on syslog UDP port.
Calling select, active file descriptors (max 6): 3 6
 
Successful select, descriptor count = 1, Activity on: 3
Message from UNIX socket: #3
Message length: 85, File descriptor: 3.
logmsg: auth.info<38>, flags 2, from suna18-3, msg Dec 29 18:45:01 crond(pam_unix)[25429]: session opened for user root by (uid=0)
Called fprintlog, logging to FILE /var/log/messages
Listening on syslog UDP port.
Calling select, active file descriptors (max 6): 3 6
 
Successful select, descriptor count = 1, Activity on: 3
Message from UNIX socket: #3
Message length: 154, File descriptor: 3.
logmsg: cron.info<78>, flags 2, from suna18-3, msg Dec 29 18:45:01 crond[25430]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg --lock-file /var/lock/mrtg/mrtg_l --confcache-file /var/lib/mrtg/mrtg.ok)
Called fprintlog, logging to FILE /var/log/messages
Listening on syslog UDP port.
Calling select, active file descriptors (max 6): 3 6
 
Successful select, descriptor count = 1, Activity on: 3
Message from UNIX socket: #3
Message length: 86, File descriptor: 3.
logmsg: auth.info<38>, flags 2, from suna18-3, msg Dec 29 18:45:01 crond(pam_unix)[25431]: session opened for user nsite by (uid=0)
Called fprintlog, logging to FILE /var/log/messages
Listening on syslog UDP port.
Calling select, active file descriptors (max 6): 3 6
 
Successful select, descriptor count = 1, Activity on: 3
Message from UNIX socket: #3
Message length: 119, File descriptor: 3.
logmsg: cron.info<78>, flags 2, from suna18-3, msg Dec 29 18:45:01 crond[25432]: (nsite) CMD (nsite php /usr/local/apache2/htdocs/cacti/poller.php > /dev/null 2>&1)
Called fprintlog, logging to FILE /var/log/messages
Listening on syslog UDP port.
Calling select, active file descriptors (max 6): 3 6
 
Successful select, descriptor count = 1, Activity on: 3
Message from UNIX socket: #3
Message length: 75, File descriptor: 3.
logmsg: auth.info<38>, flags 2, from suna18-3, msg Dec 29 18:45:01 crond(pam_unix)[25431]: session closed for user nsite
Called fprintlog, logging to FILE /var/log/messages
Listening on syslog UDP port.
Calling select, active file descriptors (max 6): 3 6
 
Successful select, descriptor count = 1, Activity on: 3
Message from UNIX socket: #3
Message length: 74, File descriptor: 3.
logmsg: auth.info<38>, flags 2, from suna18-3, msg Dec 29 18:45:01 crond(pam_unix)[25429]: session closed for user root
Called fprintlog, logging to FILE /var/log/messages
Listening on syslog UDP port.
Calling select, active file descriptors (max 6): 3 6
Select interrupted.
Listening on syslog UDP port.
Calling select, active file descriptors (max 6): 3 6
Select interrupted.
Listening on syslog UDP port.
Calling select, active file descriptors (max 6): 3 6
mutex
« Reply #16 on: December 29, 2005, 01:38:11 pm »

It's only processing messages that are coming in from the unix sockets.  Did you verify that the cisco box had sent out some messages while you were running syslogd in debug?  If so, I'm not sure where to go, because you're clearly seeing them on tcpdump, but syslogd isn't getting them.  Are you running a firewall (iptables, etc) on the linux syslog server?  If so, it's possible that tcpdump is catching them before they get filtered out.  I'm not certain of the order of network flow in Linux.
rgerhards
« Reply #17 on: January 03, 2006, 03:37:55 am »

Linux stock sysklogd package does not care about the source port. That, btw, is a smart idea, because the source port of 514 is a side-effect of daemon implementation. A highly parallel, performance-tuned multi-threading syslogd is not able to use port 514 (because that would limit the sender to a single thread, and that even with synchronization needs to the receiver...).
jlsuzanne
« Reply #18 on: January 03, 2006, 02:12:13 pm »

I did not configure a firewall. However, I did the same test after installing syslog-ng.
Same results: syslog packets do arrive on the server but are not logged.
Hereafter the syslog-ng debug output:

[root@suna18-3 syslogng]# netstat -a | grep syslog
warning, got duplicate tcp line.
udp        0      0 *:syslog                    *:*                                    
[root@suna18-3 syslogng]#

[root@suna18-3 syslog-ng]# syslog-ng -d
io.c: Preparing fd 3 for reading
io.c: listening on fd 4
io.c: Preparing fd 5 for reading
syslog-ng version 1.6.8 starting
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
io.c: Preparing fd 7 for writing
io.c: Preparing fd 8 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
io.c: Preparing fd 9 for reading
Read EOF on fd 8.
Marking fd 8 for closing.
Closing fd 6.
Read EOF on fd 9.
Marking fd 9 for closing.
Closing fd 8.
Closing fd 9.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
io.c: Preparing fd 8 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
io.c: Preparing fd 9 for reading
Read EOF on fd 8.
Marking fd 8 for closing.
io.c: Preparing fd 10 for reading
Closing fd 6.
Read EOF on fd 9.
Marking fd 9 for closing.
Closing fd 8.
Read EOF on fd 10.
Marking fd 10 for closing.
Closing fd 9.
Closing fd 10.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
STATS: dropped 0
io.c: Preparing fd 6 for reading
io.c: Preparing fd 8 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
io.c: Preparing fd 9 for reading
Read EOF on fd 8.
Marking fd 8 for closing.
io.c: Preparing fd 10 for reading
Closing fd 6.
Read EOF on fd 9.
Marking fd 9 for closing.
Closing fd 8.
Read EOF on fd 10.
Marking fd 10 for closing.
Closing fd 9.
Closing fd 10.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
gc_mark: Marking object of class 'syslog_backend' (0)
gc_mark: Marking object of class 'syslog_config' (1)
gc_mark: Marking object of class 'resource_list' (2)
gc_mark: Marking object of class 'io_fd' (3)
gc_mark: Marking object of class 'pkt_buffer' (4)
gc_mark: Marking object of class 'io_fd' (4)
gc_mark: Marking object of class 'log_reader' (5)
gc_mark: Marking object of class 'afsocket_source_connection' (6)
gc_mark: Marking object of class 'afinet_source' (7)
gc_mark: Marking object of class 'inet_address_info' (8)
gc_mark: Marking object of class 'object_queue' (8)
gc_mark: Marking object of class 'log_source_group' (8)
gc_mark: Marking object of class 'log_center' (9)
gc_mark: Marking object of class 'log_connection' (10)
gc_mark: Marking object of class 'log_endpoint_info' (11)
gc_mark: Marking object of class 'log_source_group' (12)
gc_mark: Marking object of class 'affile_source' (13)
gc_mark: Marking object of class 'io_fd' (14)
gc_mark: Marking object of class 'log_reader' (15)
gc_mark: Marking object of class 'afunix_source' (14)
gc_mark: Marking object of class 'listen_fd' (15)
gc_mark: Marking object of class 'afsocket_accept_callback' (16)
gc_mark: Marking object of class 'unix_address_info' (15)
gc_mark: Marking object of class 'object_queue' (15)
gc_mark: Marking object of class 'log_source_driver' (15)
gc_mark: Marking object of class 'log_endpoint_info' (11)
gc_mark: Marking object of class 'log_dest_group' (12)
gc_mark: Marking object of class 'affile_dest' (13)
gc_mark: Marking object of class 'affile_dest_writer' (14)
gc_mark: Marking object of class 'log_connection' (11)
gc_mark: Marking object of class 'log_endpoint_info' (12)
gc_mark: Marking object of class 'log_endpoint_info' (12)
gc_mark: Marking object of class 'afsocket_source_close_callback' (5)
gc_mark: Marking object of class 'UNKNOWN' (1)
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
io.c: Preparing fd 8 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
io.c: Preparing fd 9 for reading
Read EOF on fd 8.
Marking fd 8 for closing.
io.c: Preparing fd 10 for reading
Closing fd 6.
Read EOF on fd 9.
Marking fd 9 for closing.
Closing fd 8.
Read EOF on fd 10.
Marking fd 10 for closing.
Closing fd 9.
Closing fd 10.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
STATS: dropped 0
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
gc_mark: Marking object of class 'syslog_backend' (0)
gc_mark: Marking object of class 'syslog_config' (1)
gc_mark: Marking object of class 'resource_list' (2)
gc_mark: Marking object of class 'io_fd' (3)
gc_mark: Marking object of class 'pkt_buffer' (4)
gc_mark: Marking object of class 'io_fd' (4)
gc_mark: Marking object of class 'log_reader' (5)
gc_mark: Marking object of class 'afsocket_source_connection' (6)
gc_mark: Marking object of class 'afinet_source' (7)
gc_mark: Marking object of class 'inet_address_info' (8)
gc_mark: Marking object of class 'object_queue' (8)
gc_mark: Marking object of class 'log_source_group' (8)
gc_mark: Marking object of class 'log_center' (9)
gc_mark: Marking object of class 'log_connection' (10)
gc_mark: Marking object of class 'log_endpoint_info' (11)
gc_mark: Marking object of class 'log_source_group' (12)
gc_mark: Marking object of class 'affile_source' (13)
gc_mark: Marking object of class 'io_fd' (14)
gc_mark: Marking object of class 'log_reader' (15)
gc_mark: Marking object of class 'afunix_source' (14)
gc_mark: Marking object of class 'listen_fd' (15)
gc_mark: Marking object of class 'afsocket_accept_callback' (16)
gc_mark: Marking object of class 'unix_address_info' (15)
gc_mark: Marking object of class 'object_queue' (15)
gc_mark: Marking object of class 'log_source_driver' (15)
gc_mark: Marking object of class 'log_endpoint_info' (11)
gc_mark: Marking object of class 'log_dest_group' (12)
gc_mark: Marking object of class 'affile_dest' (13)
gc_mark: Marking object of class 'affile_dest_writer' (14)
gc_mark: Marking object of class 'log_connection' (11)
gc_mark: Marking object of class 'log_endpoint_info' (12)
gc_mark: Marking object of class 'log_endpoint_info' (12)
gc_mark: Marking object of class 'afsocket_source_close_callback' (5)
gc_mark: Marking object of class 'UNKNOWN' (1)
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Closing fd 6.
STATS: dropped 0
io.c: Preparing fd 6 for reading
io.c: Preparing fd 8 for reading
Read EOF on fd 6.
Marking fd 6 for closing.
Read EOF on fd 8.
Marking fd 8 for closing.
Closing fd 6.
Closing fd 8.
io.c: Preparing fd 6 for reading
Read EOF on fd 6.
mutex
« Reply #19 on: January 11, 2006, 07:25:55 am »

This one has still got me puzzled.  Do you have any other devices that you can use to send syslog messages to that server?  I know you have tried the logger command, but that's going to use the unix socket to deliver the message. Using logger on another system on your network would give a more realistic test.
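The suggestion above (a test message from another host rather than from the local unix socket), together with the earlier points that the daemon only saw unix-socket traffic and that the sender's source port should not matter, can be exercised with a small sender/receiver pair. The following is an added example written for this thread, not code from the forum or from the sysklogd or syslog-ng projects. It builds a BSD-syslog datagram with the PRI value computed the way the debug output shows it (`<46>` is syslog.info, `<38>` auth.info, `<78>` cron.info, and local7.info is `<190>`), sends it over UDP from an ephemeral source port, and decodes what arrives. The self-test uses a receiver on 127.0.0.1 with a kernel-chosen port so it runs without root and without clashing with a daemon already bound to 514; the hostname, tag and message text are constructed sample values. Point `send_udp()` at a real collector on port 514 from a second machine to reproduce the remote test the reply recommends.

```python
"""Added example for this thread (not the forum's or any daemon's own code):
build, send, receive and decode BSD-syslog (RFC 3164) UDP datagrams so a
remote collector can be tested from another host and the PRI header explained.
"""
import re
import socket

# RFC 3164 facility and severity names; the list index is the numeric code.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A datagram starts with "<PRI>" followed by the rest of the message.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity; local7.info is 23 * 8 + 6 = 190."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: 46 -> (5, 6), i.e. syslog.info."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return divmod(pri, 8)


def build_message(facility: int, severity: int, hostname: str, tag: str,
                  text: str, timestamp: str = "Dec 29 18:45:01") -> str:
    """Assemble '<PRI>TIMESTAMP HOSTNAME TAG: TEXT' (constructed sample values)."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {hostname} {tag}: {text}"


def parse_message(raw: str) -> dict:
    """Split a datagram into PRI, facility/severity names and remaining text.
    A missing or invalid PRI is reported the way a receiver treats it: user.notice."""
    m = PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:
        return {"pri": None, "facility": "user", "severity": "notice", "body": raw}
    pri = int(m.group(1))
    fac, sev = decode_pri(pri)
    return {"pri": pri, "facility": FACILITIES[fac],
            "severity": SEVERITIES[sev], "body": m.group(2)}


def send_udp(message: str, host: str, port: int = 514, source_port: int = 0) -> int:
    """Send one datagram. source_port=0 lets the kernel pick an ephemeral port,
    which a collector must accept just as readily as a sender bound to 514."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", source_port))
        return s.sendto(message.encode("utf-8"), (host, port))


def receive_one(sock: socket.socket, timeout: float = 2.0) -> dict:
    """Wait for one datagram on an already-bound UDP socket and decode it,
    recording the peer address so the source port can be inspected."""
    sock.settimeout(timeout)
    data, (peer_host, peer_port) = sock.recvfrom(2048)
    result = parse_message(data.decode("utf-8", errors="replace"))
    result["peer"] = (peer_host, peer_port)
    return result


def loopback_selftest() -> dict:
    """Stand-in for 'logger on another host': deliver a local7.info message to a
    receiver on 127.0.0.1 (ephemeral port, no root needed) from a non-514 source
    port and return the decoded result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        port = rx.getsockname()[1]
        msg = build_message(23, 6, "router1", "test", "constructed test message")
        send_udp(msg, "127.0.0.1", port)
        return receive_one(rx)


if __name__ == "__main__":
    print(loopback_selftest())
```

If the self-test decodes the message but a real daemon on port 514 stays silent while tcpdump shows the packets, the datagram has reached the host but not the process: check that the daemon is actually bound to UDP 514 and that no host firewall rule drops it, since packet capture happens before such filtering.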