<P><FONT face=Verdana>Yeah, I know I'm really late with another tip. It's been pretty crazy around my house, so you'll have to excuse me.</FONT></P>
<P><FONT face=Verdana>Anyhow, I see lots and lots of people searching around for information on how to troubleshoot syslog because messages aren't getting from point A to point B.</FONT></P>
<P><FONT face=Verdana>So, you have followed the directions at </FONT><A href="http://www.syslog.org/index.php?module=ContentExpress&func=display&ceid=12&meid=14" target=_new><FONT face=Verdana>http://www.syslog.org/index.php?module=ContentExpress&func=display&ceid=12&meid=14</FONT></A><FONT face=Verdana> and you're not seeing logs coming out of the central syslog server. What do you do now?</FONT></P>
<P><FONT face=Verdana>First, check the simple things. Make sure that the host you have defined as the loghost on the client is resolvable on the client. Try the IP address of the syslog server to double-check.</FONT></P>
<P><FONT face=Verdana>Next, check that syslogd is actually listening on the network. Use the sockstat or netstat utility to look for syslogd bound to UDP port 514:</FONT></P>
<P><FONT face=Verdana>web1# sockstat |grep 514<BR>root syslogd 48589 6 udp6 *:514 *:*<BR>root syslogd 981 4 udp4 63.175.100.41:514 *:*<BR></FONT></P>
<P><FONT face=Verdana>OR</FONT></P>
<P><FONT face=Verdana>web1# netstat -an |grep 514<BR>udp6 0 0 *.514 *.*<BR>udp4 0 0 63.175.100.41.514 *.*<BR></FONT></P>
<P><FONT face=Verdana>If it is not listening on the port, the fix depends on your operating system. On Linux, you need to add the "-r" flag to the syslogd options in /etc/sysconfig, as detailed in the previous tip.</FONT></P>
<P><FONT face=Verdana>On FreeBSD, you need to make sure that syslogd isn't started with the -s -s option. "man syslogd" is your friend if you have a different version of UNIX; it should tell you how to start it with a socket bound to port 514. If you run into trouble, post a message here: </FONT><A href="http://www.syslog.org/index.php?name=PNphpBB2&file=posting&mode=newtopic&f=1" target=_new><FONT face=Verdana>http://www.syslog.org/index.php?name=PNphpBB2&file=posting&mode=newtopic&f=1</FONT></A></P>
<P><FONT face=Verdana>If it is listening on port 514, you will need to verify that messages are actually being sent out from the client. On the client, run "tcpdump -X port 514". Then do something that will cause a message to be generated. You can manually generate one with the logger command, but that is not a real test of whether syslogd is forwarding messages or not. If you do not see any traffic in tcpdump, double-check your syslog.conf file to make sure that you have the definitions correct. I have found that some of the stock versions of syslogd won't let you do more than one thing with a particular facility/severity combination, so if it is already defined to go to a log file, with another line sending it to a remote host, try commenting out the line for the local log file, restarting syslogd and running the test again.</FONT></P>
<P><FONT face=Verdana>If you do see log messages, run the same "tcpdump -X port 514" test on the syslog server. If you do not see traffic, there is most likely a firewall somewhere in the path between the systems that is causing the problem. If you do see traffic, check the definitions in syslog.conf to make sure you are capturing the correct facility/severity combination to the log file. If syslog.conf looks good, stop syslogd and start it up in debug mode. With syslogd in debug mode, trigger something on the client to send a syslog message. You should see some indication of what is wrong. There are far too many possibilities and different versions of syslogd to cover here. If you are having trouble decoding the debug output, feel free to post a message here: </FONT><A href="http://www.syslog.org/index.php?name=PNphpBB2&file=posting&mode=newtopic&f=1" target=_new><FONT face=Verdana>http://www.syslog.org/index.php?name=PNphpBB2&file=posting&mode=newtopic&f=1</FONT></A></P>
<P>Syslog is really a very simple protocol, but there are 100001 versions of syslogd, so it sometimes takes a bit to make sure everything is matched up for the logs to be sent from one system to another.</P>
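<P><FONT face=Verdana>Two of the local checks above can be scripted so they run the same way on every host. The POSIX sh helpers below are an added example, not part of the original tip: they read sockstat/"netstat -an" output and a syslog.conf from stdin, report whether a UDP 514 listener is present, and list any facility/severity selector that appears on more than one line (the duplicate-selector problem described above) together with the @loghost targets. The sample inputs and the host name "loghost" are constructed for the example.</FONT></P>

```sh
#!/bin/sh
# Added example helpers (not from the original tip). Each function reads its input
# from stdin so it works on real command output as well as the constructed samples.

# Returns 0 if some UDP socket has local port 514. Accepts both sockstat
# ("udp4 63.175.100.41:514 *:*") and netstat ("udp4 0 0 *.514 *.*",
# "udp 0 0 0.0.0.0:514 0.0.0.0:*") formats; a port such as 5140 does not match.
syslog_udp514_listening() {
    grep -E 'udp[46]?' | grep -Eq '[:.]514[[:space:]]'
}

# Prints each selector (split on ";") used on more than one non-comment line,
# e.g. "auth.info" when one line writes it to a file and another sends it to @loghost.
syslog_conf_duplicate_selectors() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++) seen[sel[i]]++
        }
        END { for (s in seen) if (seen[s] > 1) print s }
    ' | sort
}

# Prints the remote loghosts named in syslog.conf (actions beginning with "@").
syslog_conf_remote_hosts() {
    awk '!/^[ \t]*#/ && $2 ~ /^@/ { sub(/^@/, "", $2); print $2 }' | sort -u
}

# Constructed sample inputs (the address is the one shown in the tip; "loghost" is made up).
SAMPLE_SOCKSTAT='root syslogd 981 4 udp4 63.175.100.41:514 *:*
root syslogd 981 6 udp6 *:514 *:*'
SAMPLE_NETSTAT_NO_514='udp4 0 0 *.123 *.*
tcp4 0 0 *.22 *.*'
SAMPLE_CONF='# constructed syslog.conf
auth.info          /var/log/auth.log
mail.*             /var/log/maillog
*.notice;auth.info @loghost'

main() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | syslog_udp514_listening && echo "syslogd is bound to UDP 514"
    printf '%s\n' "$SAMPLE_NETSTAT_NO_514" | syslog_udp514_listening || echo "no UDP 514 listener: check -r (Linux) or -s -s (FreeBSD)"
    echo "selectors used more than once: $(printf '%s\n' "$SAMPLE_CONF" | syslog_conf_duplicate_selectors)"
    echo "remote loghosts: $(printf '%s\n' "$SAMPLE_CONF" | syslog_conf_remote_hosts)"
}
main "$@"
```

On a real host, replace the samples with "netstat -an | syslog_udp514_listening" and "syslog_conf_duplicate_selectors < /etc/syslog.conf".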