Main: Troubleshooting Syslog Forwarding

<P><FONT face=Verdana>Yeah, I know I'm really late with another tip. It's been pretty crazy around my house, so you'll have to excuse me.</FONT></P>

<P><FONT face=Verdana>Anyhow, I see lots and lots of people searching around for information on how to troubleshoot syslog because messages aren't getting from point A to point B.</FONT></P>

<P><FONT face=Verdana>So, you have followed the directions at <A href="http://www.syslog.org/index.php?module=ContentExpress&func=display&ceid=12&meid=14" target=_new>http://www.syslog.org/index.php?module=ContentExpress&func=display&ceid=12&meid=14</A> and you're not seeing logs coming out of the central syslog server. What do you do now?</FONT></P>

<P><FONT face=Verdana>First, check the simple things. Make sure that the host you have defined as the loghost on the client is resolvable from the client. Try the IP address of the syslog server to double-check.</FONT></P>

<P><FONT face=Verdana>Next, check that syslogd is actually listening on the network. Use the sockstat or netstat utility to look for syslogd bound to port 514:</FONT></P>

<PRE>web1# sockstat |grep 514
root     syslogd    48589 6  udp6   *:514                 *:*
root     syslogd    981   4  udp4   63.175.100.41:514     *:*
</PRE>

<P><FONT face=Verdana>OR</FONT></P>

<PRE>web1# netstat -an |grep 514
udp6       0      0  *.514                  *.*
udp4       0      0  63.175.100.41.514      *.*
</PRE>

<P><FONT face=Verdana>If it is not listening on the port, the fix depends on your operating system. On Linux, you need to add the "-r" flag to /etc/sysconfig, as detailed in the previous tip.</FONT></P>

<P><FONT face=Verdana>On FreeBSD, you need to make sure that syslogd isn't started up with the -s -s option. "man syslogd" is your friend if you have a different version of UNIX; it should tell you how to start it up with a socket bound to port 514. If you run into trouble, post a message here: <A href="http://www.syslog.org/index.php?name=PNphpBB2&file=posting&mode=newtopic&f=1" target=_new>http://www.syslog.org/index.php?name=PNphpBB2&file=posting&mode=newtopic&f=1</A></FONT></P>

<P><FONT face=Verdana>If it is listening on port 514, you will need to verify that messages are actually being sent out from the client. On the client, run "tcpdump -X port 514". Then, do something that will cause a message to be generated. You can manually generate one with the logger command, but that is not a real test of whether syslogd is forwarding messages or not. If you do not see any traffic in tcpdump, you will need to double-check your syslog.conf file to make sure that the definitions are correct. I have found that some of the stock versions of syslogd won't let you do more than one thing with a particular facility/severity combination, so if it is already defined to go to a log file, with another line sending it to a remote host, try commenting out the line for the local log file, restarting syslogd, and running the test again.</FONT></P>

<P><FONT face=Verdana>If you do see log messages, run the same "tcpdump -X port 514" test on the syslog server. If you do not see traffic, there is most likely a firewall somewhere in the path between the systems that is causing the problem. If you do see traffic, check the definitions in syslog.conf to make sure you are capturing the correct facility/severity combination to the log file. If syslog.conf looks good, stop syslogd and start it up in debug mode. With syslogd in debug mode, trigger something on the client to send a syslog message. You should see some indication as to what is wrong. There are far too many possibilities and different versions of syslogd to cover here. If you are having trouble decoding the debug output, feel free to post a message here: <A href="http://www.syslog.org/index.php?name=PNphpBB2&file=posting&mode=newtopic&f=1" target=_new>http://www.syslog.org/index.php?name=PNphpBB2&file=posting&mode=newtopic&f=1</A></FONT></P>

<P>Syslog is really a very simple protocol, but there are 100001 versions of syslogd, so it sometimes takes a bit to make sure everything is matched up for the logs to be sent from one system to another.</P>
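The listening check and the syslog.conf check from the procedure above, as an added example that is not from the original tip: two POSIX shell functions run over constructed sample text (the sockstat/netstat lines and the syslog.conf below are made up here), so the parsing can be tried without root or a live network.

```shell
#!/bin/sh
# Added example, not part of the original tip. On a real host, feed
# syslogd_listening the output of "sockstat | grep 514" or "netstat -an | grep 514"
# and conflicting_selectors the contents of /etc/syslog.conf.

# Constructed sockstat-style output: syslogd bound to UDP 514 ...
LISTENING_SAMPLE='root     syslogd    981   4  udp4   63.175.100.41:514     *:*
root     sshd       812   3  tcp4   *:22                  *:*'
# ... and a host where only a TCP listener sits on 514, which is not syslogd.
NOT_LISTENING_SAMPLE='root     sshd       812   3  tcp4   *:22                  *:*
root     nc         999   3  tcp4   *:514                 *:*'

# syslogd_listening: succeed if stdin contains a UDP socket on port 514.
# Accepts both the sockstat "*:514" and the netstat "*.514" spellings.
syslogd_listening() {
    grep -E 'udp.*[.:]514([[:space:]]|$)' >/dev/null
}

# Constructed syslog.conf: auth.* is written to a local file AND forwarded,
# the pattern the tip says some stock syslogd builds will not honour twice.
CONF_SAMPLE='# sample /etc/syslog.conf (constructed)
auth.*          /var/log/auth.log
auth.*          @loghost
mail.info       -/var/log/maillog
*.emerg         *
kern.*          @loghost'

# conflicting_selectors: print every selector that has both a local file
# action (optionally "-" prefixed, as on Linux) and a remote "@host" action.
conflicting_selectors() {
    awk '
        NF == 0 || /^[ \t]*#/ { next }               # blank lines and comments
        $2 ~ /^@/             { remote[$1] = 1; next }
        $2 ~ /^-?\//          { local[$1] = 1 }
        END { for (s in remote) if (s in local) print s }
    '
}

# Demo over the constructed samples.
if printf '%s\n' "$LISTENING_SAMPLE" | syslogd_listening; then
    echo "sample 1: syslogd is bound to UDP 514"
fi
printf '%s\n' "$CONF_SAMPLE" | conflicting_selectors | sed 's/^/conflicting selector: /'
```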