Main: Troubleshooting Syslog Forwarding

Main.TroubleshootingSyslogForwarding History


February 13, 2007, at 09:04 PM by 76.20.240.110 -
Added lines 1-41:
<P><FONT face=Verdana>Yeah, I know I'm really late with another tip. It's been pretty crazy around my house, so you'll have to excuse me.</FONT></P>
<P><FONT face=Verdana>Anyhow, I see lots and lots of people searching around for information on how to troubleshoot syslog because messages aren't getting from point A to point B.</FONT></P>
<P><FONT face=Verdana>So, you have followed the directions at: </FONT><A href="http://www.syslog.org/index.php?module=ContentExpress&amp;func=display&amp;ceid=12&amp;meid=14" target=_new><FONT face=Verdana>http://www.syslog.org/index.php?module=ContentExpress&amp;func=display&amp;ceid=12&amp;meid=14</FONT></A><FONT face=Verdana> and you're not seeing logs coming out of the central syslog server. What do you do now?</FONT></P>
<P><FONT face=Verdana>First, check the simple things. Make sure that the host you have defined as the loghost on the client is resolvable on the client. Try the IP address of the syslog server to double-check.</FONT></P>
<P><FONT face=Verdana>Next, check that syslogd is actually listening on the network. Use the sockstat or netstat utility to confirm that syslogd is bound to port 514:</FONT></P>
<PRE>
web1# sockstat |grep 514
root     syslogd    48589 6  udp6   *:514                 *:*
root     syslogd    981   4  udp4   63.175.100.41:514     *:*
</PRE>
<P><FONT face=Verdana>OR</FONT></P>
<PRE>
web1# netstat -an |grep 514
udp6       0      0  *.514                  *.*
udp4       0      0  63.175.100.41.514      *.*
</PRE>
<P><FONT face=Verdana>If it is not listening on the port, the resolution depends on your operating system. On Linux, you need to add the "-r" flag to /etc/sysconfig, as detailed in the previous tip.</FONT></P>
<P><FONT face=Verdana>On FreeBSD, you need to make sure that syslogd isn't started up with the -s -s option. "man syslogd" is your friend if you have a different version of UNIX. It should tell you how to start it up with a socket bound to port 514. If you run into trouble, post a message here: </FONT><A href="http://www.syslog.org/index.php?name=PNphpBB2&amp;file=posting&amp;mode=newtopic&amp;f=1" target=_new>http://www.syslog.org/index.php?name=PNphpBB2&amp;file=posting&amp;mode=newtopic&amp;f=1</A></P>
<P><FONT face=Verdana>If it is listening on port 514, you will need to verify that messages are actually being sent out from the client. On the client, run "tcpdump -X port 514". Then, do something that will cause a message to be generated. You can manually generate one with the logger command, but that is not a real test of whether syslogd is forwarding messages or not. If you do not see any traffic out of tcpdump, you will need to double-check your syslog.conf file to make sure that you have the definitions correct. I have found that some of the stock versions of syslogd won't let you do more than one thing with a particular facility/severity combination, so if it is already defined to go to a log file, with another line sending it to a remote host, try commenting out the line for the local log file, restarting syslogd and trying the test again.</FONT></P>
<P><FONT face=Verdana>If you do see log messages, run the same "tcpdump -X port 514" test on the syslog server. If you do not see traffic, there is most likely a firewall somewhere in the path between the systems that is causing the problem. If you do see traffic, check the definitions in syslog.conf to make sure you are capturing the correct facility/severity combination to the log file. If syslog.conf looks good, stop syslogd and start it up in debug mode. With syslogd in debug mode, trigger something on the client to send a syslog message. You should see some indication as to what is wrong. There are far too many possibilities and different versions of syslogd to cover here. If you are having trouble decoding the debug output, feel free to post a message here: </FONT><A href="http://www.syslog.org/index.php?name=PNphpBB2&amp;file=posting&amp;mode=newtopic&amp;f=1" target=_new><FONT face=Verdana>http://www.syslog.org/index.php?name=PNphpBB2&amp;file=posting&amp;mode=newtopic&amp;f=1</FONT></A></P>
<P>Syslog is really a very simple protocol, but there are 100001 versions of syslogd, so it sometimes takes a bit to make sure everything is matched up for the logs to be sent from one system to another.</P>
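The syslog.conf check in the last two steps, as an added example that is not part of the original tip: it decodes the PRI of a datagram like the ones you would see in the tcpdump capture and reports which lines of a syslog.conf would act on it, so you can tell whether the facility/severity combination you are sending is actually being captured or forwarded. The selector rules assumed are the standard BSD syslogd/sysklogd ones, and the sample message and configuration are constructed.

```python
# Added example, not code from the original tip: decode the PRI of a captured
# syslog datagram and list which syslog.conf lines would act on it, using BSD
# syslogd / sysklogd selector rules (later selectors override earlier ones).
import re
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(datagram):
    # PRI = facility * 8 + severity, sent as "<N>" at the very start of the message
    m = re.match(rb"<(\d{1,3})>", datagram)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid PRI field; not a BSD-syslog message")
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def line_captures(conf_line, facility, severity):
    # Returns the action (log file, @host, ...) if this conf line captures the message.
    parts = conf_line.split(None, 1)
    if conf_line.startswith("#") or len(parts) != 2:
        return None
    selectors, action = parts
    captured = False
    for sel in selectors.split(";"):
        facs, level = sel.rsplit(".", 1)   # e.g. "auth,authpriv" and "*"
        if facs != "*" and facility not in facs.split(","):
            continue                        # selector does not cover this facility
        if level == "none":
            captured = False
        elif level == "*":
            captured = True
        elif level.startswith("="):         # exactly this severity
            captured = severity == level[1:]
        else:                               # this severity and anything more severe
            captured = SEVERITIES.index(severity) <= SEVERITIES.index(level)
    return action if captured else None

def destinations(conf_text, datagram):
    facility, severity = decode_pri(datagram)
    hits = (line_captures(line, facility, severity) for line in conf_text.splitlines())
    return [action for action in hits if action]

# Constructed sample: <38> is auth.info; the conf mirrors a stock BSD/Linux layout.
SAMPLE_MSG = b"<38>Feb 13 21:04:00 web1 sshd[4242]: Accepted publickey for ops from 10.0.0.5"
SAMPLE_CONF = ("*.info;mail.none;authpriv.none\t/var/log/messages\n"
               "authpriv.*\t/var/log/secure\nmail.*\t/var/log/maillog\n"
               "auth,authpriv.*\t@loghost\n")
```

Feed it the hex-decoded payload from "tcpdump -X port 514" and your own syslog.conf; an empty result for a message you expected on the server means the selector, not the network, is what needs fixing.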