From: Peter Boosten
To: Len Conrad
Cc: "freebsd-questions@freebsd.org"
Date: Sat, 12 Mar 2011 22:52:23 +0100
Subject: Re:
 syslog-ng logging stopped

That probably means that it's not syslog-ng causing the problems. Maybe some firewall rule?

Peter

--
HTTP://www.boosten.org

On 12 Mar 2011, at 22:40, Len Conrad wrote:

>
>
>> ---------- Original Message ----------------------------------
>> From: Iñigo Ortiz de Urbina
>> Date: Fri, 11 Mar 2011 23:12:49 +0100
>>
>>> What's in dmesg and /var/log/? You shared extensive and excellent
>>> troubleshooting info but didn't spot any of these.
>>>
>>> Keep us updated, I'm sure I'm not the only one puzzled :)
>>>
>>> On 3/11/11, Len Conrad wrote:
>>>> uname -a
>>>> FreeBSD 7.0-RELEASE
>>>>
>>>> syslog-ng --version
>>>> syslog-ng 2.0.10
>>>>
>>>> change date on syslog-ng.conf is "Apr 20 2009"
>>>>
>>>> syslog-ng has been running untouched for that long. Millions of lines/per day
>>>> log from 10 source machines.
>>>>
>>>> about 00:20 today Friday, all syslogging to syslog-ng stopped.
>>>>
>>>> sockstat -4 shows udp/tcp 514 listening
>>>>
>>>> chkrootkit shows nothing wrong
>>>>
>>>> stop syslog-ng
>>>>
>>>> then pkg_delete, and then
>>>>
>>>> cd /usr/ports/sysutils/syslog-ng2
>>>>
>>>> make && make install
>>>>
>>>> start it,
>>>>
>>>> no change
>>>>
>>>> I rebooted the syslog server. no change
>>>>
>>>> trafshow -i bce0 -n
>>>>
>>>> then filter 514
>>>>
>>>> ... shows 100KBs arriving from our syslog clients.
>>>>
>>>> tshark capture "port 514" on syslog-ng box shows plenty of traffic arriving
>>>> with untouched pf rules active,
>>>>
>>>> pfctl -d no change so pfctl -e
>>>>
>>>> df shows plenty of disk space for /var
>>>>
>>>> suggestions?
>>>>
>>>> Len
>>>>
>>>>
>>>> _______________________________________________
>>>> freebsd-questions@freebsd.org mailing list
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>>>
>>>
>>>
>>> --
>>> Iñigo Ortiz de Urbina Cazenave
>>> http://www.twitter.com/ioc32
>>
>> =============
>>
>> dmesg -a | less showed nothing
>>
>> /var/log/console.log showed nothing
>>
>> /var/log/messages showed nothing
>
> btw, I later replaced syslog-ng with syslogd, listening UDP:514. no lines in messages, maillog.
>
> Len
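
An added diagnostic sketch, not part of the thread or of any poster's message: with the syslog daemon stopped, a bare UDP listener on the collector port shows whether client datagrams reach a userland socket at all, which separates a daemon problem from a delivery problem. The function names and the sample message are constructed for illustration; binding port 514 is assumed to require root.

```python
import socket

def parse_pri(datagram: bytes):
    """Return (facility, severity) from a leading <PRI>, or None if malformed."""
    end = datagram.find(b">", 1, 5)          # PRI is 1-3 digits, so '>' sits at index 2..4
    if not datagram.startswith(b"<") or end == -1:
        return None
    digits = datagram[1:end]
    if not digits.isdigit() or int(digits) > 191:   # highest PRI: facility 23, severity 7
        return None
    return divmod(int(digits), 8)

def open_listener(addr="0.0.0.0", port=514):
    """Bind the collector port; stop syslog-ng/syslogd first so the port is free."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((addr, port))
    return sock

def receive_one(sock, timeout=5.0):
    """Wait for one datagram; None means nothing reached this socket in time."""
    sock.settimeout(timeout)
    try:
        data, peer = sock.recvfrom(8192)
    except socket.timeout:
        return None
    return {"peer": peer[0], "pri": parse_pri(data), "bytes": len(data)}

def loopback_self_test():
    """Send one constructed RFC 3164-style line to an ephemeral loopback port."""
    rx = open_listener("127.0.0.1", 0)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Constructed sample: PRI 22 = facility 2 (mail), severity 6 (info).
        sample = b"<22>Mar 12 22:40:00 client1 postfix/smtpd[1234]: constructed sample"
        tx.sendto(sample, rx.getsockname())
        return receive_one(rx, timeout=2.0)
    finally:
        tx.close()
        rx.close()

if __name__ == "__main__":
    print("self-test:", loopback_self_test())
    with open_listener() as sock:          # real check against live client traffic
        hit = receive_one(sock)
    print("delivered to socket:" if hit else "nothing delivered to socket:", hit)
```

If the listener receives datagrams while the daemon logs nothing, the daemon's configuration or filters are the place to look. If it receives nothing while a capture still shows traffic, the loss is between the capture point and the socket (packet filter rules, destination address or port mismatch, socket buffer drops).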