Date:      Fri, 28 Oct 2011 21:16:28 -0700
From:      Kevin Oberman <kob6558@gmail.com>
To:        Larry Rosenman <ler@lerctr.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: syslogd: Remote Logging busted?
Message-ID:  <CAN6yY1vZQ2Gbq1e=brjFoic9h2Fbsu4KN5+_j0+9FuvAHNR3kA@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.00.1110282234550.70536@borg>
References:  <0dcf638e123d2161d0e9d3c77386a8e7.squirrel@webmail.lerctr.org> <CAN6yY1sKd_hZ3baTfcjUjBm-RmSuxUJQ2XOWT9HACwcXu+8xBg@mail.gmail.com> <alpine.BSF.2.00.1110282234550.70536@borg>

On Fri, Oct 28, 2011 at 8:37 PM, Larry Rosenman <ler@lerctr.org> wrote:
> On Fri, 28 Oct 2011, Kevin Oberman wrote:
>
>> On Fri, Oct 28, 2011 at 7:22 PM, Larry Rosenman <ler@lerctr.org> wrote:
>>>
>>> I enabled remote logging for my home subnet, and syslogd doesn't seem(!)
>>> to be logging the messages.
>>>
>>> They ARE making it to the system.
>>>
>>> Can someone look at bin/162135 which has all the details, including
>>> tcpdump to show that the messages are making it to the system.
>>
>> Just to be clear, you are running tcpdump on borg, right? The
>> statement "This is from my Cable Modem:" confuses me a bit.
>
> Yes, the tcpdump is running on borg, and the source of the syslog packets
> is from my Cable Modem at 192.168.200.10.
>
> /etc/hosts.allow:
[Comments elided]
> ALL : PARANOID : RFC931 20 : deny
> ALL : localhost 127.0.0.1 : allow
> ALL : [::1] : allow
> exim : localhost : allow
> exim : ALL : allow
> rpcbind : ALL : deny
> ypserv : localhost : allow
> ypserv : ALL : deny
> ftpd : localhost : allow
> ftpd : ALL : allow
> fingerd : ALL \
>         : spawn (echo Finger. | \
>          /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
>         : deny

Several superfluous rules, but I can't see anything that would block 514.

>>
>> Assuming tcpdump is on borg, it is making past any firewall (pf or
>> ipfw, at least). What about /etc/hosts.allow? I don't recall if it
>> filters before or after pcap see packets. I used to have a diagram
>> showing the sequence of processing this, but I can't seem to find it
>> now.
>>
>> What does "netstat -af inet | grep syslog" show? Is syslogd actually
>> listening?
>
>
> the netstat output: udp4       0      0 *.syslog               *.*
>
> and sockstat | grep syslog: root     syslogd    65128 4  dgram  /var/run/log
> root     syslogd    65128 5  dgram  /var/run/logpriv
> root     syslogd    65128 6  udp6   *:514                 *:*
> root     syslogd    65128 7  udp4   *:514                 *:*

OK. I'm baffled! I can't see anything that looks wrong, but I'll think
about it a bit more.
-- 
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
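The two checks Kevin asks for in this message, the syslogd listening socket and the hosts.allow rules, as an added example that is not part of the thread. The script replays both against constructed text (copies of the shape of the sockstat and hosts.allow output Larry posted, embedded inline) so it runs offline; the function names are my own. Whether syslogd consults hosts.allow at all is not settled in the thread, so the rule filter only answers which rules could act on a daemon of that name if it does.

```shell
#!/bin/sh
# Added example (not from the thread): replays the two checks Kevin asks for,
# the syslogd listening socket and the hosts.allow rules, against constructed
# text so it runs offline. The sample strings copy the shape of what Larry
# posted; they are embedded here, not read from the live system.

SAMPLE_SOCKSTAT='root     syslogd    65128 4  dgram  /var/run/log
root     syslogd    65128 5  dgram  /var/run/logpriv
root     syslogd    65128 6  udp6   *:514                 *:*
root     syslogd    65128 7  udp4   *:514                 *:*'

SAMPLE_HOSTS_ALLOW='ALL : PARANOID : RFC931 20 : deny
ALL : localhost 127.0.0.1 : allow
exim : ALL : allow
rpcbind : ALL : deny
fingerd : ALL \
        : spawn (echo Finger. | \
         /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
        : deny'

# syslogd_udp_listener FAMILY SOCKSTAT_TEXT
# Prints the local address syslogd has bound on port 514 for FAMILY
# (udp4 or udp6); exit status 1 when no such socket exists.
syslogd_udp_listener() {
    printf '%s\n' "$2" | awk -v fam="$1" '
        $2 == "syslogd" && $5 == fam && $6 ~ /:514$/ { print $6; found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# rules_for_daemon NAME HOSTS_ALLOW_TEXT
# Joins backslash-continued lines into one rule each, then prints the rules
# whose daemon list contains NAME or ALL. hosts.allow matches on the daemon
# name, not the port, so these are the only rules that could ever act on
# NAME, assuming the daemon consults hosts.allow at all (the thread does not
# settle whether syslogd does).
rules_for_daemon() {
    printf '%s\n' "$2" | awk -v d="$1" '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        {
            rule = buf $0; buf = ""
            split(rule, f, ":")
            gsub(/^[ \t]+|[ \t]+$/, "", f[1])
            m = split(f[1], names, /[ \t,]+/)
            for (i = 1; i <= m; i++)
                if (names[i] == d || names[i] == "ALL") { print rule; break }
        }'
}

# check_remote_logging SOCKSTAT_TEXT HOSTS_ALLOW_TEXT
# One-shot summary of both checks for a remote sender on IPv4.
check_remote_logging() {
    if addr=$(syslogd_udp_listener udp4 "$1"); then
        echo "syslogd listens on $addr (udp4); packets tcpdump shows do reach a socket"
    else
        echo "syslogd has no udp4 socket on 514; remote messages cannot be received"
        return 1
    fi
    echo "hosts.allow rules that could apply to syslogd:"
    rules_for_daemon syslogd "$2"
}

# On the machine under test the same functions take live output:
#   check_remote_logging "$(sockstat -l | grep syslogd)" "$(cat /etc/hosts.allow)"
```

Against the constructed sample this reports the udp4 socket bound on *:514 and lists only the two ALL rules (PARANOID and localhost) as candidates for syslogd, which matches Kevin's reading that nothing in the file singles out port 514; the fingerd rule, once its continuation lines are joined, applies to fingerd only.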


