Date: Fri, 28 Oct 2011 21:16:28 -0700 From: Kevin Oberman <kob6558@gmail.com> To: Larry Rosenman <ler@lerctr.org> Cc: freebsd-current@freebsd.org Subject: Re: syslogd: Remote Logging busted? Message-ID: <CAN6yY1vZQ2Gbq1e=brjFoic9h2Fbsu4KN5%2B_j0%2B9FuvAHNR3kA@mail.gmail.com> In-Reply-To: <alpine.BSF.2.00.1110282234550.70536@borg> References: <0dcf638e123d2161d0e9d3c77386a8e7.squirrel@webmail.lerctr.org> <CAN6yY1sKd_hZ3baTfcjUjBm-RmSuxUJQ2XOWT9HACwcXu%2B8xBg@mail.gmail.com> <alpine.BSF.2.00.1110282234550.70536@borg>
On Fri, Oct 28, 2011 at 8:37 PM, Larry Rosenman <ler@lerctr.org> wrote:
> On Fri, 28 Oct 2011, Kevin Oberman wrote:
>
>> On Fri, Oct 28, 2011 at 7:22 PM, Larry Rosenman <ler@lerctr.org> wrote:
>>>
>>> I enabled remote logging for my home subnet, and syslogd doesn't seem(!)
>>> to be logging the messages.
>>>
>>> They ARE making it to the system.
>>>
>>> Can someone look at bin/162135 which has all the details, including
>>> tcpdump to show that the messages are making it to the system.
>>
>> Just to be clear, you are running tcpdump on borg, right? The
>> statement "This is from my Cable Modem:" confuses me a bit.
>
> Yes, the tcpdump is running on borg, and the source of the syslog packets
> is from my Cable Modem at 192.168.200.10.
>
> /etc/hosts.allow: [Comments elided]
> ALL : PARANOID : RFC931 20 : deny
> ALL : localhost 127.0.0.1 : allow
> ALL : [::1] : allow
> exim : localhost : allow
> exim : ALL : allow
> rpcbind : ALL : deny
> ypserv : localhost : allow
> ypserv : ALL : deny
> ftpd : localhost : allow
> ftpd : ALL : allow
> fingerd : ALL \
>     : spawn (echo Finger. | \
>     /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
>     : deny

Several superfluous rules, but I can't see anything that would block 514.

>> Assuming tcpdump is on borg, it is making it past any firewall (pf or
>> ipfw, at least). What about /etc/hosts.allow? I don't recall if it
>> filters before or after pcap sees packets. I used to have a diagram
>> showing the sequence of processing this, but I can't seem to find it
>> now.
>>
>> What does "netstat -af inet | grep syslog" show? Is syslogd actually
>> listening?
>
> the netstat output:
> udp4       0      0 *.syslog               *.*
>
> and sockstat | grep syslog:
> root     syslogd    65128 4  dgram  /var/run/log
> root     syslogd    65128 5  dgram  /var/run/logpriv
> root     syslogd    65128 6  udp6   *:514                 *:*
> root     syslogd    65128 7  udp4   *:514                 *:*

OK. I'm baffled! I can't see anything that looks wrong, but I'll think
about it a bit more.
--
R. Kevin Oberman, Network Engineer
E-mail: kob6558@gmail.com
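A worked check of the hosts.allow quoted in the thread, added here as an example; it is not part of the thread and not the tcp_wrappers code. It implements the first-match evaluation that hosts_access(5) describes for the subset of syntax the quoted file uses (ALL, PARANOID, localhost, literal IPv4 and IPv6 addresses, backslash continuation lines, and the extended-syntax allow/deny options). It does no DNS: the caller supplies the client's reverse name and whether forward/reverse lookup disagreed, and the EXCEPT operator and netmask patterns are not modelled. The client address 192.168.200.10 and the daemon name syslogd come from the thread; the other test clients are constructed.

```python
"""First-match evaluator for a tcp_wrappers style hosts.allow (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The /etc/hosts.allow quoted in the thread (comments elided by the poster).
HOSTS_ALLOW = r"""
ALL : PARANOID : RFC931 20 : deny
ALL : localhost 127.0.0.1 : allow
ALL : [::1] : allow
exim : localhost : allow
exim : ALL : allow
rpcbind : ALL : deny
ypserv : localhost : allow
ypserv : ALL : deny
ftpd : localhost : allow
ftpd : ALL : allow
fingerd : ALL \
    : spawn (echo Finger. | \
    /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
    : deny
"""


@dataclass
class Client:
    addr: str                   # source address as the daemon sees it
    name: Optional[str] = None  # reverse-DNS name, None when unknown
    paranoid: bool = False      # True when forward and reverse DNS disagree


def _split_fields(line: str) -> List[str]:
    """Split one rule on ':' while honouring '\\:' escapes and [ipv6] brackets."""
    fields, buf, depth, i = [], "", 0, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf += line[i + 1]          # escaped character is kept literally
            i += 2
            continue
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append(buf.strip())
            buf = ""
        else:
            buf += ch
        i += 1
    fields.append(buf.strip())
    return fields


Rule = Tuple[List[str], List[str], List[str]]  # (daemons, clients, options)


def parse_rules(text: str) -> List[Rule]:
    """Join backslash continuations, drop comments, split each rule into fields."""
    rules, logical = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "  # continuation: keep collecting
            continue
        logical += line
        if logical.strip():
            fields = _split_fields(logical)
            if len(fields) >= 2:
                rules.append((fields[0].split(), fields[1].split(), fields[2:]))
        logical = ""
    return rules


def _client_matches(pattern: str, c: Client) -> bool:
    """Subset of hosts_access(5) client patterns; no DNS is performed here."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return c.paranoid
    if pattern == "KNOWN":
        return c.name is not None
    if pattern == "UNKNOWN":
        return c.name is None
    if pattern == "LOCAL":
        return c.name is not None and "." not in c.name
    if pattern.startswith("[") and pattern.endswith("]"):
        return pattern[1:-1].lower() == c.addr.lower()  # IPv6 literal
    if pattern == c.addr:
        return True                                      # IPv4 literal
    return c.name is not None and pattern.lower() == c.name.lower()


def evaluate(rules: List[Rule], daemon: str, client: Client) -> Tuple[str, Optional[int]]:
    """Return (verdict, 1-based rule number). First matching rule decides; its
    trailing allow/deny option is the verdict, a plain match in hosts.allow
    grants access, and no match at all means access is granted."""
    for idx, (daemons, clients, options) in enumerate(rules, start=1):
        if not any(d in ("ALL", daemon) for d in daemons):
            continue
        if not any(_client_matches(p, client) for p in clients):
            continue
        verdict = "allow"
        for opt in options:
            if opt in ("allow", "deny"):
                verdict = opt
        return verdict, idx
    return "allow", None


if __name__ == "__main__":
    rules = parse_rules(HOSTS_ALLOW)
    modem = Client("192.168.200.10")  # the cable modem from the thread, no PTR
    print("syslogd from 192.168.200.10:", evaluate(rules, "syslogd", modem))
    print("fingerd from 192.168.200.10:", evaluate(rules, "fingerd", modem))
```

Run as a script it reports that no rule touches syslogd from 192.168.200.10, so the file's default verdict is allow, which is the same conclusion Kevin reaches by eye. It also shows why some of the lines are superfluous: a connection from localhost is already granted by the second rule before the per-daemon localhost lines are ever reached. Whether syslogd consults hosts.allow at all is a separate question that the thread leaves open.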
