From owner-freebsd-questions@FreeBSD.ORG Sat Apr 14 05:44:18 2007
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id D17E916A404
	for ; Sat, 14 Apr 2007 05:44:18 +0000 (UTC)
	(envelope-from web@3dresearch.com)
Received: from smtp.3dresearch.com (dorabella.3dresearch.com [66.167.251.2])
	by mx1.freebsd.org (Postfix) with ESMTP id A989413C458
	for ; Sat, 14 Apr 2007 05:44:18 +0000 (UTC)
	(envelope-from web@3dresearch.com)
Received: from doncurzio.3dresearch.com (27.mars6.xdsl.nauticom.net [209.195.153.252])
	by vmail.3dresearch.com (Postfix) with ESMTP id DFDCE8568E;
	Sat, 14 Apr 2007 01:44:17 -0400 (EDT)
Message-Id: <6.2.1.2.0.20070414013537.03c00920@imap.telissant.com>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.1.2
Date: Sat, 14 Apr 2007 01:44:36 -0400
To: Bill Moran
From: web@3dresearch.com
In-Reply-To: <20070413204810.7f79d9fe.wmoran@potentialtech.com>
References: <20070413204810.7f79d9fe.wmoran@potentialtech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Cc: freebsd-questions@freebsd.org
Subject: Re: Syslog not logging remote host
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 14 Apr 2007 05:44:18 -0000

At 08:48 PM 4/13/2007, you wrote:
>"Janos Dohanics" wrote:
> >
> > I'm trying to capture logs from m0n0wall, but the log file is empty.
> >
> > Here is my configuration:
> >
> > On the logging machine, in /etc/rc.conf:
> >
> > syslogd_flags="-a 10.61.70.1"
> >
> > In /etc/syslog.conf:
> >
> > +10.61.70.1
> > *.* /var/log/m0n0wall.log
> >
> > /var/log/m0n0wall.log exists and is writable:
> >
> > -rw-rw-r-- 1 root network 0 Apr 13 00:32 /var/log/m0n0wall.log
> >
> > The m0n0wall is configured to send logs to 10.61.70.100, which is the
> > logging machine.
> >
> > What am I missing?
>
>Start with tcpdump on the receiving machine:
>tcpdump 'port 514'
>to see if you're even receiving messages from the monowall machine.
>
>If not, then double-check your config on the monowall machine. If so,
>check the receiving machine.

Bill, looks like 10.61.70.100 is receiving packets:

00:58:07.203800 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 126
00:58:33.295297 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 44
00:58:33.340779 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 49
00:59:21.436782 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 55
00:59:21.438125 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 71
00:59:21.439305 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 99
00:59:21.440458 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 92

>Did you restart syslogd on both systems after making config changes?

I have...

Janos

--
Janos Dohanics