Date:      Sat, 14 Apr 2007 00:09:01 -0700
From:      Doug Hardie <bc979@lafn.org>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: Syslog not logging remote host
Message-ID:  <EB3D70B0-D77D-472C-BD9A-EBC236CBFB1A@lafn.org>
In-Reply-To: <6.2.1.2.0.20070414013537.03c00920@imap.telissant.com>
References:  <f3FBuLwP.1176475224.6331340.janos@imap.3dresearch.com> <20070413204810.7f79d9fe.wmoran@potentialtech.com> <6.2.1.2.0.20070414013537.03c00920@imap.telissant.com>


On Apr 13, 2007, at 22:44, web@3dresearch.com wrote:

> At 08:48 PM 4/13/2007, you wrote:
>> "Janos Dohanics" <web@3dresearch.com> wrote:
>> >
>> > I'm trying capture logs from m0n0wall, but the log file is empty.
>> >
>> > Here is my configuration:
>> >
>> > On the logging machine, in /etc/rc.conf:
>> >
>> > syslogd_flags="-a 10.61.70.1"
>> >
>> > In /etc/syslog.conf:
>> >
>> > +10.61.70.1
>> > *.*                                             /var/log/m0n0wall.log
>> >
>> > /var/log/m0n0wall.log exists and writable:
>> >
>> > -rw-rw-r--  1 root  network  0 Apr 13 00:32 /var/log/m0n0wall.log
>> >
>> > The m0n0wall is configured to send logs to 10.61.70.100, which is the
>> > logging machine.
>> >
>> > What am I missing?
>>
>> Start with tcpdump on the receiving machine:
>> tcpdump 'port 514'
>> to see if you're even receiving messages from the monowall machine.
>>
>> If not, then double-check your config on the monowall machine.  If so,
>> check the receiving machine.
>
> Bill,
>
> looks like 10.61.70.100 is receiving packets:
>
> 00:58:07.203800 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 126
> 00:58:33.295297 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 44
> 00:58:33.340779 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 49
> 00:59:21.436782 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 55
> 00:59:21.438125 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 71
> 00:59:21.439305 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 99
> 00:59:21.440458 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 92
>
>> Did you restart syslogd on both systems after making config changes?
>
> I have...
>
> Janos

You might try running ktrace on the syslogd process while log messages are
being sent.  If you see syslogd receiving the messages but not writing to a
file, then there is an issue with the syslog.conf settings.  It could also be
logging somewhere you are not expecting.  If you don't see syslogd receiving
the messages then there is something blocking it or syslogd is just not
listening to that host/port.
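As an added example (not from the thread or from FreeBSD's syslogd): a minimal stand-alone UDP syslog receiver in Python that applies a source-address allow list like syslogd's -a, decodes the RFC 3164 <PRI> field, and appends each accepted message to a file, so you can confirm independently of syslogd that the datagrams tcpdump shows are well-formed syslog messages from the allowed sender. The address 10.61.70.1 and the path /var/log/m0n0wall.log come from the thread; the allow check is a simplified exact-address match, not syslogd's hostname/CIDR matching, and the sample datagram in the test is constructed.

```python
import socket

# Severity and facility names per the RFC 3164 code tables; facilities
# 12-15 have no standard name and are shown by number.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})


def parse_pri(datagram):
    """Split an RFC 3164 datagram into (facility, severity, message).
    A datagram without a valid <PRI> prefix is treated as user.notice,
    the default syslogd applies to a missing priority."""
    text = datagram.decode("utf-8", errors="replace")
    if text.startswith("<"):
        end = text.find(">", 1, 5)
        if end != -1 and text[1:end].isdigit():
            pri = int(text[1:end])
            if pri <= 191:
                fac = FACILITIES.get(pri >> 3, f"facility{pri >> 3}")
                return fac, SEVERITIES[pri & 7], text[end + 1:]
    return "user", "notice", text


def handle(datagram, src_ip, allow):
    """Return the line that would be logged, or None when the sender is
    not on the allow list (the analogue of syslogd's -a restriction)."""
    if src_ip not in allow:
        return None
    facility, severity, msg = parse_pri(datagram)
    return f"{src_ip} {facility}.{severity} {msg.strip()}"


def serve(allow, path, port=514):
    """Bind UDP/514 (needs root) and append every accepted line to path."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    with open(path, "a") as out:
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            line = handle(data, ip, allow)
            if line is not None:
                out.write(line + "\n")
                out.flush()


if __name__ == "__main__":
    serve({"10.61.70.1"}, "/var/log/m0n0wall.log")
```

Stop the real syslogd first, since both cannot bind UDP/514; if lines appear here but not in syslogd's file, the problem is in syslog.conf or the -a flag rather than on the network.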




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?EB3D70B0-D77D-472C-BD9A-EBC236CBFB1A>