From: Doug Hardie
Date: Sat, 14 Apr 2007 00:09:01 -0700
To: freebsd-questions
Subject: Re: Syslog not logging remote host
In-Reply-To: <6.2.1.2.0.20070414013537.03c00920@imap.telissant.com>
References: <20070413204810.7f79d9fe.wmoran@potentialtech.com> <6.2.1.2.0.20070414013537.03c00920@imap.telissant.com>

On Apr 13, 2007, at 22:44, web@3dresearch.com wrote:

> At 08:48 PM 4/13/2007, you wrote:
>> "Janos Dohanics" wrote:
>> >
>> > I'm trying to capture logs from m0n0wall, but the log file is empty.
>> >
>> > Here is my configuration:
>> >
>> > On the logging machine, in /etc/rc.conf:
>> >
>> > syslogd_flags="-a 10.61.70.1"
>> >
>> > In /etc/syslog.conf:
>> >
>> > +10.61.70.1
>> > *.* /var/log/m0n0wall.log
>> >
>> > /var/log/m0n0wall.log exists and is writable:
>> >
>> > -rw-rw-r-- 1 root network 0 Apr 13 00:32 /var/log/m0n0wall.log
>> >
>> > The m0n0wall is configured to send logs to 10.61.70.100, which is the
>> > logging machine.
>> >
>> > What am I missing?
>>
>> Start with tcpdump on the receiving machine:
>> tcpdump 'port 514'
>> to see if you're even receiving messages from the m0n0wall machine.
>>
>> If not, then double-check your config on the m0n0wall machine. If so,
>> check the receiving machine.
>
> Bill,
>
> looks like 10.61.70.100 is receiving packets:
>
> 00:58:07.203800 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 126
> 00:58:33.295297 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 44
> 00:58:33.340779 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 49
> 00:59:21.436782 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 55
> 00:59:21.438125 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 71
> 00:59:21.439305 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 99
> 00:59:21.440458 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 92
>
>> Did you restart syslogd on both systems after making config changes?
>
> I have...
>
> Janos

You might try running ktrace on the syslogd process while log messages are being sent. If you see syslogd receive the messages but not write them to a file, then there is an issue with the syslog.conf settings. It could also be logging somewhere you are not expecting. If you don't see syslogd receiving the messages, then there is something blocking it or syslogd is just not listening to that host/port.
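As an added illustration (not code from the thread), a small Python model of how a syslog.conf `+host` block selects the rules applied to a remote message, run over the configuration quoted above. It assumes the rule that a `+host` block applies only when the name syslogd recorded for the sender compares equal to the block's host; the tcpdump output shows the sender being reported as gww.floco.com, so the model shows what happens when the recorded name and the address in the block differ.

```python
import re

# Constructed syslog.conf fragment: a global rule plus the thread's host block.
SAMPLE_CONF = """
*.notice;kern.debug        /var/log/messages
+10.61.70.1
*.*                        /var/log/m0n0wall.log
"""

# Priority names in ascending order of severity (syslog(3)).
PRIORITIES = ["debug", "info", "notice", "warning", "err",
              "crit", "alert", "emerg"]


def parse_conf(text):
    """Return a list of (host_spec, selector, action) rules.

    host_spec is None for the initial global block, otherwise the host named
    on the '+host' line that opened the current block ('-host' blocks and
    'none' / '!' selector forms are not modelled here).
    """
    rules, host_spec = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line[0] == "+":
            host_spec = line[1:].strip()      # a '+host' line opens a host block
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        rules.append((host_spec, selector, action))
    return rules


def selector_matches(selector, facility, priority):
    """Evaluate a selector such as '*.notice;kern.debug' for one message."""
    for part in selector.split(";"):
        facs, level = part.rsplit(".", 1)
        if "*" not in facs.split(",") and facility not in facs.split(","):
            continue
        if level == "*" or PRIORITIES.index(priority) >= PRIORITIES.index(level):
            return True
    return False


def matching_actions(conf_text, sender_name, facility, priority):
    """Actions that fire for a message whose recorded sender is sender_name.

    Assumption (editor's model): a '+host' block is applied only when the
    recorded sender name equals the block's host, compared case-insensitively.
    """
    actions = []
    for host_spec, selector, action in parse_conf(conf_text):
        if host_spec is not None and host_spec.lower() != sender_name.lower():
            continue
        if selector_matches(selector, facility, priority):
            actions.append(action)
    return actions
```

A sender recorded as 10.61.70.1 reaches /var/log/m0n0wall.log, while the same message recorded under a resolved name reaches only the global rules, which is one way the file in the thread stays empty while tcpdump shows traffic.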