From: "William A. Mahaffey III"
Date: Thu, 30 Apr 2015 22:22:59 -0453
To: "freebsd-questions@freebsd.org"
Subject: Re: minor syslog issue
Message-ID: <5542F01C.6010206@hiwaay.net>

On 04/30/15 22:08, John Howie wrote:
> Hi William,
>
> Why not just "/etc/rc.d/syslogd restart"?
>
> Regards,
>
> John
>
>
> On 4/30/15, 7:45 PM, "William A. Mahaffey III" wrote:
>
>> On 04/30/15 18:42, William A. Mahaffey III wrote:
>>> On 04/30/15 09:02, Matthew Seaman wrote:
>>>> On 04/30/15 14:28, William A. Mahaffey III wrote:
>>>>> 08:23:28.496828 IP RPiB+.59735 > kabini1.local.syslog: SYSLOG
>>>>> syslog.error, length: 59
>>>>> 08:23:28.497229 IP RPiB+.59735 > kabini1.local.syslog: SYSLOG
>>>>> syslog.error, length: 59
>>>> This is the only relevant bit out of your tcpdump output -- it usually
>>>> helps if you filter out as much of the irrelevant stuff that you
>>>> can[*].
>>>>
>>>> Anyhow, as you can see, your RPiB+ is logging *from* an arbitrary
>>>> high-numbered port. This time it happens to be using 59735 but that
>>>> would probably change with each restart of syslogd. Basically use the
>>>> '-a 192.168.0.0/16:*' form in this case.
>>>>
>>>> Cheers,
>>>>
>>>> Matthew
>>>>
>>>> [*] ie. 'tcpdump port syslog' should work as the packets are being sent
>>>> to the syslog port on your server.
>>>>
>>> An update here, I kicked off the above command on both the RPi &
>>> kabini1. It took a while, but the RPi did its daily 'syslogd restart':
>>>
>>>
>>> Apr 27 22:00:01 rpi syslogd[603]: restart
>>> Apr 28 08:00:00 rpi syslogd[603]: restart
>>> Apr 28 22:00:00 rpi syslogd[603]: restart
>>> Apr 29 14:54:44 rpi syslogd[603]: Exiting on signal 15
>>> Apr 29 10:01:01 rpi syslogd[25366]: restart
>>> Apr 29 17:06:15 rpi syslogd[25366]: restart
>>> Apr 30 07:28:32 rpi syslogd[25366]: Exiting on signal 15
>>> Apr 30 07:28:34 rpi syslogd[27124]: restart
>>> Apr 30 08:20:34 rpi syslogd[27124]: Exiting on signal 15
>>> Apr 30 08:20:34 rpi syslogd[27124]: Exiting on signal 15
>>> Apr 30 08:20:37 rpi syslogd[2779]: restart
>>> Apr 30 08:23:43 rpi syslogd[2779]: Exiting on signal 15
>>> Apr 30 08:23:43 rpi syslogd[2779]: Exiting on signal 15
>>> Apr 30 08:23:45 rpi syslogd[14885]: restart
>>> Apr 30 08:41:03 rpi syslogd[14885]: Exiting on signal 15
>>> Apr 30 08:41:03 rpi syslogd[14885]: Exiting on signal 15
>>> Apr 30 08:41:05 rpi syslogd[27342]: restart
>>> Apr 30 09:25:16 rpi syslogd[27342]: Exiting on signal 15
>>> Apr 30 09:25:16 rpi syslogd[27342]: Exiting on signal 15
>>> Apr 30 09:25:18 rpi syslogd[11087]: restart
>>> Apr 30 09:26:03 rpi timed[6547]: This machine is master
>>> Apr 30 17:06:15 rpi syslogd[11087]: restart
>>> Thu Apr 30 18:32:45 MCDT 2015
>>> rpi #
>>>
>>>
>>> & I got packets both from the RPi & to kabini1, but nothing in
>>> kabini1's logfile:
>>>
>>> rpi # tcpdump port syslog
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>>> decode
>>> listening on usmsc0, link-type EN10MB (Ethernet), capture size 65535
>>> bytes
>>> 17:06:00.980239 IP 192.168.0.1.59623 > 192.168.0.27.syslog: SYSLOG
>>> syslog.info, length: 47
>>>
>>> [root@kabini1, /etc, 9:26:24am] 503 % tcpdump port syslog
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>>> decode
>>> listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>> 17:07:00.976242 IP RPiB+.59623 > kabini1.local.syslog: SYSLOG
>>> syslog.info, length: 47
>>>
>>> [root@kabini1, /etc, 6:31:31pm] 364 % tail -15 /var/log/messages ;
>>> hwclock -r ; date
>>> Apr 28 09:30:12 kabini1 kernel: Limiting closed port RST response from
>>> 276 to 200 packets/sec
>>> Apr 28 09:30:13 kabini1 kernel: Limiting closed port RST response from
>>> 239 to 200 packets/sec
>>> Apr 28 09:30:14 kabini1 kernel: Limiting closed port RST response from
>>> 280 to 200 packets/sec
>>> Apr 28 09:30:16 kabini1 kernel: Limiting closed port RST response from
>>> 319 to 200 packets/sec
>>> Apr 30 08:13:49 kabini1 syslogd: exiting on signal 15
>>> Apr 30 08:13:49 kabini1 syslogd: kernel boot file is /boot/kernel/kernel
>>> Apr 30 08:16:36 kabini1 kernel: re0: promiscuous mode enabled
>>> Apr 30 08:17:53 kabini1 kernel: re0: promiscuous mode disabled
>>> Apr 30 08:33:43 kabini1 kernel: re0: promiscuous mode enabled
>>> Apr 30 08:41:19 kabini1 kernel: re0: promiscuous mode disabled
>>> Apr 30 08:52:53 kabini1 kernel: re0: promiscuous mode enabled
>>> Apr 30 09:07:57 kabini1 kernel: re0: promiscuous mode disabled
>>> Apr 30 09:18:45 kabini1 syslogd: exiting on signal 15
>>> Apr 30 09:18:45 kabini1 syslogd: kernel boot file is /boot/kernel/kernel
>>> Apr 30 09:20:47 kabini1 kernel: re0: promiscuous mode enabled
>>> hwclock: Command not found.
>>> Thu Apr 30 18:39:25 MCDT 2015
>>> [root@kabini1, /etc, 6:39:25pm] 365 %
>>>
>>> syslogd on kabini1 should be accepting traffic from all ports:
>>>
>>> [root@kabini1, /etc, 6:40:19pm] 366 % ps -ax | grep syslog
>>> 783 ?? Is 0:39.07 /usr/sbin/amd -p -a /.amd_mnt -l syslog
>>> /host /etc/amd.map /net /etc/amd.map
>>> 73506 ?? Is 0:00.10 /usr/sbin/syslogd -a 192.168.0.0/16:* -C -T
>>> 8622 4 S+ 0:00.00 grep syslog
>>> 73648 7 S+ 0:00.93 tcpdump port
>>>
>>> i.e. looks like the traffic is there, but syslogd isn't recording it
>>> (?) .... Any clues appreciated.
>>>
>> *Aaaaaaaaaaaaack* !!!! Looks like ipfw was catching it, I had changed my
>> rules to allow *some* udp traffic a few days ago, but didn't open it up
>> enough. Just changed that & we'll see either later today or tomorrow at
>> the next 'syslogd restart' .... Sorry for the noise :-/ ....
>>
>> --
>>
>> William A. Mahaffey III
>>
>> ----------------------------------------------------------------------
>>
>> "The M1 Garand is without doubt the finest implement of war
>> ever devised by man."
>> -- Gen. George S. Patton Jr.
>>
>

I did that some, wasn't sure if my manual restart might be operating
differently than its internal restart (you can see several random
restarts logged, those were me) .... No problema, I can be patient ....

--

William A. Mahaffey III

----------------------------------------------------------------------

"The M1 Garand is without doubt the finest implement of war
ever devised by man."
-- Gen. George S. Patton Jr.
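
Added example, not part of the original thread and not FreeBSD's code: a simplified Python model of the syslogd '-a ipaddr/masklen[:service]' check that Matthew's advice turns on, run over the sender in the thread's tcpdump line. The names parse_sender, peer_allowed and verdicts are hypothetical, the second capture line is constructed, and the model assumes IPv4 with an explicit masklen.

```python
import ipaddress
import re

SYSLOG_PORT = 514  # UDP port behind the service name "syslog"

# Matches the sender in tcpdump lines such as
#   17:06:00.980239 IP 192.168.0.1.59623 > 192.168.0.27.syslog: SYSLOG ...
SENDER = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\w+) > ")


def parse_sender(line):
    """Return (source address, source port) from a tcpdump line, or None."""
    m = SENDER.search(line)
    if m is None:
        return None
    port = m.group(2)
    # tcpdump prints well-known ports by service name, e.g. ".syslog"
    port = SYSLOG_PORT if port == "syslog" else int(port)
    return ipaddress.ip_address(m.group(1)), port


def peer_allowed(spec, addr, port):
    """Simplified model of one '-a ipaddr/masklen[:service]' rule."""
    net, _, service = spec.partition(":")
    if "/" not in net:
        raise ValueError("this model needs an explicit masklen")
    if addr not in ipaddress.ip_network(net, strict=False):
        return False
    if service == "*":                 # any source port is accepted
        return True
    if service in ("", "syslog"):      # default: sender must use the syslog port
        return port == SYSLOG_PORT
    return port == int(service)


CAPTURE = [
    # taken from the thread: sender uses an arbitrary high port
    "17:06:00.980239 IP 192.168.0.1.59623 > 192.168.0.27.syslog: SYSLOG syslog.info, length: 47",
    # constructed: same sender, but sending from the syslog port itself
    "17:06:01.000000 IP 192.168.0.1.syslog > 192.168.0.27.syslog: SYSLOG syslog.info, length: 47",
]


def verdicts(spec, lines=CAPTURE):
    """Apply one -a rule to every capture line that parses."""
    senders = (parse_sender(line) for line in lines)
    return [peer_allowed(spec, *s) for s in senders if s is not None]


if __name__ == "__main__":
    for spec in ("192.168.0.0/16", "192.168.0.0/16:*"):
        print(spec, verdicts(spec))
```

A datagram that passes this check can still be dropped before syslogd sees it, which is what the ipfw rules turned out to be doing in the thread.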