Syslog not logging remote host

Doug Hardie bc979 at lafn.org
Sat Apr 14 07:09:04 UTC 2007


On Apr 13, 2007, at 22:44, web at 3dresearch.com wrote:

> At 08:48 PM 4/13/2007, you wrote:
>> "Janos Dohanics" <web at 3dresearch.com> wrote:
>> >
>> > I'm trying to capture logs from m0n0wall, but the log file is empty.
>> >
>> > Here is my configuration:
>> >
>> > On the logging machine, in /etc/rc.conf:
>> >
>> > syslogd_flags="-a 10.61.70.1"
>> >
>> > In /etc/syslog.conf:
>> >
>> > +10.61.70.1
>> > *.*                                             /var/log/m0n0wall.log
>> >
>> > /var/log/m0n0wall.log exists and is writable:
>> >
>> > -rw-rw-r--  1 root  network  0 Apr 13 00:32 /var/log/m0n0wall.log
>> >
>> > The m0n0wall is configured to send logs to 10.61.70.100, which is the
>> > logging machine.
>> >
>> > What am I missing?
>>
>> Start with tcpdump on the receiving machine:
>> tcpdump 'port 514'
>> to see if you're even receiving messages from the monowall machine.
>>
>> If not, then double-check your config on the monowall machine.  If so,
>> check the receiving machine.
>
> Bill,
>
> looks like 10.61.70.100 is receiving packets:
>
> 00:58:07.203800 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 126
> 00:58:33.295297 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 44
> 00:58:33.340779 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 49
> 00:59:21.436782 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 55
> 00:59:21.438125 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 71
> 00:59:21.439305 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 99
> 00:59:21.440458 IP gww.floco.com.syslog > 10.61.70.100.syslog: UDP, length: 92
>
>> Did you restart syslogd on both systems after making config changes?
>
> I have...
>
> Janos

You might try running ktrace on the syslogd process while log
messages are being sent.  If you see syslogd receive the messages but
not writing to a file, then there is an issue with the syslog.conf
settings.  It could also be logging somewhere you are not expecting.
If you don't see syslogd receiving the messages then there is
something blocking it or syslogd is just not listening to that host/port.
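To make the receiving side's behaviour concrete, here is an added example that is not code from this thread or from FreeBSD's syslogd: a minimal Python UDP syslog receiver that models the two things a remote-logging host does with an arriving datagram, the allowed-peer check that syslogd's -a flag configures, and parsing of the <PRI> header into facility and severity. The peer list, the sample message, the port and the log file path are all constructed for the example; the peer list accepts a plain address or a CIDR prefix, which is a simplification of the forms the real -a flag takes (it also accepts hostnames, not modelled here), and the syslog.conf +host block selection is not modelled either.

```python
import ipaddress
import re
import socket

# Facility and severity names from RFC 3164 (list index = numeric code).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(data):
    """Split a raw syslog datagram into (facility, severity, text).

    A datagram without a valid <PRI> header is treated as user.notice,
    the default RFC 3164 assigns to unprioritised messages.
    """
    m = PRI_RE.match(data)
    if m is None:
        return "user", "notice", data.decode("utf-8", "replace")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return "user", "notice", data.decode("utf-8", "replace")
    facility, severity = divmod(pri, 8)
    text = data[m.end():].decode("utf-8", "replace")
    return FACILITIES[facility], SEVERITIES[severity], text


def peer_allowed(src_ip, allowed_peers):
    """Simplified model of syslogd's -a check: accept only listed sources.

    Entries may be a bare address ("10.61.70.1") or a prefix
    ("10.61.70.0/24"); hostname entries are not handled in this model.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in allowed_peers)


def handle_datagram(src_ip, data, allowed_peers):
    """Return a log record dict for an accepted datagram, or None if dropped."""
    if not peer_allowed(src_ip, allowed_peers):
        # syslogd likewise discards datagrams from peers not listed with -a,
        # so packets can be visible in tcpdump while the log file stays empty.
        return None
    facility, severity, text = parse_pri(data)
    return {"peer": src_ip, "facility": facility, "severity": severity, "text": text}


def format_record(rec):
    """One log-file line, tagged with the peer and facility.severity."""
    return f"{rec['text'].strip()}  [{rec['peer']} {rec['facility']}.{rec['severity']}]\n"


def serve(allowed_peers, logfile, bind_addr="0.0.0.0", port=514):
    """Receive datagrams and append accepted ones to logfile (runs forever).

    Binding port 514 requires root; pass a high port when experimenting.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(logfile, "a") as out:
        while True:
            data, (src_ip, _src_port) = sock.recvfrom(65535)
            rec = handle_datagram(src_ip, data, allowed_peers)
            if rec is None:
                print(f"dropped datagram from {src_ip}: not an allowed peer")
                continue
            out.write(format_record(rec))
            out.flush()


if __name__ == "__main__":
    # Constructed sample; the allowed peer mirrors the thread's "-a 10.61.70.1".
    ALLOWED = ["10.61.70.1"]
    sample = b"<134>Apr 13 00:58:07 gww m0n0wall: sample message (constructed)"
    print(handle_datagram("10.61.70.1", sample, ALLOWED))  # accepted: local0.info
    print(handle_datagram("10.61.70.2", sample, ALLOWED))  # None: dropped
    # serve(ALLOWED, "/tmp/m0n0wall.log", port=5140)  # hypothetical test run
```

The design point is the silent drop in handle_datagram: a receiver that filters on source address produces exactly the symptom in this thread (packets on the wire, nothing in the file) whenever the sender's actual source address differs from the one the allowed-peer list names, so the first check is that the address tcpdump reports (here shown by its reverse-resolved name gww.floco.com) is the one given to -a.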



More information about the freebsd-questions mailing list