<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#0050d0">
<font size="-1"><font face="Helvetica, Arial, sans-serif">With the
first one (the s_tcp/s_udp), try putting an explicit IP address, just
for gits and shiggles.<br>
As for the second one, that expects the incoming data to be in the new
IETF syslog format, so if its not, it puts the entire message into the
message body with default headers (forget what the default is though).
So you wont see these messages if that default facility/level doesnt go
anywhere. You can either use the 'syslog-protocol' flag for the sending
side on the tcp()/udp() destination, or use the syslog() destination
driver.<br>
</font></font><br>
Sent: Wednesday, July 21, 2010 2:48:02 PM<br>
From: Chuck <a class="moz-txt-link-rfc2396E" href="mailto:chuck.carson@gmail.com"><chuck.carson@gmail.com></a><br>
To: Syslog-ng users' and developers' mailing list
<a class="moz-txt-link-rfc2396E" href="mailto:syslog-ng@lists.balabit.hu"><syslog-ng@lists.balabit.hu></a> <br>
Subject: [syslog-ng] More Solaris 10 Woes - tcp/udp issues
<blockquote
cite="mid:AANLkTikqs0qXca8NMLdP5IvWHz6S-yQyF39i_keRVwVM@mail.gmail.com"
type="cite"><br>
<span style="font-family: courier new,monospace;">I can't get
syslog-ng to listen on port 514 using the tcp or udp sources. First, I
have defined entries in /etc/services as follows:</span><br
style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">syslog-ng-udp
514/udp syslog</span><br
style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">syslog-ng-tcp
514/tcp syslog</span><br
style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">I have of course
disabled the default system-log service.</span><br
style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">The following two I
can't get to work/listen: (Verifying this with netstat -a)</span><br
style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">source
s_udp { udp(port(514)); };</span><br
style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"><span
style="font-family: courier new,monospace;">source s_tcp {
tcp(port(514)); };</span><br style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">I can get it to
listen with the following:</span><br
style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">source
s_syslog { syslog( transport("udp") port(514) ); };<br>
OR<br>
</span></span><span style="font-family: courier new,monospace;"><span
style="font-family: courier new,monospace;">source
s_syslog { syslog( transport("tcp") port(514) ); };</span></span><br
style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"><span
style="font-family: courier new,monospace;"></span><br>
# netstat -a<br>
UDP: IPv4<br>
Local Address Remote Address State<br>
-------------------- -------------------- ----------<br>
*.syslog-ng-udp Idle<br>
<br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">However, syslog-ng
doesn't seem to be doing anything with this. I can see the syslog
message when snooping the interface on my syslog-ng server:</span><br
style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">root@log01:~# snoop
-d nge0 udp port 514 </span><br
style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">Using device nge0
(promiscuous mode)</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> ds01 -> log01
SYSLOG C port=32947 daemon.crit: <26>Jul 21 13:22:08 </span><br
style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> ds01 -> log01
SYSLOG C port=32947 daemon.crit: <26>Jul 21 13:23:11 </span><br
style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> ds01 -> log01
SYSLOG C port=32947 daemon.crit: <26>Jul 21 13:23:17 </span><br
style="font-family: courier new,monospace;">
<br>
Here is the catch all log statement I am using:<br>
destination r_messages { file ("/var/adm/messages_test"); };<br>
log { source (s_syslog); destination (r_messages); };<br>
<br>
Anyone have any ideas?<br>
<br>
Thx,<br>
CC<br>
</span><br>
<br>
<pre wrap="">
<hr size="4" width="90%">
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
</body>
</html>