RE: [syslog-ng]Please help with logging remote machines
Looks to me like you are using some flavor of Linux. My process table on Red Hat only has one entry for syslog-ng. I think you should probably stop the syslog-ng process via your usual startup/shutdown method to see what process it thinks it is running. Then look to see what processes are still alive. Kill those via the kill command, then restart syslog-ng via your normal startup procedure. That might clear up some of your issues.

Regards,
Drew

-----Original Message-----
From: Daniel Flick [mailto:dflick@pdq.net]
Sent: Wednesday, November 19, 2003 2:39 PM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Please help with logging remote machines

On Wed, 2003-11-19 at 12:26, Balazs Scheidler wrote:
On Wed, Nov 19, 2003 at 08:53:51AM -0600, Daniel Flick wrote:
On Tue, 2003-11-18 at 03:06, Balazs Scheidler wrote:
On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
I have been beating my head against a wall getting this to work but no joy. Syslog-ng is running and logging on the local system but no remote logs are being saved. Devices in question are PIX firewalls and NetCache proxies.
Have you checked whether syslog-ng is actually receiving messages ?
tcpdump and strace would help here. tcpdump shows that the firewalls are contacting the machine.
I was not able to get anything of value with "strace syslog-ng". I am new to this tool, so I may not be using it right. This is the only error I could find, but I don't know what it means.
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
check the pid of the syslog-ng process as it is running in the background, and attach to it using strace
strace -s 256 -o /tmp/syslog-ng.trace -p <syslog-ng pid>
run it for a couple of seconds, to let your firewall send syslog messages. Then grep the file /tmp/syslog-ng.trace for the string "recvfrom"
Each received message should have a corresponding recvfrom() call. If you can't see anything, either syslog-ng is not correctly bound, or your packet filter drops syslog traffic.

Interesting that I have so many syslog-ng processes. Is this normal?

ps -aux | grep [s]yslog
root 11118 0.0 0.0 1780 808 ? S Nov17 1:31 syslog-ng
root 11994 0.0 0.0 1724 696 ? S 08:31 0:01 syslog-ng
root 11999 0.0 0.0 1712 724 ? S 09:00 0:00 syslog-ng all all
root 12066 0.0 0.0 1708 680 ? S 09:22 0:00 syslog-ng
root 12071 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
root 12075 0.0 0.0 1688 660 ? S 09:23 0:00 syslog-ng
root 12079 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
root 12083 0.0 0.0 1700 672 ? S 09:24 0:00 syslog-ng
root 12087 0.0 0.0 1688 656 ? S 09:24 0:00 syslog-ng
root 12091 0.0 0.0 1684 656 ? S 09:24 0:00 syslog-ng
root 12095 0.0 0.0 1728 740 ? S 09:25 0:11 syslog-ng

I attached to 11999 and a few others and could not find recvfrom anywhere. The file is rather small and I posted one here. I also tried to attach to several other syslog-ng processes with the same results. I also verified that no filters are running that may be dropping the packets.

cat /tmp/syslog-ng.trace
time(NULL) = 1069271394
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
time(NULL) = 1069271425
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 0) = 0
getpid() = 11999
time(NULL) = 1069271425
time(NULL) = 1069271425
time(NULL) = 1069271425
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll( <unfinished ...>
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
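As an added example (not from any post in this thread), a small Python triage script that applies the check Balazs describes to a saved strace file: it counts recvfrom() calls, records each datagram's sender and size, and reports when the trace shows only poll() timeouts on the listening descriptors, which is what the trace quoted above looks like. The two trace snippets inside it are constructed, and the recvfrom() line layout is an assumption about how your strace version renders a sockaddr_in.

```python
import re
from collections import Counter

# strace renders a received UDP datagram roughly as (assumed layout; varies by strace version):
#   recvfrom(3, "<134>...", 2048, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("10.0.0.1")}, [16]) = 45
RECVFROM_RE = re.compile(
    r'recvfrom\((?P<fd>\d+),\s*"(?P<data>(?:[^"\\]|\\.)*)".*?'
    r'sin_port=htons\((?P<port>\d+)\).*?inet_addr\("(?P<ip>[\d.]+)"\).*?\)\s*=\s*(?P<ret>-?\d+)'
)
# A poll() that returns 0 timed out with nothing readable on any of its descriptors.
POLL_IDLE_RE = re.compile(r'^poll\(\[(?P<fds>.*)\],\s*\d+,\s*\d+\)\s*=\s*0$')
POLLIN_FD_RE = re.compile(r'\{fd=(\d+), events=POLLIN\}')

def summarize_trace(lines):
    """Return (messages, idle_polls, watched_fds): received datagrams as
    (sender_ip, sender_port, fd, bytes), idle poll() count, and the fds polled for POLLIN."""
    messages, idle_polls, watched = [], 0, set()
    for line in lines:
        line = line.strip()
        m = RECVFROM_RE.search(line)
        if m and int(m['ret']) > 0:            # a failed recvfrom (= -1 EAGAIN) is not a message
            messages.append((m['ip'], int(m['port']), int(m['fd']), int(m['ret'])))
            continue
        p = POLL_IDLE_RE.match(line)
        if p:
            idle_polls += 1
            watched.update(int(fd) for fd in POLLIN_FD_RE.findall(p['fds']))
    return messages, idle_polls, sorted(watched)

def verdict(lines):
    """The decision Balazs describes: either datagrams arrive, or bind/packet filter is suspect."""
    messages, idle_polls, watched = summarize_trace(lines)
    if messages:
        senders = Counter(ip for ip, _, _, _ in messages)
        return "receiving from " + ", ".join(f"{ip} ({n} msgs)" for ip, n in sorted(senders.items()))
    return (f"no recvfrom() in trace; {idle_polls} idle poll() on fds {watched}: "
            "check that syslog-ng is bound to udp/514 and that no packet filter drops the traffic")

# Constructed samples, not real captures: an idle daemon (as in the thread) and one receiving from a PIX.
IDLE_TRACE = """\
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
poll( <unfinished ...>
""".splitlines()
BUSY_TRACE = """\
poll([{fd=6, events=POLLIN}, {fd=3, events=POLLIN}], 2, 100) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, "<134>Nov 19 14:39:00 pix %PIX-6-302013: Built outbound TCP connection", 2048, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("10.0.0.1")}, [16]) = 73
recvfrom(3, "<134>Nov 19 14:39:01 pix %PIX-6-302014: Teardown TCP connection", 2048, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("10.0.0.1")}, [16]) = 66
recvfrom(3, 0xbffff000, 2048, 0, 0xbfffef90, [16]) = -1 EAGAIN (Resource temporarily unavailable)
""".splitlines()
```

Run it against a real capture with `verdict(open('/tmp/syslog-ng.trace').read().splitlines())`; a trace taken while the daemon is attached with strace -p will match one of the two shapes above.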
participants (1)
-
Hamilton Andrew