Re: [syslog-ng]Some Boxes Refuse to Write to syslog-ng host
The loghost is resolving correctly. I get the following in tcpdump which tells me that the packets are being sent to the syslog-ng loghost.

root@advil:/tmp# tcpdump dst host plague.anc.net
tcpdump: listening on eth0
10:44:39.856806 advil.anc.net.syslog > plague.anc.net.syslog: udp 47 (DF)
10:44:39.856851 advil.anc.net.syslog > plague.anc.net.syslog: udp 37 (DF)
10:45:03.885048 advil.anc.net.syslog > plague.anc.net.syslog: udp 47 (DF)
10:45:03.885090 advil.anc.net.syslog > plague.anc.net.syslog: udp 37 (DF)
10:45:05.334610 advil.anc.net.syslog > plague.anc.net.syslog: udp 47 (DF)
10:45:05.334650 advil.anc.net.syslog > plague.anc.net.syslog: udp 37 (DF)
10:45:06.516617 advil.anc.net.syslog > plague.anc.net.syslog: udp 47 (DF)
10:45:06.516815 advil.anc.net.syslog > plague.anc.net.syslog: udp 37 (DF)
8 packets received by filter
0 packets dropped by kernel

There is a firewall between the 2 machines but it isn't blocking this port. I know that because there are other machines on the same subnet that are able to get to the loghost and nothing is showing up in my firewall logs.

Any more suggestions?

Paul

At 11:25 PM 2/3/2003, you wrote:
Message: 7
To: syslog-ng@lists.balabit.hu
Cc: Leonard_Mills@corpnet.sel.sony.com
Subject: Re: [syslog-ng]Some Boxes Refuse to Write to syslog-ng host <5.2.0.9.0.20030203161839.022feaf0@127.0.0.1>
Date: Mon, 03 Feb 2003 22:25:54 +0000
From: Leonard Mills <Leonard_Mills@corpnet.sel.sony.com>
Reply-To: syslog-ng@lists.balabit.hu
You might get a good idea by using
dig @localhost loghost.domain.com
If that gives you what you need, then try using tcpdump from one of the failing hosts after a kill -HUP on syslogd.
Hope this helps,
Len
On Tue, Feb 04, 2003 at 10:55:22AM -0600, Paul Thomas wrote:
The loghost is resolving correctly.
I get the following in tcpdump which tells me that the packets are being sent to the syslog-ng loghost.

root@advil:/tmp# tcpdump dst host plague.anc.net
tcpdump: listening on eth0
10:44:39.856806 advil.anc.net.syslog > plague.anc.net.syslog: udp 47 (DF)
10:45:06.516815 advil.anc.net.syslog > plague.anc.net.syslog: udp 37 (DF)
8 packets received by filter
0 packets dropped by kernel

There is a firewall between the 2 machines but it isn't blocking this port. I know that because there are other machines on the same subnet that are able to get to the loghost and nothing is showing up in my firewall logs.
Any more suggestions?
I haven't been following this thread, so sorry if you've covered these:

a) did you make sure any packet filtering on the loghost is totally cleared during troubleshooting? ("iptables -F" or equivalent)

b) did you sniff the wire on the loghost itself to see if you see the messages (use non-promiscuous mode to make sure you see messages really intended for the loghost)?

c) did you strace/truss syslog-ng on the loghost to see if it's reading in the messages? (do this after the two above)

d) did you put in a catchall entry in your conf file? <URL:http://www.campin.net/syslog-ng/faq.html#catchall>

e) are you sure your clients really send to your loghost? Maybe their syslog.conf is wrong or you use split DNS and they see a different IP for your loghost's hostname.

f) I've totally skipped basic stuff like ping/traceroute/etc. If you're doing UDP logging you should test UDP reachability with netcat and a UDP server on your loghost that *returns* data. You can create your own UDP fileserver with netcat if you don't have one handy. You can safely skip all this if you see the packets with a sniffer on the loghost.

-- 
Nate Campi
http://www.campin.net
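The UDP reachability test from item (f), as an added example that is not part of the thread: a small Python stand-in for "a UDP server on your loghost that *returns* data" plus a probe that sends one syslog-formatted datagram and waits for the acknowledgement, which plain fire-and-forget syslog over UDP never gives you. Host name, tag and message text are constructed; on a real network you would run the server half on the loghost and the probe on a failing client (here both sides run on loopback).

```python
"""UDP reachability probe for a syslog loghost (added example, loopback demo)."""
import socket
import threading

def syslog_datagram(facility, severity, hostname, tag, msg):
    """Build an RFC 3164 style line: <PRI>timestamp host tag: msg, PRI = facility*8 + severity."""
    pri = facility * 8 + severity
    return f"<{pri}>Feb  4 10:44:39 {hostname} {tag}: {msg}".encode()

def start_reply_server(bind=("127.0.0.1", 0)):
    """Listen for UDP datagrams and answer each with b'ack:' + the PRI it parsed,
    so the client learns the message really arrived and was read.
    Returns (host, port) actually bound; port 0 lets the OS pick a free one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(bind)
    def serve():
        while True:
            data, peer = srv.recvfrom(2048)
            if data == b"__stop__":          # constructed shutdown sentinel
                break
            pri = data.split(b">", 1)[0].lstrip(b"<")
            srv.sendto(b"ack:" + pri, peer)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def probe_loghost(host, port, datagram, timeout=2.0):
    """Send one datagram and wait for the reply server's ack.
    Returns the ack text, or None if nothing comes back within the timeout
    (filtered, dropped, or no listener); ICMP unreachable errors are folded into None."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(timeout)
    try:
        cli.sendto(datagram, (host, port))
        reply, _ = cli.recvfrom(2048)
        return reply.decode()
    except OSError:          # includes socket.timeout and ECONNREFUSED
        return None
    finally:
        cli.close()

def stop_reply_server(host, port):
    """Tell the reply server thread to exit."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(b"__stop__", (host, port))
    s.close()

if __name__ == "__main__":
    host, port = start_reply_server()
    dgram = syslog_datagram(1, 6, "advil", "test", "udp reachability check")
    print(host, port, probe_loghost(host, port, dgram))   # ack:14 when reachable
    stop_reply_server(host, port)
```

A None result with packets visible in tcpdump on the client narrows the fault to the path or the loghost, which is exactly the split items (a) through (c) above are meant to resolve.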