[syslog-ng] Some Boxes Refuse to Write to syslog-ng host
Nate Campi
nate@campin.net
Tue, 4 Feb 2003 09:51:08 -0800
On Tue, Feb 04, 2003 at 10:55:22AM -0600, Paul Thomas wrote:
> The loghost is resolving correctly.
>
> I get the following in tcpdump which tells me that the packets are being
> sent to the syslog-ng loghost.
>
> root@advil:/tmp# tcpdump dst host plague.anc.net
> tcpdump: listening on eth0
> 10:44:39.856806 advil.anc.net.syslog > plague.anc.net.syslog: udp 47 (DF)
> 10:45:06.516815 advil.anc.net.syslog > plague.anc.net.syslog: udp 37 (DF)
>
> 8 packets received by filter
> 0 packets dropped by kernel
>
> There is a firewall between the 2 machines but it isn't blocking this
> port. I know that because there are other machines on the same subnet
> that are able to get to the loghost and nothing is showing up in my
> firewall logs.
>
> Any more suggestions?
I haven't been following this thread, so sorry if you've covered these:
a) did you make sure any packet filtering on the loghost is totally
cleared during troubleshooting? ("iptables -F" or equivalent)
b) did you sniff the wire on the loghost itself to see if you see the
messages (use non-promiscuous mode to make sure you see messages
really intended for the loghost)?
c) did you strace/truss syslog-ng on the loghost to see if it's reading
in the messages? (do this after the two above)
d) did you put in a catchall entry in your conf file?
<URL:http://www.campin.net/syslog-ng/faq.html#catchall>
e) are you sure your clients really send to your loghost? Maybe their
syslog.conf is wrong or you use split DNS and they see a different
IP for your loghost's hostname.
f) I've totally skipped basic stuff like ping/traceroute/etc. If you're
   doing UDP logging you should test UDP reachability with netcat and a
   UDP server on your loghost that *returns* data. You can create your
   own UDP fileserver with netcat if you don't have one handy. You can
   safely skip all this if you see the packets with a sniffer on the
   loghost.
--
Nate Campi http://www.campin.net
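Point (f) above is the one people most often get wrong: a UDP send "succeeds" whether or not anything listens, so the only honest reachability test is a listener that answers. The following is an added example, not part of Nate's reply or of syslog-ng; it stands in for the netcat pair he describes with a throwaway Python UDP echo server (on the loghost side) and a probe that sends an RFC 3164-style syslog datagram and waits for it to come back. Host, port, the "advil" hostname and the message contents are constructed for the illustration; in real use you would run the server half on the loghost and point the probe at it across the firewall.

```python
import socket
import threading
import time


def syslog_datagram(facility, severity, tag, msg, hostname="advil", timestamp=None):
    """Build an RFC 3164-style UDP syslog payload: <PRI>TIMESTAMP HOST TAG: MSG.

    PRI is facility*8 + severity (user.info -> <14>). Day-of-month is
    space-padded in the RFC; the timestamp can be passed in for determinism.
    """
    pri = facility * 8 + severity
    if timestamp is None:
        t = time.localtime()
        timestamp = time.strftime("%b ", t) + f"{t.tm_mday:2d}" + time.strftime(" %H:%M:%S", t)
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode()


class UdpEchoServer:
    """Throwaway UDP server that *returns* every datagram it receives.

    This is the 'UDP server on your loghost that returns data' from the post,
    written in Python instead of netcat so the probe below can be checked
    offline. Port 0 asks the kernel for a free ephemeral port.
    """

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))
        self.sock.settimeout(0.2)          # lets the loop notice _stop
        self.addr = self.sock.getsockname()  # (host, actual port)
        self.received = []
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                data, peer = self.sock.recvfrom(65535)
            except socket.timeout:
                continue
            self.received.append(data)
            self.sock.sendto(data, peer)     # echo it straight back

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def udp_roundtrip(host, port, payload, timeout=1.0):
    """Send payload to host:port over UDP and wait for the echo.

    Returns (ok, reply). ok is False when the reply never arrives (filtered
    or silently dropped, surfaces as a timeout) and when nothing listens
    (Linux reports the ICMP port-unreachable as ConnectionRefusedError on
    the next socket call). A plain sendto() cannot distinguish either case
    from success, which is why the listener must answer.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, (host, port))
            reply, _ = s.recvfrom(65535)
        except (socket.timeout, ConnectionRefusedError, OSError):
            return False, b""
        return reply == payload, reply


if __name__ == "__main__":
    srv = UdpEchoServer()  # constructed stand-in for the loghost listener
    probe = syslog_datagram(1, 6, "udptest", "reachability probe")
    print(udp_roundtrip(srv.addr[0], srv.addr[1], probe))
    srv.close()
```

If the probe comes back, UDP is reachable in both directions and the problem is on the syslog-ng side (filtering on the loghost, a missing source or catchall in the conf); if it times out while a sniffer on the loghost shows the datagrams arriving, only the return path is blocked, which matters for this test but not for one-way syslog.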