[syslog-ng]Some Boxes Refuse to Write to syslog-ng host

Nate Campi nate@campin.net
Tue, 4 Feb 2003 09:51:08 -0800

On Tue, Feb 04, 2003 at 10:55:22AM -0600, Paul Thomas wrote:
> The loghost is resolving correctly.
> I get the following in tcpdump which tells me that the packets are being 
> set to the syslog-ng loghost.
> root@advil:/tmp# tcpdump dst host plague.anc.net
> tcpdump: listening on eth0
> 10:44:39.856806 advil.anc.net.syslog > plague.anc.net.syslog:  udp 47 (DF)
> 10:45:06.516815 advil.anc.net.syslog > plague.anc.net.syslog:  udp 37 (DF)
> 8 packets received by filter
> 0 packets dropped by kernel
> There is a firewall between the 2 machines but it isn't blocking this 
> port.  I know that because there are other machines are the same subnet 
> that are able to get to the loghost and nothing is showing up in my 
> firewall logs.
> Any more suggestions?

I haven't been following this thread, so sorry if you've covered these:

a) did you make sure any packet filtering on the loghost is totally
   cleared during troubleshooting? ("iptables -F" or equivalent)

b) did you sniff the wire on the loghost itself to see if you see the
   messages (use non-promiscuous mode to make sure you see messages
   really intended for the loghost)?

c) did you strace/truss syslog-ng on the loghost to see if it's reading
   in the messages? (do this after the two above)

d) did you put in a catchall entry in your conf file? 

e) are you sure your clients really send to your loghost? Maybe their
   syslog.conf is wrong or you use split DNS and they see a different 
   IP for your loghost's hostname.

f) I've totally skipped basic stuff like ping/traceroute/etc. If you're
   doing UDP logging you should test UDP reachability with netcat and a
   UDP server on your loghost that *returns* data. You can create your
   own UDP fileserver with netcat if you don't have one handy. You can
   safely skip all this if you see the packets with a sniffer on the

Nate Campi    http://www.campin.net