[syslog-ng]Please help with logging remote machines
Balazs Scheidler
syslog-ng@lists.balabit.hu
Wed, 19 Nov 2003 19:26:20 +0100
On Wed, Nov 19, 2003 at 08:53:51AM -0600, Daniel Flick wrote:
> On Tue, 2003-11-18 at 03:06, Balazs Scheidler wrote:
> > On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
> > > I have been beating my head against a wall getting this to work but no
> > > joy. Syslog-ng is running and logging on the local system but no remote
> > > logs are being saved. Devices in question are PIX firewalls and
> > > NetCache proxies.
> >
> > Have you checked whether syslog-ng is actually receiving messages?
> >
> > tcpdump and strace would help here.
> tcpdump shows that the firewalls are contacting the machine.
>
> I was not able to get anything of value with "strace syslog-ng". I am
> new to this tool so I may not be using it right. This is the only error
> I could find but I don't know what that means.
>
> open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or
> directory)

Check the PID of the syslog-ng process, as it is running in the background,
and attach to it using strace:

    strace -s 256 -o /tmp/syslog-ng.trace -p <syslog-ng pid>

Run it for a couple of seconds, to let your firewall send syslog messages.
Then grep the file /tmp/syslog-ng.trace for the string "recvfrom".

Each received message should have a corresponding recvfrom() call. If you
can't see anything, either syslog-ng is not correctly bound, or your packet
filter drops syslog traffic.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
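
The recvfrom check described in the message above, as an added example that is not part of the original post: instead of a bare grep, it counts the completed recvfrom() calls per sending address so you can see which devices actually reach the daemon. The function names and the trace lines are constructed for illustration, and it assumes strace renders the sender as `inet_addr("...")`.

```shell
#!/bin/sh
# Added example: count the recvfrom() calls recorded in an strace output file.

# Constructed sample trace (addresses from the documentation range).
sample_trace() {
cat <<'EOF'
poll([{fd=4, events=POLLIN}], 1, -1) = 1
recvfrom(4, "<166>constructed sample A", 2048, 0, {sa_family=AF_INET, sin_port=htons(1025), sin_addr=inet_addr("192.0.2.10")}, [16]) = 25
recvfrom(4, "<166>constructed sample B", 2048, 0, {sa_family=AF_INET, sin_port=htons(1025), sin_addr=inet_addr("192.0.2.10")}, [16]) = 25
recvfrom(4, "<134>constructed sample C", 2048, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.0.2.20")}, [16]) = 25
recvfrom(4, 0xbffff000, 2048, 0, 0xbffff800, [16]) = -1 EAGAIN (Resource temporarily unavailable)
EOF
}

# Print "<sender> <datagrams> <bytes>" per source address, then a totals line.
summarize_recvfrom() {
    awk '
    /recvfrom\(/ {
        n = split($0, parts, " = ")
        if (n < 2) next                  # call not finished, no return value
        ret = parts[n] + 0               # bytes received, or -1 on error
        if (ret < 0) { failed++; next }
        src = "unknown"
        if (match($0, /inet_addr\("[^"]*"\)/))
            src = substr($0, RSTART + 11, RLENGTH - 13)
        count[src]++; bytes[src] += ret; ok++
    }
    END {
        for (s in count) printf "%s %d %d\n", s, count[s], bytes[s]
        printf "total_ok=%d failed=%d\n", ok, failed
    }' "$1" | sort
}

# Demo on the constructed trace; on a real host pass /tmp/syslog-ng.trace.
trace=$(mktemp)
sample_trace > "$trace"
summarize_recvfrom "$trace"
rm -f "$trace"
```

A result of `total_ok=0` while tcpdump shows the packets arriving corresponds to the two cases named in the message: syslog-ng is not correctly bound, or the packet filter drops syslog traffic.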