[syslog-ng]Please help with logging remote machines
Daniel Flick
syslog-ng@lists.balabit.hu
Wed, 19 Nov 2003 13:39:13 -0600
On Wed, 2003-11-19 at 12:26, Balazs Scheidler wrote:
> On Wed, Nov 19, 2003 at 08:53:51AM -0600, Daniel Flick wrote:
> > On Tue, 2003-11-18 at 03:06, Balazs Scheidler wrote:
> > > On Mon, Nov 17, 2003 at 02:56:49PM -0600, Daniel Flick wrote:
> > > > I have been beating my head against a wall getting this to work but no
> > > > joy. Syslog-ng is running and logging on the local system but no remote
> > > > logs are being saved. Devices in question are PIX firewalls and
> > > > NetCache proxies.
> > >
> > > Have you checked whether syslog-ng is actually receiving messages ?
> > >
> > > tcpdump and strace would help here.
> > tcpdump shows that the firewalls are contacting the machine.
> >
> > I was not able to get anything of value with "strace syslog-ng" I am
> > new to this tool so I may not be using it right. This is the only error
> > I could find but I don't know what that means.
> >
> > open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or
> > directory)
>
> check the pid of the syslog-ng process as it is running in the background,
> and attach to it using strace
>
> strace -s 256 -o /tmp/syslog-ng.trace -p <syslog-ng pid>
>
> run it for a couple of seconds, to let your firewall send syslog messages.
> Then grep the file /tmp/syslog-ng.trace for the string "recvfrom"
>
> Each received message should have a corresponding recvfrom() call. If you
> can't see anything either syslog-ng is not correctly bound, or your packet
> filter drops syslog traffic
Interesting that I have so many syslog-ng processes. Is this normal?
ps -aux | grep [s]yslog
root 11118 0.0 0.0 1780 808 ? S Nov17 1:31 syslog-ng
root 11994 0.0 0.0 1724 696 ? S 08:31 0:01 syslog-ng
root 11999 0.0 0.0 1712 724 ? S 09:00 0:00 syslog-ng
all all
root 12066 0.0 0.0 1708 680 ? S 09:22 0:00 syslog-ng
root 12071 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
root 12075 0.0 0.0 1688 660 ? S 09:23 0:00 syslog-ng
root 12079 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
root 12083 0.0 0.0 1700 672 ? S 09:24 0:00 syslog-ng
root 12087 0.0 0.0 1688 656 ? S 09:24 0:00 syslog-ng
root 12091 0.0 0.0 1684 656 ? S 09:24 0:00 syslog-ng
root 12095 0.0 0.0 1728 740 ? S 09:25 0:11 syslog-ng
I attached to 11999 and a few others and could not find recvfrom
anywhere. The file is rather small and I posted one here. I also tries
to attach to several other syslog-ng processes with the same results. I
also verified that no filters are running that may be dropping the
packets.
cat /tmp/syslog-ng.trace
time(NULL) = 1069271394
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
time(NULL) = 1069271425
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 0) = 0
getpid() = 11999
time(NULL) = 1069271425
time(NULL) = 1069271425
time(NULL) = 1069271425
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll( <unfinished ...>