[syslog-ng] Please help with logging remote machines
Balazs Scheidler
syslog-ng@lists.balabit.hu
Wed, 19 Nov 2003 21:50:59 +0100
On Wed, Nov 19, 2003 at 01:39:13PM -0600, Daniel Flick wrote:
> On Wed, 2003-11-19 at 12:26, Balazs Scheidler wrote:
> > check the pid of the syslog-ng process as it is running in the background,
> > and attach to it using strace
> >
> > strace -s 256 -o /tmp/syslog-ng.trace -p <syslog-ng pid>
> >
> > run it for a couple of seconds, to let your firewall send syslog messages.
> > Then grep the file /tmp/syslog-ng.trace for the string "recvfrom"
> >
> > Each received message should have a corresponding recvfrom() call. If you
> > can't see anything either syslog-ng is not correctly bound, or your packet
> > filter drops syslog traffic
> Interesting that I have so many syslog-ng processes. Is this normal?
> ps -aux | grep [s]yslog
> root 11118 0.0 0.0 1780 808 ? S Nov17 1:31 syslog-ng
> root 11994 0.0 0.0 1724 696 ? S 08:31 0:01 syslog-ng
> root 11999 0.0 0.0 1712 724 ? S 09:00 0:00 syslog-ng
> all all
> root 12066 0.0 0.0 1708 680 ? S 09:22 0:00 syslog-ng
> root 12071 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
> root 12075 0.0 0.0 1688 660 ? S 09:23 0:00 syslog-ng
> root 12079 0.0 0.0 1680 652 ? S 09:23 0:00 syslog-ng
> root 12083 0.0 0.0 1700 672 ? S 09:24 0:00 syslog-ng
> root 12087 0.0 0.0 1688 656 ? S 09:24 0:00 syslog-ng
> root 12091 0.0 0.0 1684 656 ? S 09:24 0:00 syslog-ng
> root 12095 0.0 0.0 1728 740 ? S 09:25 0:11 syslog-ng
To my best knowledge syslog-ng forks only when it starts another program
(program destination). So it is not normal that you have this number of
syslog-ng processes.
> I attached to 11999 and a few others and could not find recvfrom
> anywhere. The file is rather small and I posted one here. I also tried
> to attach to several other syslog-ng processes with the same results. I
> also verified that no filters are running that may be dropping the
> packets.
> cat /tmp/syslog-ng.trace
> time(NULL) = 1069271394
> poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
> poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
> time(NULL) = 1069271425
> poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
> poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 0) = 0
> getpid() = 11999
The output of "lsof" might reveal the nature of those polled
file descriptors, but in general if you can't see recvfrom() lines and
syslog-ng is bound to the correct ports there is really something wrong
outside syslog-ng.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
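The diagnostic Bazsi describes (attach strace, count recvfrom() calls, then look at the polled descriptors with lsof and at the socket binding and packet filter if nothing arrives), as an added shell example that is not part of the original thread or of syslog-ng itself. The function names are mine; it assumes strace, lsof, ss (netstat -ulnp on older systems) and the coreutils `timeout` command are installed, and the two trace excerpts it writes are constructed for offline testing, not real captures.

```shell
#!/bin/sh
# Added example, not from the original mail or from syslog-ng.
# trace_syslog_ng() drives strace the way the mail suggests; the parsers
# below turn the resulting trace file into a verdict and a next step.

# Attach strace to one syslog-ng pid for $2 seconds, trace to file $3.
# `timeout` sends SIGTERM, on which strace detaches cleanly; it then
# exits 124, which is the expected outcome here rather than an error.
trace_syslog_ng() {
    pid=$1; secs=$2; out=$3
    timeout "$secs" strace -s 256 -o "$out" -p "$pid" || [ $? -eq 124 ]
}

# Number of recvfrom() calls in a trace file (prints 0 when none).
recvfrom_count() {
    grep -c 'recvfrom(' "$1" || :
}

# Descriptors syslog-ng is actually waiting on (events=POLLIN in poll()),
# comma-separated so the result can be passed straight to `lsof -d`.
polled_fds() {
    grep -o 'fd=[0-9]*, events=POLLIN' "$1" \
        | sed 's/fd=\([0-9]*\),.*/\1/' \
        | sort -n -u | tr '\n' ',' | sed 's/,$//'
}

# Verdict for a trace; returns 1 when no datagram was received so the
# caller knows to move on to the binding and packet-filter checks.
diagnose() {
    trace=$1; pid=$2
    n=$(recvfrom_count "$trace")
    if [ "$n" -gt 0 ]; then
        echo "ok: $n recvfrom() calls in $trace, syslog-ng is receiving"
        return 0
    fi
    echo "no recvfrom() in $trace: syslog-ng is not bound, or the packets are filtered"
    echo "what are the polled descriptors?  lsof -p $pid -a -d $(polled_fds "$trace")"
    echo "is 514/udp bound by pid $pid?      ss -ulnp | grep ':514 '"
    echo "does a filter rule drop it?        iptables -L -n -v | grep 514"
    return 1
}

# Constructed trace excerpts (not real captures) so the parsers can be run
# offline: one where the firewall's messages arrive, one idle like Daniel's.
# 192.0.2.1 is a documentation address standing in for the firewall.
write_sample_trace() {
    cat > "$1" <<'EOF'
time(NULL)                              = 1069271394
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, "<34>Nov 19 08:31:00 fw kernel: DROP IN=eth0 ...", 8192, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.0.2.1")}, [16]) = 47
recvfrom(3, "<38>Nov 19 08:31:01 fw sshd[412]: Accepted ...", 8192, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.0.2.1")}, [16]) = 46
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
EOF
}

write_idle_trace() {
    cat > "$1" <<'EOF'
time(NULL)                              = 1069271394
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
getpid()                                = 11999
EOF
}
```

On a live box the sequence is `trace_syslog_ng "$(pidof syslog-ng | cut -d' ' -f1)" 10 /tmp/syslog-ng.trace` followed by `diagnose /tmp/syslog-ng.trace <pid>`; with several syslog-ng processes, as in the thread, run it against each pid, since only the one that owns the UDP socket can ever show recvfrom().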