[syslog-ng] Please help with logging remote machines

Daniel Flick syslog-ng@lists.balabit.hu
Wed, 19 Nov 2003 15:51:47 -0600


On Wed, 2003-11-19 at 14:50, Balazs Scheidler wrote:
> On Wed, Nov 19, 2003 at 01:39:13PM -0600, Daniel Flick wrote:
> > On Wed, 2003-11-19 at 12:26, Balazs Scheidler wrote:
> > > check the pid of the syslog-ng process as it is running in the background,
> > > and attach to it using strace
> > > 
> > > strace -s 256 -o /tmp/syslog-ng.trace -p <syslog-ng pid>
> > > 
> > > run it for a couple of seconds, to let your firewall send syslog messages.
> > > Then grep the file /tmp/syslog-ng.trace for the string "recvfrom"
> > > 
> > > Each received message should have a corresponding recvfrom() call. If you
> > > can't see anything either syslog-ng is not correctly bound, or your packet
> > > filter drops syslog traffic
> > Interesting that I have so many syslog-ng processes.  Is this normal?
> > ps -aux | grep [s]yslog
> > root     11118  0.0  0.0  1780  808 ?        S    Nov17   1:31 syslog-ng
> > root     11994  0.0  0.0  1724  696 ?        S    08:31   0:01 syslog-ng
> > root     11999  0.0  0.0  1712  724 ?        S    09:00   0:00 syslog-ng
> > all all
> > root     12066  0.0  0.0  1708  680 ?        S    09:22   0:00 syslog-ng
> > root     12071  0.0  0.0  1680  652 ?        S    09:23   0:00 syslog-ng
> > root     12075  0.0  0.0  1688  660 ?        S    09:23   0:00 syslog-ng
> > root     12079  0.0  0.0  1680  652 ?        S    09:23   0:00 syslog-ng
> > root     12083  0.0  0.0  1700  672 ?        S    09:24   0:00 syslog-ng
> > root     12087  0.0  0.0  1688  656 ?        S    09:24   0:00 syslog-ng
> > root     12091  0.0  0.0  1684  656 ?        S    09:24   0:00 syslog-ng
> > root     12095  0.0  0.0  1728  740 ?        S    09:25   0:11 syslog-ng
> 
> To my best knowledge syslog-ng forks only when it starts another program
> (program destination). So it is not normal that you have this number of
> syslog-ng processes.
Would this make sense due to the fact that my destination creates a new
file based on the host source?  If so, that is encouraging.
destination rlog { file("/var/log/$HOST/$MONTH.$DAY.log"
    create_dirs(yes) owner("log") group("log") perm(0600)); };
> 
> > I attached to 11999 and a few others and could not find recvfrom
> > anywhere.  The file is rather small and I posted one here.  I also tried
> > to attach to several other syslog-ng processes with the same results.  I
> > also verified that no filters are running that may be dropping the
> > packets.
> > cat /tmp/syslog-ng.trace
> > time(NULL)                              = 1069271394
> > poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
> > events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
> > poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
> > events=POLLIN}, {fd=3, events=POLLIN}], 5, 31000) = 0
> > time(NULL)                              = 1069271425
> > poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
> > events=POLLIN}, {fd=3, events=POLLIN}], 5, 100) = 0
> > poll([{fd=8, events=0}, {fd=7, events=0}, {fd=6, events=POLLIN}, {fd=5,
> > events=POLLIN}, {fd=3, events=POLLIN}], 5, 0) = 0
> > getpid()                                = 11999
> 
> the output of "lsof" might reveal the nature of those polled
> filedescriptors, but in general if you can't see recvfrom() lines and
> syslog-ng is bound to the correct ports there is really something wrong
> outside syslog-ng.
If the config looks good then I might just do a rebuild to Gentoo and
try again.  Did you see any obvious errors in my syslog-ng.conf?  Thanks
very much for the assistance.  I learned quite a bit!
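The strace check Balazs describes above, as an added example that is not part of the thread: a POSIX shell script that classifies a trace file by its recvfrom() and poll() calls, and counts syslog-ng processes in ps output. It assumes a trace taken with strace -o on a single pid (no -f pid prefixes); the sample traces and ps listing are constructed, not the poster's real capture.

```shell
#!/bin/sh
# Added example, not from the thread. Interprets a capture made with
#   strace -s 256 -o /tmp/syslog-ng.trace -p <syslog-ng pid>
# diagnose_trace: 0 = datagrams received, 1 = only idle poll() timeouts
# (the symptom in the thread), 2 = nothing to judge by.

count_calls() {   # $1 = pattern, $2 = file; prints the match count
    n=$(grep -c -- "$1" "$2" 2>/dev/null) || true
    echo "${n:-0}"
}

diagnose_trace() {
    rx=$(count_calls 'recvfrom(' "$1")
    idle=$(count_calls 'poll(.*) = 0$' "$1")
    if [ "$rx" -gt 0 ]; then
        echo "OK: $rx recvfrom() call(s), syslog-ng is reading datagrams"
        return 0
    elif [ "$idle" -gt 0 ]; then
        echo "IDLE: $idle timed-out poll() call(s) and no recvfrom():" \
             "nothing reaches the socket (check bind and packet filter)"
        return 1
    fi
    echo "UNKNOWN: no recvfrom() or poll() seen (wrong pid, trace too short?)"
    return 2
}

# syslog-ng forks only for program() destinations (Balazs, above), so more
# than one process in 'ps aux' output ($1 = file) needs explaining.
count_syslogng() {
    count_calls '[[:space:]]syslog-ng$' "$1"
}

# Constructed samples (not the poster's capture), one syscall per line.
IDLE_TRACE=$(mktemp); BUSY_TRACE=$(mktemp); PS_OUT=$(mktemp)
trap 'rm -f "$IDLE_TRACE" "$BUSY_TRACE" "$PS_OUT"' EXIT
cat >"$IDLE_TRACE" <<'EOF'
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, 100) = 0
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, 31000) = 0
EOF
cat >"$BUSY_TRACE" <<'EOF'
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, 100) = 1 ([{fd=5, revents=POLLIN}])
recvfrom(5, "<134>Nov 19 15:40:01 fw kernel: Deny TCP", 2048, 0, {sa_family=AF_INET, sin_port=htons(514), sin_addr=inet_addr("192.0.2.1")}, [16]) = 41
EOF
cat >"$PS_OUT" <<'EOF'
root     11118  0.0  0.0  1780  808 ?        S    Nov17   1:31 syslog-ng
root     12095  0.0  0.0  1728  740 ?        S    09:25   0:11 syslog-ng
EOF

for f in "$IDLE_TRACE" "$BUSY_TRACE"; do diagnose_trace "$f" || :; done
echo "syslog-ng processes: $(count_syslogng "$PS_OUT")"
```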