[syslog-ng]receiving udp from remote servers
Nate Campi
syslog-ng@lists.balabit.hu
Fri, 23 Jan 2004 09:24:01 -0800
On Fri, Jan 23, 2004 at 11:00:32AM -0500, Wang, Philip R. wrote:
>
> I am new to syslog-ng. I used the following config file to test it out under Solaris.
> Then I used a pc application to generate udp message to port 514.
>
> I started the process using "syslog-ng -f filename".
>
> I can see a log message in "messages" indicating the process started.
>
> However, when I send the simulated message from my PC app, it does not show up in the log file.
>
> I was reading some Linux syslog-ng document: a chapter from a book. It mentioned using the '-r' option to allow accepting remote
> messages. I have syslog 1.6.1 and it does not have this option. Not sure if I missed anything?
>
> Philip
>
> ---------------------------------------------------------------------
> source local { internal(); udp();};
>
> destination all { file("/opt/syslog-ng/messages"); };
>
> log { source(local); destination(all); };
> -----------------------------------------------------------------------
You don't need the -r option with syslog-ng; your udp() source is what
you do for accepting remote messages.
Now you need to do some basic troubleshooting:
1) Is syslog-ng still running?
# ps -ef|grep syslog
This ps will show whether you shut down the stock syslogd; if it's running,
that isn't bad *for now, with the config you posted above*, as long as
it's not listening on the same UDP socket as syslog-ng. Solaris syslogd
has the -t flag to turn off listening on the UDP port, not sure what
version introduced this but it's certainly there in 8 and up. Your two
syslog processes can coexist as long as they're not contending for the
system messages (the syslog door) and for any TCP/IP ports.
As soon as you're done testing, though, shut down one or the other
permanently to avoid issues later.
2) If syslog-ng is running, is it listening on the UDP socket?
Install lsof (www.sunfreeware.com); I know of no way to force
Solaris netstat to give you the process name of listening sockets.
# lsof -i UDP:514
The first column is the process listening on that socket, if any.
3) Did your message even make it to your syslog server? Send it again,
and watch the network:
# snoop port 514
4) If you don't see it, there are a number of reasons why, too many in
fact for me to be much help (could be packet filtering on the
Solaris box, on the network between the two hosts, asynchronous
routing, errors sending on the PC side, etc, etc).
Good luck.
--
Nate
"If you give someone a program, you will frustrate them for a day; if
you teach them how to program, you will frustrate them for a lifetime."
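The loopback test below is an added example, not code from Nate's reply, Philip's post, or the syslog-ng project. It stands in for the udp() source with a throwaway UDP listener, sends a constructed BSD-style syslog datagram at it, and reports whether anything arrived and how its <PRI> decodes, which is the same "did the message even reach the socket" question as step 3 above. Binding port 0 (an ephemeral port) instead of 514 is an assumption made so it runs unprivileged; against a real syslog-ng instance you would drop the listener and send straight to the server's port 514, then confirm arrival with snoop as Nate describes.

```python
import re
import socket

# Constructed test datagram in the classic BSD syslog (RFC 3164) layout that a
# syslog-ng udp() source accepts: "<PRI>TIMESTAMP HOST TAG: MSG".
TEST_MESSAGE = "<13>Jan 23 09:24:01 pctest sender[42]: syslog-ng udp test"

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Split the leading <PRI> into (facility, severity); None if absent or out of range."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1 is the largest legal PRI
        return None
    return pri // 8, pri % 8


def udp_loopback_test(message=TEST_MESSAGE, port=0, timeout=2.0):
    """Bind a throwaway UDP listener standing in for syslog-ng's udp() source,
    send `message` to it, and report what arrived.

    port=0 is an assumption for this example: it asks the OS for an ephemeral
    port so the script runs without root. Returns None when nothing arrives
    before `timeout`, i.e. the step-3 failure case in the thread above.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", port))
    listener.settimeout(timeout)
    bound_port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(message.encode("utf-8"), ("127.0.0.1", bound_port))
        try:
            data, (src_host, _src_port) = listener.recvfrom(4096)
        except socket.timeout:
            return None
        text = data.decode("utf-8", errors="replace")
        return {
            "port": bound_port,
            "source": src_host,
            "raw": text,
            "pri": parse_pri(text),
        }
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    result = udp_loopback_test()
    if result is None:
        print("no datagram received: check filtering, routing and the sender")
    else:
        fac, sev = result["pri"]
        print(f"got datagram on udp/{result['port']} from {result['source']} "
              f"facility={fac} severity={sev}")
        print(result["raw"])
```

If this passes on the syslog host itself but a remote sender still never shows up in snoop, the problem is upstream of syslog-ng (the sender, a packet filter, or routing), which is exactly the split Nate draws between steps 3 and 4.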