[syslog-ng] Newbie Looking for Help

Brian Candler B.Candler at pobox.com
Tue May 16 13:05:47 CEST 2006


On Mon, May 15, 2006 at 10:25:41AM -0400, Mark R. White wrote:
>    Sandor, Good suggestion but I don't think it will work since syslog is
>    UDP traffic.

Packets are packets. Run this on your syslog server:

  # tcpdump -i eth0 -n -s1500 -v udp port 514

Then send logs from your PIX. Then see what appears. No packets arriving at
all is one problem; packets arriving with an unexpected source address is
another.

>    Also, it appears to be a very specific problem with our
>    PIX firewall.  This morning, our network engineer and I, set up a half
>    dozen other devices, routers and switches, and they are all logging
>    without any issue.  So for now, I'm going to chalk this up as an
>    issue with the PIX IOS, and consider this issue closed.

That's not an obvious conclusion at all. Here we have several PIXes, running
PIXOS 7.0 and 7.1, and we have no problems with syslog at all.

The obvious other problems might be:

(1) The PIX is sending syslog packets, but the source IP address is not what
you expected them to be. tcpdump will show you this.

(2) If tcpdump shows no packets arriving at all, then perhaps the PIX is
sending them but they are being lost in transit (e.g. some other firewall in
between, or the PIX is missing a static route which it would need to reach
the syslog server).

However it could also be PIX misconfiguration.

Regards,

Brian.
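
Added example, not part of Brian's mail or of syslog-ng: a small POSIX shell script that automates the check above. It runs the same tcpdump command for a fixed time and then sorts the capture into the two failure modes the mail names (no UDP/514 packets at all, or packets that do arrive but from a source address other than the PIX) so the result is a one-word verdict rather than something read off by eye. The interface default of eth0, the use of coreutils `timeout`, the script's own function and argument names, and the 192.0.2.1 / 198.51.100.7 / 203.0.113.10 addresses in the embedded sample capture are all assumptions; the sample tcpdump lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the original mail.
# Assumptions: the capture interface defaults to eth0 (as in the mail's
# tcpdump command), `timeout` from coreutils is available, and the PIX's
# expected source address is supplied by the caller.

# capture_syslog IFACE SECONDS
# Run the tcpdump command from the mail for at most SECONDS seconds (or 50
# packets), printing one decoded line per UDP/514 packet on stdout.
# Needs root (or CAP_NET_RAW) like any tcpdump invocation.
capture_syslog() {
    timeout "$2" tcpdump -i "$1" -n -s1500 -l -c 50 udp port 514 2>/dev/null || true
}

# check_syslog_capture EXPECTED_SRC  < tcpdump-output
# Reads `tcpdump -n` output on stdin and prints one of:
#   NONE                - no UDP/514 packets arrived at all
#   WRONG_SRC <addrs>   - packets arrived, but none from EXPECTED_SRC
#   OK                  - packets from EXPECTED_SRC arrived
check_syslog_capture() {
    awk -v want="$1" '
        # A decoded packet line contains "SRC.port > DST.514:" (numeric because of -n).
        # With -v the timestamp/IP header may sit on its own line; it has no " > ", so
        # only the line carrying the addresses is counted.
        / > [0-9.]+\.514: / {
            src = ""
            for (i = 1; i < NF; i++) if ($(i + 1) == ">") { src = $i; break }
            sub(/\.[0-9]+$/, "", src)      # strip the source port
            total++
            seen[src]++
        }
        END {
            if (total == 0) { print "NONE"; exit }
            if (want in seen) { print "OK"; exit }
            printf "WRONG_SRC"
            for (s in seen) printf " %s", s   # order is awk-defined, not sorted
            print ""
        }'
}

# Constructed sample capture for offline use: the PIX (192.0.2.1) is silent and
# a router (198.51.100.7) is the only device logging to the collector (203.0.113.10).
SAMPLE_CAPTURE='13:05:47.102345 IP 198.51.100.7.514 > 203.0.113.10.514: SYSLOG local7.notice, length: 96
13:05:47.602388 IP 198.51.100.7.514 > 203.0.113.10.514: SYSLOG local7.notice, length: 88'

case "${1:-}" in
    capture)  # usage: script capture PIX_ADDR [IFACE] [SECONDS]
        capture_syslog "${3:-eth0}" "${4:-30}" | check_syslog_capture "$2" ;;
    demo)     # usage: script demo   (runs the check over the constructed sample)
        printf '%s\n' "$SAMPLE_CAPTURE" | check_syslog_capture 192.0.2.1 ;;
esac
```

Run it as `sh check.sh capture 192.0.2.1 eth0 30` on the syslog server, then trigger some logging on the PIX during those 30 seconds. `NONE` points at the transit problem (a firewall in between, or the PIX lacking a route to the collector); `WRONG_SRC` lists the addresses that did log, which is the quickest way to spot the PIX sending from an interface other than the one you expected. Because `check_syslog_capture` only reads stdin, it also works over a saved `tcpdump -n` text file.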

