[syslog-ng] Syslog-ng beginners guide
Dave Edelman
dedelman at iname.com
Sat Jul 4 02:04:40 CEST 2009
The problem might be in this line: "Actually I don't know yet how to
configure iptables"
They might be enabled by default so you might want to try this:
# iptables -L
If it shows anything but a bunch of lines saying policy accept and some
header lines, then you (at your own risk) need to tell it to stop by issuing
the magical incantation
# iptables -F
To keep the pesky safeguards off on a full-time basis, you might want to do
something like:
# chkconfig iptables off
# service iptables stop
You need to do this with root access so sudo is your friend unless you are
really brave and are logging on as root directly :)
--Dave
"I insist that my car has good brakes, they allow me to go faster"
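The `iptables -L` check Dave describes, worked through as an added example (this is not code from the thread or from the syslog-ng project). It parses a listing of the INPUT chain for the REJECT rule that answers with `icmp-host-prohibited` (the "Host Administratively Prohibited" ICMP error Cosmin saw in Wireshark), checks whether port 514 is already accepted before that rule, and prints the narrow fix: insert ACCEPT rules for syslog just above the REJECT instead of flushing the whole chain with `iptables -F`, which also drops the rule that keeps SSH reachable. The chain listing is a constructed sample in the shape of `iptables -L INPUT -n --line-numbers` on a default Fedora install, so the script runs without root or a live netfilter; the printed commands are what you would run on the real server.

```shell
#!/bin/sh
# Added example: find the firewall rule behind "host administratively
# prohibited" and open only the syslog port rather than flushing everything.

# Constructed sample output of `iptables -L INPUT -n --line-numbers` on a
# stock Fedora box. On a real server replace it with the live listing:
#   listing=$(iptables -L INPUT -n --line-numbers)
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Print the rule numbers of REJECT rules that answer with icmp-host-prohibited.
# Reads the chain listing on stdin. No output means the ICMP error is not
# produced by this chain and you should look elsewhere (another chain, a
# router in between).
find_admin_prohibited() {
    awk '$2 == "REJECT" && /icmp-host-prohibited/ { print $1 }'
}

# Exit 0 if an explicit ACCEPT for proto/port precedes the first REJECT,
# 1 otherwise. Usage: port_allowed udp 514 < listing
# (Rule 3, "ACCEPT all" with no port, is the loopback rule; without -v the
# interface is hidden, so only explicit dpt: matches count here.)
port_allowed() {
    awk -v p="$1" -v re="dpt:$2( |\$)" '
        $2 == "REJECT" { exit 1 }                               # reject seen first: blocked
        $2 == "ACCEPT" && $3 == p && $0 ~ re { found = 1; exit 0 }
        END { exit found ? 0 : 1 }'
}

# Emit the narrowest fix: insert ACCEPT rules for syslog at the position of
# the REJECT, which pushes the REJECT down below them. Then persist the
# change so a reboot or `service iptables restart` keeps it.
# Usage: syslog_allow_rules <reject-rule-number>
syslog_allow_rules() {
    printf 'iptables -I INPUT %s -p udp --dport 514 -j ACCEPT\n' "$1"
    printf 'iptables -I INPUT %s -p tcp --dport 514 -j ACCEPT\n' "$1"
    printf 'iptables-save > /etc/sysconfig/iptables\n'
}

main() {
    listing="$SAMPLE_INPUT_CHAIN"
    n=$(printf '%s\n' "$listing" | find_admin_prohibited | head -n 1)
    if [ -z "$n" ]; then
        echo "no icmp-host-prohibited REJECT in INPUT; the ICMP error comes from elsewhere"
        return 0
    fi
    for proto in udp tcp; do
        if printf '%s\n' "$listing" | port_allowed "$proto" 514; then
            echo "$proto/514 is already accepted before rule $n"
        else
            echo "$proto/514 hits REJECT rule $n"
        fi
    done
    echo "Run as root on the server to open only the syslog port:"
    syslog_allow_rules "$n"
}

main
```

Because `-I INPUT 5` inserts at position 5 and shifts the REJECT to 6, both ACCEPT lines end up above it regardless of order; `iptables -L INPUT -n --line-numbers` afterwards should show them immediately before the REJECT.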
-----Original Message-----
From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Friday, July 03, 2009 10:03 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng beginners guide
On Thu, 2009-07-02 at 17:50 +0300, Cosmin Neagu wrote:
> I have tried like this:
>
> On a remote Linux host (Ubuntu 9.04) I have configured syslog-ng
> like this:
>
> source s_internal {internal();};
> source s_local {
> file ("/proc/kmsg" log_prefix("kernel: "));
> unix-stream ("/dev/log");
> };
>
> destination d_localfile { file ("/home/cosmin/syslog.log"); };
> destination d_remote {tcp ("192.168.53.248" port(514)); };
> # I have tried with udp also
>
> log { source(s_local); destination(d_localfile); };
> log { source(s_internal); destination(d_localfile); };
> log { source(s_local); destination(d_remote); };
>
> On the syslog server (Fedora c10), the configuration is:
>
> source s_remote_tcp {tcp (ip (0.0.0.0) port(514)); };
> # I have tried with udp also.
> destination d_localfile {file ("/root/syslog.log"); };
> log { source (s_remote_tcp); destination (d_localfile); };
>
> After a few tests, I have noticed (with the help of Wireshark) the
> following:
> 1. In the UDP case, it sends the logs, I can see the packets arriving on
> the server with tcpdump, but the server returns an ICMP error
> Destination Unreachable, with the code "Host Administratively Prohibited"
> 2. The same thing in the TCP case, only that the message is not sent, only
> the first SYN packet trying to establish the TCP connection, and it
> receives the same ICMP error from the server.
>
>
> On the server I have Fedora Core 10, with SELinux disabled. No
> firewall at all. Actually I don't know yet how to configure iptables.
>
> I have noticed that on the server, if I try to define a source like
> this:
> source s_remote_tcp {tcp (ip (192.168.53.151) port(514)); };
> it will give an error:
> Starting syslog-ng: Error binding socket;
> addr='AF_INET(192.168.53.151:514)', error='Cannot assign requested
> address (99)'
> Error initializing source driver; source='s_remote_tcp'
>
> Please, can someone help me with this problem? I don't know what could be
> blocking the packets, whether it is because of the OS or because of the
> syslog-ng configuration.
ICMP admin prohibited is probably generated by the packet filter. It
cannot be generated by an application (unless it'd be injecting ICMP
packets of its own, which syslog-ng doesn't do).
Also, I wanted to point out that starting with 2.1, syslog-ng has its
own SQL destination, no need to mess with named pipes. But if you decide
to use a newer version, I would recommend 3.0.3, the current stable
version.
--
Bazsi
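The bind error in the quoted mail ("Cannot assign requested address (99)") is separate from the firewall problem: errno 99 is EADDRNOTAVAIL, which bind() returns when the address given to ip() is not assigned to any interface on that host. The listener has to bind to one of the server's own addresses (or 0.0.0.0 for all of them, as in the working config); 192.168.53.151 is not one. Below is an added example of a server/client pair for the setup described, not configuration from the thread or from the syslog-ng documentation. The addresses and port are the ones in the mail; the destination path, the $HOST macro and the use of the udp() driver are assumptions for a 3.0-series syslog-ng.

```conf
# Added example (not from the thread). Server side, 192.168.53.248,
# syslog-ng 3.0: ip() must be an address the server actually owns, or
# 0.0.0.0. Binding to an address the host does not have, such as
# 192.168.53.151, fails with "Cannot assign requested address (99)".
source s_remote_tcp { tcp(ip(192.168.53.248) port(514)); };
source s_remote_udp { udp(ip(192.168.53.248) port(514)); };

# One file per sending host instead of a single /root/syslog.log;
# $HOST and create_dirs() are assumed available in this version.
destination d_remote_log {
    file("/var/log/remote/$HOST.log" create_dirs(yes));
};

log { source(s_remote_tcp); source(s_remote_udp); destination(d_remote_log); };

# Client side (the Ubuntu host): the remote destination points at the
# server's address, and the firewall on the server must accept 514/tcp
# (or 514/udp if you switch the driver on both ends).
source s_local {
    internal();
    file("/proc/kmsg" log_prefix("kernel: "));
    unix-stream("/dev/log");
};
destination d_remote { tcp("192.168.53.248" port(514)); };
log { source(s_local); destination(d_remote); };
```

Keep the transport the same on both ends: a tcp() source will not receive datagrams sent to a udp() destination, and vice versa, even once the firewall lets the traffic through.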
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation:
http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html