[NTLUG:Discuss] Remote Syslog help needed
Michael Barnes
barnmichael at gmail.com
Sun Aug 30 22:32:57 CDT 2009
I have an appliance that can send its logs to a remote log server. I have a
CentOS 4 box I am trying to capture the logs with. But, it doesn't work.
Here is a section of a tcpdump.
22:19:40.011704 IP (tos 0x0, ttl 47, id 30032, offset 0, flags [none], proto: UDP (17), length: 96) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 68
        Facility local0 (16), Severity notice (5)
        Msg: ATLAS 830[ADTRAN]:L2-Formatted|5|3|Sent = Sapi:00[|syslog]
22:19:40.011714 IP (tos 0xc0, ttl 64, id 43329, offset 0, flags [none], proto: ICMP (1), length: 124) bridge.srn.loc > atlas.srn.loc: ICMP host bridge.srn.loc unreachable - admin prohibited, length 104
        IP (tos 0x0, ttl 47, id 30032, offset 0, flags [none], proto: UDP (17), length: 96) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 68
        Facility local0 (16), Severity notice (5)
        Msg: ATLAS 830[ADTRAN]:L2-[|syslog]
22:19:40.012375 IP (tos 0x0, ttl 47, id 30033, offset 0, flags [none], proto: UDP (17), length: 86) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 58
        Facility local0 (16), Severity notice (5)
        Msg: ATLAS 830[ADTRAN]:L2-Formatted|5|3| Ctl:SAB[|syslog]
22:19:40.012382 IP (tos 0xc0, ttl 64, id 43330, offset 0, flags [none], proto: ICMP (1), length: 114) bridge.srn.loc > atlas.srn.loc: ICMP host bridge.srn.loc unreachable - admin prohibited, length 94
        IP (tos 0x0, ttl 47, id 30033, offset 0, flags [none], proto: UDP (17), length: 86) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 58
        Facility local0 (16), Severity notice (5)
        Msg: ATLAS 830[ADTRAN]:L2-[|syslog]
You can see atlas sending a log entry to bridge. It looks like bridge is
rejecting it due to a prohibition of ICMP traffic.
Here are the iptables:
[root at bridge ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  10.113.35.150        anywhere            udp spt:ntp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
I have a suspicion that last line about "reject-with icmp-host-prohibited"
might be part of my problem. But I'm rusty with iptables and don't know how
to fix it if it needs fixing.
Another concern is if it is actually listening for remote logs. Here are the
netstat results.
[root at bridge ~]# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:908                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
udp        0      0 0.0.0.0:32768               0.0.0.0:*
udp        0      0 0.0.0.0:514                 0.0.0.0:*
udp        0      0 0.0.0.0:902                 0.0.0.0:*
udp        0      0 0.0.0.0:905                 0.0.0.0:*
udp        0      0 0.0.0.0:67                  0.0.0.0:*
udp        0      0 0.0.0.0:5353                0.0.0.0:*
udp        0      0 0.0.0.0:111                 0.0.0.0:*
udp        0      0 0.0.0.0:631                 0.0.0.0:*
udp        0      0 10.113.35.100:123           0.0.0.0:*
udp        0      0 10.33.8.22:123              0.0.0.0:*
udp        0      0 127.0.0.1:123               0.0.0.0:*
udp        0      0 0.0.0.0:123                 0.0.0.0:*
udp        0      0 :::32769                    :::*
udp        0      0 :::5353                     :::*
udp        0      0 fe80::20e:cff:fedc:f479:123 :::*
udp        0      0 fe80::211:11ff:fe6f:123     :::*
udp        0      0 ::1:123                     :::*
udp        0      0 :::123                      :::*
raw        0      0 0.0.0.0:1                   0.0.0.0:*                   7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     7538   @/var/run/hald/dbus-Eb2j7rE2qL
unix  2      [ ACC ]     STREAM     LISTENING     6203   /var/run/audit_events
unix  2      [ ACC ]     STREAM     LISTENING     6571   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     6798   /var/run/pcscd.comm
unix  2      [ ACC ]     STREAM     LISTENING     6951   /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     6994   /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     7496   /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     7345   /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     7537   @/var/run/hald/dbus-4rWrcHMzPP
I notice the state is not set to listen for port 514, for syslog. Could I
not have syslog configured correctly?
[root at bridge ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none      /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# If they show up, save Atlas log
local0.*                                                /var/log/atlas

#
# INN
#
news.=crit                                              /var/log/news/news.crit
news.=err                                               /var/log/news/news.err
news.notice                                             /var/log/news/news.notice
[root at bridge ~]#
Any ideas appreciated.
Michael
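The following is an added triage script, not part of Michael's post or of any reply in the thread. It reads the two artifacts the post shows (a tcpdump excerpt and the RH-Firewall-1-INPUT chain) from constructed sample text that mirrors them, and checks two things a defender would want confirmed: whether the ICMP "host unreachable - admin prohibited" replies line up with syslog datagrams (they are the kernel's answer to the chain's final REJECT rule, which is reached because no ACCEPT for udp dpt:syslog precedes it), and where in the chain an ACCEPT would have to be inserted to take effect. It then prints, without executing, the fix for a CentOS 4 log server running sysklogd: an iptables rule scoped to the appliance address, and the sysklogd -r option in /etc/sysconfig/syslog, since without it the daemon discards network messages. The appliance address is a placeholder; the sample text is constructed, not the post's verbatim output. Note also that netstat shows no LISTEN state for UDP sockets at all, so the bound 0.0.0.0:514 line in the post is what a listening syslogd looks like.

```shell
#!/bin/sh
# Offline triage for "remote syslog never arrives", written from the log server's side.
# All sample data below is CONSTRUCTED to mirror the post; nothing here touches the system.

# Constructed tcpdump excerpt: each UDP/514 datagram is answered with ICMP admin-prohibited.
TCPDUMP_SAMPLE='22:19:40.011704 IP atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 68
22:19:40.011714 IP bridge.srn.loc > atlas.srn.loc: ICMP host bridge.srn.loc unreachable - admin prohibited, length 104
22:19:40.012375 IP atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 58
22:19:40.012382 IP bridge.srn.loc > atlas.srn.loc: ICMP host bridge.srn.loc unreachable - admin prohibited, length 94'

# Constructed "iptables -L" chain: there is no ACCEPT for udp dpt:syslog before the REJECT.
IPTABLES_SAMPLE='Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited'

# Count ICMP "admin prohibited" replies in a tcpdump excerpt. Each one is the kernel
# answering a REJECT ... reject-with icmp-host-prohibited rule; it does not mean ICMP
# itself is blocked. grep -c exits 1 on zero matches, so keep the count and ignore that.
count_admin_prohibited() {
    printf '%s\n' "$1" | grep -c 'ICMP host .* unreachable - admin prohibited' || true
}

# Print "yes" if an ACCEPT for udp dpt:syslog (iptables -L prints the /etc/services
# name, so also accept a literal 514) appears BEFORE the REJECT; rules after it never run.
firewall_allows_syslog() {
    printf '%s\n' "$1" | awk '
        /^REJECT/ { exit }
        /^ACCEPT/ && /udp/ && /dpt:(syslog|514)/ { found = 1; exit }
        END { print (found ? "yes" : "no") }'
}

# Rule number of the REJECT line (header lines 1-2 are not rules). An ACCEPT inserted
# at this position lands directly above the REJECT, which is the last safe spot.
reject_rule_number() {
    printf '%s\n' "$1" | awk 'NR > 2 { n++ } /^REJECT/ { print n; exit }'
}

# Emit (do not run) the fix for a CentOS 4 / sysklogd log server.
# $1 = appliance source address (placeholder here), $2 = rule number of the REJECT.
print_fix() {
    cat <<EOF
# 1. Accept UDP/514 from the appliance only, ahead of the REJECT rule (position $2):
iptables -I RH-Firewall-1-INPUT $2 -p udp -s $1 --dport 514 -j ACCEPT
service iptables save
# 2. Let sysklogd accept network messages: append -r to SYSLOGD_OPTIONS.
sed -i 's/^SYSLOGD_OPTIONS="\(.*\)"/SYSLOGD_OPTIONS="\1 -r"/' /etc/sysconfig/syslog
service syslog restart
# 3. Confirm the socket. UDP sockets never show LISTEN; a bound 0.0.0.0:514 line is correct.
netstat -lnu | grep ':514 '
EOF
}

main() {
    echo "ICMP admin-prohibited replies in capture: $(count_admin_prohibited "$TCPDUMP_SAMPLE")"
    echo "ACCEPT for udp dpt:syslog before REJECT: $(firewall_allows_syslog "$IPTABLES_SAMPLE")"
    print_fix "APPLIANCE_IP_PLACEHOLDER" "$(reject_rule_number "$IPTABLES_SAMPLE")"
}
main
```

On the real box, feed the functions `tcpdump -n -i eth0 udp port 514 or icmp` and `iptables -L RH-Firewall-1-INPUT` output instead of the samples; the rule-number helper matters because appending the ACCEPT with -A would place it after the REJECT, where it is never evaluated.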