[Discuss] Help with destination of syslog messages?


Scott Ehrlich

Mar 28, 2012, 5:44:07 PM
to blug
I have a test environment consisting of Win 2008 R2 Server and Windows
XP w/SP3, both running the latest Snare Agent for Windows, along with
RHEL 5.6 and RHEL 6.2 servers, all within a VM environment.

I am testing Linux as a central logging option. Snare Agent (free
version) uses UDP, so it is a natural option for standard syslog on
Linux.

I am tailing /var/log/messages and only see host-only traffic, but
another terminal window running tcpdump (or tcpdump -X port 514) DOES
show incoming traffic from the clients. My question is where the
heck is that data going? There are NO error messages on whichever
Linux box I designate as the server (if I were to switch between 5.6
and 6.2).

Traffic is coming in, but I'd love to know where, if anywhere, it is
being written.

Or, is there another step I need to learn to capture the data to a file?

An ls -ltr /var/log doesn't show anything helpful, either.

Thanks for any insights.

Scott
_______________________________________________
Discuss mailing list
Dis...@blu.org
http://lists.blu.org/mailman/listinfo/discuss

Richard Pieri

Mar 28, 2012, 7:24:41 PM
to blug
On Mar 28, 2012, at 5:44 PM, Scott Ehrlich wrote:
>
> Traffic is coming in, but I'd love to know where, if anywhere, it is
> being written.

If it doesn't show up in /var/log/messages or /var/log/syslog then it isn't being written anywhere. The traffic is being dropped. Perhaps your syslog daemon isn't configured for remote access? What syslog daemon are you using?

--Rich P.

Tom Metro

Mar 28, 2012, 10:47:51 PM
to L-blu
Richard Pieri wrote:
> Perhaps your syslog daemon isn't configured for remote access?

That'd be my guess. Debian-universe distributions have remote reception
turned off by default. Other distributions probably do likewise.

netstat should be able to confirm if it is listening on the syslog port.


> If it doesn't show up in /var/log/messages or /var/log/syslog then it
> isn't being written anywhere.

I sometimes create a temporary rule that wildcards all facilities and
priorities and writes them to a file so you can first confirm that
syslog is passing through the messages you expect. Then you can write
specific rules to put the messages where you want.

-Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/

Kevin D. Clark

Mar 29, 2012, 10:08:05 AM
to blug
Scott Ehrlich writes:

> I am tailing /var/log/messages and only see host-only traffic, but
> another terminal window running tcpdump (or tcpdump -X port 514) DOES
> show incoming traffic from the clients. My question is where the
> heck is that data going? There are NO error messages on whichever
> Linux box I designate as the server (if I were to switch between 5.6
> and 6.2).

Can you show us the contents of your /etc/sysconfig/syslog file?

Can you show us your /etc/syslog.conf file?

Can you tell us which syslog facility/priority the incoming messages
are arriving with?

Thanks very much,

--kevin
--
alumni.unh.edu!kdc / http://kdc-blog.blogspot.com/
GnuPG: D87F DAD6 0291 289C EB1E 781C 9BF8 A7D8 B280 F24E

And the Army Ants, they leave nothin' but the bones...
-- Tom Waits
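Kevin's question about which facility/priority the incoming messages carry, and Tom's suggestion to confirm with netstat that the daemon is listening, as an added example that is not from any of the posters: a small Python script that decodes the `<PRI>` field of a raw UDP syslog datagram (the bytes `tcpdump -X port 514` shows) into facility and severity, and checks a `netstat -uln` listing for a socket bound to UDP 514. The Snare-style datagram and the netstat listings are constructed samples, not captures from Scott's hosts.

```python
import re
from typing import NamedTuple

# RFC 3164 PRI encoding: PRI = facility * 8 + severity, printed as "<PRI>" at the
# very start of the datagram. Snare's free agent sends plain UDP syslog like this.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


class SyslogMessage(NamedTuple):
    facility: str
    severity: str
    body: str


def decode_pri(datagram: bytes) -> SyslogMessage:
    """Split a raw UDP syslog datagram into facility, severity and message body."""
    m = re.match(rb"<(\d{1,3})>(.*)", datagram, re.DOTALL)
    if not m:
        # RFC 3164: a datagram with no parsable PRI is treated as user.notice (13)
        return SyslogMessage("user", "notice", datagram.decode("latin-1"))
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return SyslogMessage(FACILITIES[pri // 8], SEVERITIES[pri % 8],
                         m.group(2).decode("latin-1"))


def listening_on_udp(port: int, netstat_output: str) -> bool:
    """True if a 'netstat -uln' listing shows a UDP socket bound to the given port.

    Column layout assumed: Proto Recv-Q Send-Q Local-Address Foreign-Address.
    If this returns False, the daemon is not receiving remotely and the
    datagrams seen by tcpdump are simply dropped by the kernel.
    """
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue
        if fields[3].rsplit(":", 1)[-1] == str(port):  # works for 0.0.0.0:514 and :::514
            return True
    return False


# Constructed samples (not real captures): a Snare-style event, and two netstat
# listings, one from a box with remote reception off and one with it on.
SAMPLE_DATAGRAM = b"<13>Mar 28 17:44:07 winxp MSWinEventLog\t1\tSecurity\t4624\tlogon ok"
NETSTAT_NO_SYSLOG = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""
NETSTAT_WITH_SYSLOG = NETSTAT_NO_SYSLOG + "udp        0      0 0.0.0.0:514             0.0.0.0:*\n"
```

Once the daemon is confirmed to be listening, Tom's temporary catch-all is a single `*.*` selector line in syslog.conf pointing at a scratch file, which shows every facility/severity pair the clients actually send before narrower rules are written.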
