syslogd does not log to a remote site on Solaris 11 11/11 X86


Victor Sudakov

May 17, 2014, 1:57:55 AM
Colleagues,

After configuring syslogd to log to a remote syslog server, I still
don't see any packets going to the said server.

# m4 < /etc/syslog.conf | grep admin
*.debug @admin
# svcadm restart svc:/system/system-log
# ping admin
admin is alive
# ps -ef | grep sysl
root 18594 16990 0 12:31:09 pts/236 0:00 grep sysl
root 17420 1 0 12:26:40 ? 0:00 /usr/sbin/syslogd
#

However "snoop port 514" shows no outgoing packets.

What am I missing?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

Casper H.S. Dik

May 17, 2014, 4:08:52 AM
Victor Sudakov <v...@mpeks.no-spam-here.tomsk.su> writes:

>Colleagues,

>After configuring syslogd to log to a remote syslog server, I still
>don't see any packets going to the said server.

># m4 < /etc/syslog.conf | grep admin
>*.debug @admin
># svcadm restart svc:/system/system-log
># ping admin
>admin is alive
># ps -ef | grep sysl
> root 18594 16990 0 12:31:09 pts/236 0:00 grep sysl
> root 17420 1 0 12:26:40 ? 0:00 /usr/sbin/syslogd
>#

>However "snoop port 514" shows no outgoing packets.

>What am I missing?

Have you tried syslogd -d?

Did you use spaces instead of tabs? (White space must be tabs
though we're changing that)

Any reason why using an older version of Solaris (instead of
Solaris 11.1 or Solaris 11.2 beta?)

Casper

Victor Sudakov

May 17, 2014, 4:23:33 AM
Casper H.S. Dik wrote:

> >After configuring syslogd to log to a remote syslog server, I still
> >don't see any packets going to the said server.

> ># m4 < /etc/syslog.conf | grep admin
> >*.debug @admin
> ># svcadm restart svc:/system/system-log
> ># ping admin
> >admin is alive
> ># ps -ef | grep sysl
> > root 18594 16990 0 12:31:09 pts/236 0:00 grep sysl
> > root 17420 1 0 12:26:40 ? 0:00 /usr/sbin/syslogd
> >#

> >However "snoop port 514" shows no outgoing packets.

> >What am I missing?

> Have you tried syslogd -d?

What specifically should I look for?

> Did you use spaces instead of tabs? (White space must be tabs
> though we're changing that)

Is it still required? FreeBSD does not care.
Let me check to make sure. Yes, I used tabs (old school).

> Any reason why using an older version of Solaris (instead of
> Solaris 11.1 or Solaris 11.2 beta?)

The only reason is "Do not fix what ain't broken". If there is a
known bug in syslogd fixed after Solaris 11 11/11, I might look into
upgrading.

Casper H.S. Dik

May 17, 2014, 9:44:43 AM
Victor Sudakov <v...@mpeks.no-spam-here.tomsk.su> writes:

>> Have you tried syslogd -d?

>What specifically should I look for?

It will print a list of what is going to be logged and where
and will show it when a message is seen.

Among others, it will show how your configuration file was
parsed.

For syslog testing you'd need to:
svcadm disable -t system-log
syslogd -d

you will need to stop it when you're done debugging
and restart system-log (svcadm enable system-log)

>> Did you use spaces instead of tabs? (White space must be tabs
>> though we're changing that)

>Is it still required? FreeBSD does not care.
>Let me check to make sure. Yes, I used tabs (old school).

Ok.

>> Any reason why using an older version of Solaris (instead of
>> Solaris 11.1 or Solaris 11.2 beta?)

>The only reason is "Do not fix what ain't broken". If there is a
>known bug in syslogd fixed after Solaris 11 11/11, I might look into
>upgrading.

With the internet, old axioms no longer hold. Not because you
need the newest features, but you'd really want the latest
fixes to security bugs and possibly the latest features such
as the "Extended Policy".

I don't think we changed anything specific in syslogd recently.

It should "just work", but you need to make sure they are all
tabs and also no trailing spaces.

Casper
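
The whitespace rule described in the post above (tabs only between selector and action, no trailing spaces) can be checked mechanically. This is an added example, not part of the original thread; the function name `check_syslog_conf` is hypothetical, and it assumes the input has already been expanded with `m4`, as in the first post.

```shell
# Added example: lint syslog.conf text for the two whitespace problems
# named in the thread. Hypothetical helper, not a Solaris tool.
# Reads the file given as $1, or standard input when no file is given.
# Prints "<line>: <problem>" per finding; returns 1 if anything was found.
check_syslog_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
    {
        line = $0
        # Trailing run of blanks: report it if it contains a space,
        # then strip it so the separator check sees only the fields.
        if (match(line, /[ \t]+$/)) {
            if (substr(line, RSTART) ~ / /) {
                printf "%d: trailing space after the action\n", NR
                found = 1
            }
            line = substr(line, 1, RSTART - 1)
        }
        # Selector is the leading run of non-blank characters.
        if (!match(line, /^[^ \t]+/)) next
        rest = substr(line, RLENGTH + 1)
        # Separator is the run of blanks between selector and action.
        if (match(rest, /^[ \t]+/) && substr(rest, 1, RLENGTH) ~ / /) {
            printf "%d: space between selector and action (tabs only)\n", NR
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }
    ' "${1:--}"
}

# Typical use, mirroring the command in the first post:
#   m4 < /etc/syslog.conf | check_syslog_conf
```

Line numbers in the findings refer to the `m4` output, not to the raw `/etc/syslog.conf`.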

Victor Sudakov

May 17, 2014, 10:16:55 PM
Casper H.S. Dik wrote:

> >> Have you tried syslogd -d?

> >What specifically should I look for?

> It will print a list of what is going to be logged and where
> and will show it when a message is seen.

> Among others, it will show how your configuration file was
> parsed.

> For syslog testing you'd need to:
> svcadm disable -t system-log
> syslogd -d

> you will need to stop it when you're done debugging
> and restart system-log (svcadm enable system-log)

I'll do this tomorrow when I come to work.