
A Central Syslog Svr Setup-freebsd4.5


pat

Jul 8, 2002, 8:25:34 PM
Hi
I am hoping someone out there may want to give me a few pointers on how to set
up a syslog svr. I think I have most of it done but I think I am missing
something.

I have 2 boxes set up with FreeBSD: a gateway box, FBSD 4.5 w/3 NICs, and a
simple svr, FBSD 4.6 w/2 NICs, of which only one is configured.

The 4.6 is my syslog server and the 4.5 will be the client that sends its logs to
the 4.6 svr.

I have uncommented the line to send the logs and stated the address in the
syslog.conf file. I have checked name resolution and all is fine.

On the 4.6 svr I have added to the rc.conf
syslogd_flag="-a[ip address of 4.5 box] -b[ip address of 4.6 connected to
4.5]"
Do I, by adding this flag to this file, cancel out the other 2 flag lines (i.e.
"-s" and "-ss") from /etc/default/rc.conf?

I have not altered the rc.conf file inside the defaults folder.

I have run netstat -an and I do see the UDP port, but it is not in LISTEN; that
field is blank.

I have run nmap -sU from the 4.5 box and found port 514 open on the 4.6 box.

I have tried to pass a message from 4.5 with logger:

logger -h[ip address of 4.6] -s hello
and cannot find it in any of the logs on 4.6, nor is there any log info
from 4.5.

I have logged the interface on 4.5 connected to 4.6 in my ipf rule set and
see the logger message enter the wire.

Have I missed a setup some where?

Dazed and confused



pat

Jul 10, 2002, 10:41:18 PM
solved

"pat" <ho...@speakeasy.net> wrote in message
news:uikbc02...@corp.supernews.com...

pat

Jul 12, 2002, 11:18:29 AM
Things I did wrong:
1) The hosts file on both your client and log host must match. I was using a
CNAME for my loghost. That name was not mapped in the hosts file of my
loghost, only in the client. I dropped using CNAMEs. It seems that the
loghost checks its hosts file when it receives logs from other machines. If a
host name is used in syslog.conf of the client it will check that host name
against its resolution method, i.e. hosts-dns in my case. Since I had not
added the CNAME to the log host's hosts file, nor was it in a zone, it decided to
reject the packets from the client. I am not an expert; this explanation is
a guess on my part.
2) Logger does not check resolution and authentication (if you will) in the
same manner as syslogd does. You may be able to pass messages to your loghost
correctly but you might not be able to send your regular logs; just keep
that in mind.
3) Watch the switches that your client has for syslogd. It does not like
"-ss" but is OK with "-s".
4) The switch I used on the loghost, at this time, in the rc.conf is:
syslogd_flags="-4 -a[ip_address_client]:*"


I hope this helps anybody who finds themselves trying to troubleshoot their
loghost confs.

Happy Computing and good luck


"pat" <ho...@speakeasy.net> wrote in message

news:uips2fb...@corp.supernews.com...
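The following is an added example, not something pat or anyone else in the thread posted: a small offline checker for the three things pat's summary says broke forwarding (the loghost alias missing from the loghost's own /etc/hosts, "-ss" on the client, and the loghost's -a allow list). It works on constructed copies of the files rather than touching the live system, and every hostname, address and flag value in it is an assumption made for the example.

```sh
#!/bin/sh
# Added example, not code from the thread. Offline sanity check for the
# points in pat's summary. All file contents, names and addresses below
# are constructed for the example.

CLIENT_IP=192.0.2.1       # assumed address of the 4.5 gateway (the client)
LOGHOST_IP=192.0.2.10     # assumed address of the 4.6 loghost

# Constructed client /etc/syslog.conf: forward everything to the loghost by name.
CLIENT_SYSLOG_CONF='*.*    @loghost'

# Constructed /etc/hosts files. In the broken case the alias "loghost"
# exists only on the client, as in pat's point 1.
CLIENT_HOSTS="$LOGHOST_IP logsrv loghost
$CLIENT_IP gw"
LOGHOST_HOSTS_BAD="$LOGHOST_IP logsrv
$CLIENT_IP gw"
LOGHOST_HOSTS_OK="$LOGHOST_IP logsrv loghost
$CLIENT_IP gw"

# Constructed syslogd_flags values from rc.conf on each box.
CLIENT_FLAGS_BAD='-ss'                  # no network socket: cannot forward
CLIENT_FLAGS_OK='-s'                    # secure mode, but can still send
LOGHOST_FLAGS_BAD="-a$CLIENT_IP -b$LOGHOST_IP"
LOGHOST_FLAGS_OK="-4 -a$CLIENT_IP:*"    # pat's final working flags

# forward_target CONF: print the host after '@' on the first forwarding line.
forward_target() {
    printf '%s\n' "$1" | awk '$2 ~ /^@/ { sub(/^@/, "", $2); print $2; exit }'
}

# host_in_hosts NAME HOSTS: succeed if NAME is listed as a name in HOSTS.
host_in_hosts() {
    printf '%s\n' "$2" | awk -v n="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# flags_can_send FLAGS: fail if "-ss" is present (no network socket at all).
flags_can_send() {
    case " $1 " in *" -ss"*|*" -s -s "*) return 1 ;; esac
    return 0
}

# loghost_allows IP FLAGS: succeed if some -a entry admits IP. Only the bare
# address, address:service and address/masklen forms are recognised here;
# hostname entries are not.
loghost_allows() {
    _ip=$1
    set -f; set -- $2; set +f      # split flags on whitespace, no globbing
    flags_can_send "$*" || return 1
    for _f in "$@"; do
        case "$_f" in
            -a"$_ip"|-a"$_ip":*|-a"$_ip"/*) return 0 ;;
        esac
    done
    return 1
}

# check_setup CONF CLIENT_HOSTS LOGHOST_HOSTS CLIENT_FLAGS LOGHOST_FLAGS CLIENT_IP
# Prints each finding and returns the number of problems (0 = looks sane).
check_setup() {
    _n=0
    _t=$(forward_target "$1")
    if [ -z "$_t" ]; then
        echo "client: no '@host' forwarding line in syslog.conf"; _n=$((_n + 1))
    else
        case "$_t" in
            *[!0-9.]*)   # a name, not a dotted quad: must resolve on both ends
                host_in_hosts "$_t" "$2" || { echo "client: $_t not in /etc/hosts"; _n=$((_n + 1)); }
                host_in_hosts "$_t" "$3" || { echo "loghost: $_t not in its own /etc/hosts (point 1)"; _n=$((_n + 1)); }
                ;;
        esac
    fi
    flags_can_send "$4" || { echo "client: -ss disables forwarding (point 3)"; _n=$((_n + 1)); }
    loghost_allows "$6" "$5" || { echo "loghost: no -a entry admitting $6 (point 4)"; _n=$((_n + 1)); }
    return $_n
}

echo "== broken setup =="
check_setup "$CLIENT_SYSLOG_CONF" "$CLIENT_HOSTS" "$LOGHOST_HOSTS_BAD" \
    "$CLIENT_FLAGS_BAD" "$LOGHOST_FLAGS_BAD" "$CLIENT_IP" || echo "$? problem(s)"
echo "== fixed setup =="
check_setup "$CLIENT_SYSLOG_CONF" "$CLIENT_HOSTS" "$LOGHOST_HOSTS_OK" \
    "$CLIENT_FLAGS_OK" "$LOGHOST_FLAGS_OK" "$CLIENT_IP" && echo "no problems found"
```

To use it against real boxes, replace the constructed strings with `$(cat /etc/syslog.conf)`, `$(cat /etc/hosts)` from each host and the `syslogd_flags` value from each rc.conf. One caveat on point 4: a syslogd `-a` entry without a `:service` suffix accepts datagrams only from source port 514, and `logger -h` does not send from that port, so `:*` is what lets a logger test through; that is one reason logger and real syslogd forwarding can behave differently, as pat's point 2 observes.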

David Malone

Jul 9, 2002, 3:37:31 AM
"pat" <ho...@speakeasy.net> writes:

>Do I by adding this flag to this file cancil out the other 2 flag lines (ie.
>"-s" and "-ss") from /etc/default/rc.conf ?

Yes - any setting in /etc/rc.conf overrides what is in /etc/defaults/rc.conf.

>I have netstat -an and I do see the udp port but it is not in LISTEN that
>field is blank.

I'm having trouble understanding this sentence. However, udp sockets do
not have a listen state like tcp sockets - they always listen.

>I have tryed to pass a message from 4.5 with logger

>logger -h[ip address of 4.6] -s hello
>and can not find it in any of the logs on 4.6 nor are there any log info
>from 4.5

It may be that these messages are being logged at a level which doesn't
end up in a file on the 4.6 host. I'd suggest either running syslogd
in debugging mode by hand, or adding a line to the top of syslog.conf
saying:

*.* my_user_name

and then HUPing syslogd. That way all syslog messages will be sent to
your tty, so you'll have a better idea what is going on.

David.
