RE: [logs] RedHat, Syslog and Remote Logging

From: Shawn Leard (SLeard@private)
Date: Thu Dec 18 2003 - 15:41:08 PST


    Hi Julio,
    
    
    Here are some things to check.
    
    1) Make sure the file /etc/sysconfig/syslog exists and is readable by
       whatever user syslogd will run as.
       If this does not exist then syslogd will run with only the options
       "-m 0". This is of course only needed on the syslog server.
    
    2) Make sure the below entry exists in /etc/services
       syslog          514/udp
    
    3) Make sure that /etc/syslog.conf on both the client and the syslog
       server agree on facility.level and there is an action on both, though
       they will be different, i.e. client logs to loghost and loghost logs
       to a file.
    
       Below are examples:
    
    
    user.crit                       ifdef(`LOGHOST', /var/log/syslog, @loghost)
    
       This is an example from the client where loghost should at least for
       testing exist in /etc/hosts,
       later on you can move this to DNS, NIS, or NIS+ if you like.
    
    
    user.crit			/var/log/warn
    
       This is an example from the server.
    
    
    
    If you have to make any changes to these config files do a kill -HUP on
    syslogd.
    
    
    
    After doing all this you can verify by doing a tail /var/log/warn
    
    and/or
    
    
    tcpdump udp and host CLIENTNAME
    
    Your output will be something like...
    
    18:37:46.708324 client.xxxx.gov.39646 > syslog-server.xxxx.gov.syslog: udp 54 (DF)
    
    
    
    Have fun,
    
    Shawn
    
    
    
    
    --On Thursday, December 18, 2003 05:38:58 PM -0300 Julio Jaime 
    <jjaime@ticket-accor.com.ar> wrote:
    
    > Hi Allan,
    >
    > 	I have my syslog running on Red Hat 9 and 7.3. The command line is:
    >
    > 	syslogd -r -m 0
    >
    > 	In the init.d file the start line is :
    >
    >###########################################################	
    ># Source config
    > if [ -f /etc/sysconfig/syslog ] ; then
    >         . /etc/sysconfig/syslog
    > else
    >         SYSLOGD_OPTIONS="-m 0"
    >         KLOGD_OPTIONS="-2"
    > fi
    >
    > RETVAL=0
    >
    > umask 077
    >
    > start() {
    >         echo -n $"Starting system logger: "
    >         daemon syslogd $SYSLOGD_OPTIONS
    >         RETVAL=$?
    >         echo
    >         echo -n $"Starting kernel logger: "
    >         daemon klogd $KLOGD_OPTIONS
    >         echo
    >         [ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
    >         return $RETVAL
    > }
    >
    >###################################################################
    >
    >
    > Best regards.
    >
    > =======================================
    > Julio Jaime
    > Americas Zone Security Admin.
    > Accor Services - Servicios Ticket S.A.
    > Av. Díaz Vélez 4367
    > (C1200 AAK) Bs. As. - Argentina
    > Tel.:  (54-11) 4909-1375
    > Fax.: (54-11) 4909-1394
    > jjaime@private
    > =======================================
    >
    >
    >
    > -----Original message-----
    > From: Allan Liska [mailto:allan@private]
    > Sent: Thursday, December 18, 2003 04:49 p.m.
    > To: loganalysis@private
    > Subject: [logs] RedHat, Syslog and Remote Logging
    >
    >
    > Good Afternoon,
    >
    > I am trying to set up remote logging on a Redhat box.  Normally, all it
    > would take is adding the -r to syslog, but that does not seem to work.
    > More specifically, if I start syslog from the command line with a -r it
    > works fine, but if I edit the syslog start up file so that syslog starts
    > with the -r the server does not accept any remote connections.
    >
    > Does anyone have any experience with this, and can anyone offer me any
    > suggestions?
    >
    >
    > Thanks!
    >
    >
    > allan
    
    
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
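
The three checks from the message above, written out as shell functions. This is an added example, not part of the original thread; the function names are hypothetical, and the file paths are arguments so the checks can be run against copies of the files.

```shell
#!/bin/sh
# Added example: the three checks from the message, as functions.
# File paths are arguments so the checks can run against copies.

# Check 1: the options file is readable and SYSLOGD_OPTIONS carries -r.
# It is sourced in a subshell, as the quoted init script sources it.
# Only a stand-alone "-r" is recognised (not bundled flags).
check_sysconfig() {
    f=${1:-/etc/sysconfig/syslog}
    [ -r "$f" ] || { echo "FAIL: $f unreadable, init script falls back to -m 0"; return 1; }
    opts=$( unset SYSLOGD_OPTIONS; . "$f" >/dev/null 2>&1; printf '%s' "$SYSLOGD_OPTIONS" )
    case " $opts " in
        *" -r "*) echo "OK: SYSLOGD_OPTIONS=\"$opts\"" ;;
        *) echo "FAIL: no -r in SYSLOGD_OPTIONS=\"$opts\""; return 1 ;;
    esac
}

# Check 2: /etc/services maps syslog to 514/udp.
check_services() {
    f=${1:-/etc/services}
    if awk '$1 == "syslog" && $2 == "514/udp" { ok = 1 } END { exit !ok }' "$f" 2>/dev/null
    then echo "OK: syslog 514/udp in $f"
    else echo "FAIL: no syslog 514/udp entry in $f"; return 1
    fi
}

# Check 3: selector has a forwarding action (client) or a file action (server).
# The selector is matched exactly; combined selectors such as a;b are not split.
check_selector() {
    role=$1; sel=$2; f=${3:-/etc/syslog.conf}
    case $role in
        client) want='^@' ;;
        server) want='^-?/' ;;
        *) echo "usage: check_selector client|server SELECTOR [FILE]"; return 2 ;;
    esac
    if awk -v sel="$sel" -v want="$want" \
        '$1 == sel && $NF ~ want { ok = 1 } END { exit !ok }' "$f" 2>/dev/null
    then echo "OK: $sel has a $role action in $f"
    else echo "FAIL: $sel has no $role action in $f"; return 1
    fi
}
```

On the syslog server, run `check_sysconfig`, `check_services` and `check_selector server user.crit`; on the client, run `check_selector client user.crit`.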
    



    This archive was generated by hypermail 2b30 : Thu Dec 18 2003 - 15:48:46 PST