Try any of the following:

http://www.loganalysis.org/ (look in the library section)
http://www.cisco.com/warp/public/477/RME/rme_syslog.html
http://www.linuxhomenetworking.com/linux-hn/logging.htm

Sujit wrote:

>Hi,
>
>Thanks for replying to my earlier mail. All the replies I got suggested using the -r argument in the SYSLOG_OPTIONS in the /etc/sysconfig/syslog file.
>
>However we have already made that change. Also the iptables commands used are:
>
>At the server side:
>
>iptables -A INPUT -s <client ip> -d <server ip> -j ACCEPT
>iptables -t filter -A INPUT -j LOG
>
>At the client side:
>
>iptables -A OUTPUT -s <client ip> -d <server ip> -j ACCEPT
>
>No other iptables rule is present as shown by the iptables --list command.
>
>Still the problem persists, i.e. packets from client to server only are getting logged but not the actual log messages from the client, e.g. the authorization messages and other messages.
>
>Just a question: do any changes have to be made in the client/server's hosts.allow file? If yes, what?
>
>Are there any other changes to be made in any of the linux files, apart from the ones previously mentioned?
>
>Can you please suggest a comprehensive online tutorial for syslog remote logging, which covers even the trivial aspects and also all linux file modifications that are required for successful remote logging?
>
>I'm sending the syslog.conf files again for your convenience.
>
>Thanks in advance,
>
>Sujit.
>
>
># client's syslog.conf
>
># Log all kernel messages to the console.
># Logging much else clutters up the screen.
>#kern.* /var/log/kern.txt
>
># Log anything (except mail) of level info or higher.
># Don't log private authentication messages!
>
>*.info;mail.none;authpriv.none;cron.none /var/log/messages
>*.info;mail.none;authpriv.none;cron.none @192.168.7.142 #This is the server ip address
>
>
># The authpriv file has restricted access.
>authpriv.* /var/log/secure
>
># Log all the mail messages in one place.
>mail.* /var/log/maillog
>
>
># Log cron stuff
>cron.* /var/log/cron
>
># Everybody gets emergency messages
>*.emerg *
>
># Save news errors of level crit and higher in a special file.
>uucp,news.crit /var/log/spooler
>
># Save boot messages also to boot.log
>local7.* /var/log/boot.log
>
>#server's syslog.conf
>
># Log all kernel messages to the console.
># Logging much else clutters up the screen.
>#kern.* /dev/console
># Log anything (except mail) of level info or higher.
># Don't log private authentication messages!
>
>*.info;mail.none;authpriv.none;cron.none /var/log/messages
>
>
># The authpriv file has restricted access.
>authpriv.* /var/log/secure
># Log all the mail messages in one place.
>mail.* /var/log/maillog
># Log cron stuff
>cron.* /var/log/cron
># Everybody gets emergency messages
>*.emerg *
># Save news errors of level crit and higher in a special file.
>uucp,news.crit /var/log/spooler
># Save boot messages also to boot.log
>local7.* /var/log/boot.log
>
># the packets getting logged, received at port 514 of the server
># server ip address 192.168.7.142
># client ip address 192.168.7.141
>
>Mar 24 12:54:26 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=36
>
>Mar 24 12:54:26 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=65
>
>Mar 24 12:55:33 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=80
>
>Mar 24 12:56:24 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=61
>
>Mar 24 12:59:10 linuxws142 kernel: device eth0 entered promiscuous mode
>Mar 24 13:00:00 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=56
>
>Mar 24 13:00:32 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=53
>
>Mar 24 13:00:46 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=80
>
>Mar 24 13:00:55 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=61
>
>Mar 24 13:05:12 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=80
>
>Mar 24 13:05:15 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=61
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>LogAnalysis mailing list
>LogAnalysis@private
>http://lists.shmoo.com/mailman/listinfo/loganalysis
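Besides the server's -r option and the firewall rules, the third thing that decides what reaches the server is the selector on the client's forwarding line: sysklogd applies the ';'-separated parts left to right and a later part for the same facility overrides an earlier one, so `*.info;mail.none;authpriv.none;cron.none` sends everything at info or above except mail, authpriv and cron. The following is an added example, not code from the thread or from sysklogd: a small evaluator of classic syslog.conf selectors, run over a configuration constructed from the client's syslog.conf quoted above (the trailing inline comment on the forwarding line is left out), plus the RFC 3164 PRI value each sample message would carry on the wire. The sample (facility, severity) pairs are constructed; the '=' and '!' priority modifiers of newer syslogd versions are not handled.

```python
"""Evaluate sysklogd-style syslog.conf selectors to see which messages a
client forwards to a remote server, and what RFC 3164 PRI value they carry.

Added example (not from the mailing-list thread or sysklogd). CLIENT_CONF is
constructed from the client's syslog.conf quoted in the thread.
"""

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Constructed from the client-side syslog.conf quoted in the thread
# (trailing inline comment on the forwarding line omitted).
CLIENT_CONF = """\
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @192.168.7.142
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
"""


def pri(facility, severity):
    """RFC 3164 PRI value sent in the '<N>' prefix: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def selector_matches(selector, facility, severity):
    """True if a message of (facility, severity) is selected by a selector
    such as '*.info;mail.none;authpriv.none'.

    sysklogd semantics: parts are applied left to right and a later part
    naming the same facility overrides an earlier one. A level of 'none'
    drops the facility, '*' takes every level, and a named level means that
    level or anything more severe (numerically lower).
    """
    sev = SEVERITIES[severity]
    selected = False
    for part in selector.split(";"):
        facs, _, level = part.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if level == "none":
            selected = False
        elif level == "*":
            selected = True
        else:
            selected = sev <= SEVERITIES[level]
    return selected


def parse_conf(text):
    """Yield (selector, action) pairs; whole-line comments and blank lines
    are skipped, and selector/action may be separated by tabs or spaces."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        yield selector, action.strip()


def forward_targets(conf_text, facility, severity):
    """Remote hosts (actions starting with '@') that receive the message."""
    return [action[1:] for selector, action in parse_conf(conf_text)
            if action.startswith("@")
            and selector_matches(selector, facility, severity)]


def local_targets(conf_text, facility, severity):
    """Non-network actions (files, or '*' for all logged-in users)."""
    return [action for selector, action in parse_conf(conf_text)
            if not action.startswith("@")
            and selector_matches(selector, facility, severity)]


if __name__ == "__main__":
    # Constructed samples: a login event (authpriv), a PAM/auth notice,
    # a cron run, a kernel warning and a mail error.
    samples = [("authpriv", "notice"), ("auth", "info"), ("cron", "info"),
               ("kern", "warning"), ("mail", "err")]
    for fac, sev in samples:
        print(f"<{pri(fac, sev):>3}> {fac}.{sev:<8}"
              f" remote={forward_targets(CLIENT_CONF, fac, sev)}"
              f" local={local_targets(CLIENT_CONF, fac, sev)}")
```

Running it shows that with this client configuration an `authpriv.notice` message is written to /var/log/secure but forwarded nowhere, while `auth.info` and `kern.warning` go to 192.168.7.142; a `cron.emerg` still reaches every logged-in user via `*.emerg *` but is not forwarded either. Checking the forwarding selector this way is a quick sanity step before looking at the network path.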
This archive was generated by hypermail 2.1.3 : Sun Mar 27 2005 - 10:38:21 PST