Re: [logs] Ref: Syslog Remote Logging

From: Troy Johnson (taj@private)
Date: Thu Mar 31 2005 - 10:21:51 PST


On 27 Mar 2005, Sujit wrote:
However, we have already made that change. Also, the iptables commands used are:
At the server side:

iptables -A INPUT -s <client ip> -d <server ip> -j ACCEPT  
iptables -t filter -A INPUT -j LOG

---

Hi Sujit,

Since the log message packets are appearing in iptables logs on the 
server, I assume the client iptables is letting the packets pass.

If the iptables rules on the server are in the above order, the first rule 
is not 'ACCEPT'-ing the packets. If it were, the packets would not make it 
down to the second rule, and so they would not be logged. I think there is 
a problem with the first iptables rule on the server.

You could do a number of things to troubleshoot the problem. If it is not 
risky to do so, you could drop the firewall for a short time:

  $ service iptables stop

and cause some logging to occur and see if it shows up on the server. Make 
sure you restart iptables when you confirm that it does or does not work:

  $ service iptables start

Maybe there are some other iptables rules you could try instead. This one 
accepts syslog messages from anywhere:

  $ iptables -t filter -A INPUT -p udp -m udp --dport 514 -j ACCEPT

while this one makes it accept only those from the client host:

  $ iptables -t filter -A INPUT -p udp -m udp -s <clientIP> --dport 514 -j ACCEPT

If you want something close to your original rule, perhaps eliminating the 
'-d' command switch and its argument might fix things for you:

  $ iptables -A INPUT -s <clientIP> -j ACCEPT

If none of these options are OK with you, check the presentation of the IP 
addresses in the iptables log messages on the server and make sure they are 
exactly the same as those present in the iptables rule.

Hope this helps, and good luck.

Troy

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
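An added example, not code from Troy's post or the list: a small Python model of first-match chain evaluation applied to the two rule sets discussed above, showing why a packet that reaches the LOG rule cannot have matched the ACCEPT rule before it, and how a rule keyed on the client address and UDP/514 behaves instead. The addresses, the second server address and the DROP chain policy are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses; not values from the list post.
CLIENT, SERVER, SERVER_ALT = "192.0.2.10", "192.0.2.20", "192.0.2.21"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    target: str                  # ACCEPT, DROP or LOG
    src: Optional[str] = None    # -s
    dst: Optional[str] = None    # -d
    proto: Optional[str] = None  # -p
    dport: Optional[int] = None  # --dport

    def matches(self, pkt: Packet) -> bool:
        # Every criterion given on the rule must match; omitted ones are wildcards.
        checks = ((self.src, pkt.src), (self.dst, pkt.dst),
                  (self.proto, pkt.proto), (self.dport, pkt.dport))
        return all(want is None or want == got for want, got in checks)

def walk_chain(rules, pkt, policy="DROP"):
    """First-match walk of a chain: returns (verdict, indexes of LOG rules hit).

    LOG is non-terminating in netfilter: it records the packet and evaluation
    continues. ACCEPT/DROP end the walk; otherwise the chain policy applies.
    """
    logged = []
    for i, rule in enumerate(rules):
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged.append(i)
            continue
        return rule.target, logged
    return policy, logged

def syslog_from_client(dst: str) -> Packet:
    return Packet(CLIENT, dst, "udp", 514)

# The thread's two rule sets: ACCEPT keyed on -s and -d, then unconditional LOG,
# versus ACCEPT keyed on the client address and UDP/514.
original = [Rule("ACCEPT", src=CLIENT, dst=SERVER), Rule("LOG")]
suggested = [Rule("ACCEPT", src=CLIENT, proto="udp", dport=514), Rule("LOG")]
```

A syslog datagram addressed to any server address other than the one in the `-d` match falls through the original ACCEPT rule, is recorded by LOG, and then meets the chain policy, which is exactly the symptom of seeing the packets in the iptables log but not in syslog.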



This archive was generated by hypermail 2.1.3 : Thu Mar 31 2005 - 12:01:58 PST