[NTLUG:Discuss] Remote Syslog help needed
Leroy Tennison
leroy_tennison at prodigy.net
Sun Aug 30 23:45:12 CDT 2009
Michael Barnes wrote:
> I have an appliance that can send its logs to a remote log server. I have a
> Centos4 box I am trying to capture the logs with. But, it doesn't work.
> Here is a section of a tcpdump.
>
> 22:19:40.011704 IP (tos 0x0, ttl 47, id 30032, offset 0, flags [none],
> proto: UDP (17), length: 96) atlas.srn.loc.syslog > bridge.srn.loc.syslog:
> SYSLOG, length: 68
> Facility local0 (16), Severity notice (5)
> Msg: ATLAS 830[ADTRAN]:L2-Formatted|5|3|Sent = Sapi:00[|syslog]
>
> 22:19:40.011714 IP (tos 0xc0, ttl 64, id 43329, offset 0, flags [none],
> proto: ICMP (1), length: 124) bridge.srn.loc > atlas.srn.loc: ICMP host
> bridge.srn.loc unreachable - admin prohibited, length 104
> IP (tos 0x0, ttl 47, id 30032, offset 0, flags [none], proto: UDP
> (17), length: 96) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG,
> length: 68 Facility local0 (16), Severity notice (5)
> Msg: ATLAS 830[ADTRAN]:L2-[|syslog]
>
> 22:19:40.012375 IP (tos 0x0, ttl 47, id 30033, offset 0, flags [none],
> proto: UDP (17), length: 86) atlas.srn.loc.syslog > bridge.srn.loc.syslog:
> SYSLOG, length: 58
> Facility local0 (16), Severity notice (5)
> Msg: ATLAS 830[ADTRAN]:L2-Formatted|5|3| Ctl:SAB[|syslog]
>
> 22:19:40.012382 IP (tos 0xc0, ttl 64, id 43330, offset 0, flags [none],
> proto: ICMP (1), length: 114) bridge.srn.loc > atlas.srn.loc: ICMP host
> bridge.srn.loc unreachable - admin prohibited, length 94
> IP (tos 0x0, ttl 47, id 30033, offset 0, flags [none], proto: UDP
> (17), length: 86) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG,
> length: 58
> Facility local0 (16), Severity notice (5)
> Msg: ATLAS 830[ADTRAN]:L2-[|syslog]
>
>
> You can see atlas sending a log entry to bridge. It looks like bridge is
> rejecting it due to a prohibition of ICMP traffic.
>
> Here are the iptables:
>
> [root at bridge ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT icmp -- anywhere anywhere icmp any
> ACCEPT esp -- anywhere anywhere
> ACCEPT ah -- anywhere anywhere
> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
> ACCEPT udp -- anywhere anywhere udp dpt:ipp
> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT udp -- 10.113.35.150 anywhere udp spt:ntp
> ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>
>
> I have a suspicion that last line about "reject-with icmp-host-prohibited"
> might be part of my problem. But I'm rusty with iptables and don't know how
> to fix it if it needs fixing.
>
> Another concern is if it is actually listening for remote logs. Here is
> netstat results.
>
> [root at bridge ~]# netstat -ln
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 0.0.0.0:908 0.0.0.0:* LISTEN
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
> tcp 0 0 :::22 :::* LISTEN
> udp 0 0 0.0.0.0:32768 0.0.0.0:*
> udp 0 0 0.0.0.0:514 0.0.0.0:*
> udp 0 0 0.0.0.0:902 0.0.0.0:*
> udp 0 0 0.0.0.0:905 0.0.0.0:*
> udp 0 0 0.0.0.0:67 0.0.0.0:*
> udp 0 0 0.0.0.0:5353 0.0.0.0:*
> udp 0 0 0.0.0.0:111 0.0.0.0:*
> udp 0 0 0.0.0.0:631 0.0.0.0:*
> udp 0 0 10.113.35.100:123 0.0.0.0:*
> udp 0 0 10.33.8.22:123 0.0.0.0:*
> udp 0 0 127.0.0.1:123 0.0.0.0:*
> udp 0 0 0.0.0.0:123 0.0.0.0:*
> udp 0 0 :::32769 :::*
> udp 0 0 :::5353 :::*
> udp 0 0 fe80::20e:cff:fedc:f479:123 :::*
> udp 0 0 fe80::211:11ff:fe6f:123 :::*
> udp 0 0 ::1:123 :::*
> udp 0 0 :::123 :::*
> raw 0 0 0.0.0.0:1 0.0.0.0:* 7
> Active UNIX domain sockets (only servers)
> Proto RefCnt Flags Type State I-Node Path
> unix 2 [ ACC ] STREAM LISTENING 7538 @/var/run/hald/dbus-Eb2j7rE2qL
> unix 2 [ ACC ] STREAM LISTENING 6203 /var/run/audit_events
> unix 2 [ ACC ] STREAM LISTENING 6571 /var/run/dbus/system_bus_socket
> unix 2 [ ACC ] STREAM LISTENING 6798 /var/run/pcscd.comm
> unix 2 [ ACC ] STREAM LISTENING 6951 /var/run/acpid.socket
> unix 2 [ ACC ] STREAM LISTENING 6994 /var/run/cups/cups.sock
> unix 2 [ ACC ] STREAM LISTENING 7496 /var/run/avahi-daemon/socket
> unix 2 [ ACC ] STREAM LISTENING 7345 /dev/gpmctl
> unix 2 [ ACC ] STREAM LISTENING 7537 @/var/run/hald/dbus-4rWrcHMzPP
>
>
> I notice the state is not set to listen for port 514, for syslog. Could I
> not have syslog configured correctly?
>
> [root at bridge ~]# cat /etc/syslog.conf
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.* /dev/console
>
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> *.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
>
> # The authpriv file has restricted access.
> authpriv.* /var/log/secure
>
> # Log all the mail messages in one place.
> mail.* -/var/log/maillog
>
>
> # Log cron stuff
> cron.* /var/log/cron
>
> # Everybody gets emergency messages
> *.emerg *
>
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit /var/log/spooler
>
> # Save boot messages also to boot.log
> local7.* /var/log/boot.log
>
> # If they show up, save Atlas log
> local0.* /var/log/atlas
>
> #
> # INN
> #
> news.=crit /var/log/news/news.crit
> news.=err /var/log/news/news.err
> news.notice /var/log/news/news.notice
> [root at bridge ~]#
>
>
> Any ideas appreciated.
>
> Michael
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss
>
I don't know what your situation is but, if it's reasonable, stop
iptables and see what happens. That will at least narrow down your
focus. Without having the IP addresses of the two machines (unless I
missed it) evaluating iptables is impossible.
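As an added example (not part of this thread, and not code from either poster), the Python below automates the two checks the quoted post walks through by hand: it correlates each UDP syslog datagram in the tcpdump output with the ICMP "admin prohibited" reply that quotes its IP id, and it walks the RH-Firewall-1-INPUT chain to find which rule decides the fate of a fresh inbound UDP datagram to port 514. The capture and the chain listing are constructed to mirror the quoted output, with one tcpdump record per line. Two facts the script relies on: UDP sockets never show a LISTEN state in netstat, so the `0.0.0.0:514` line already means syslogd is bound to the port; and `iptables -L` without `-v` hides interface matches, so the two leading `ACCEPT all` rules cannot be read as accepting everything.

```python
import re

# Constructed sample: one tcpdump -v record per line, mirroring the quoted capture.
CAPTURE = """\
22:19:40.011704 IP (tos 0x0, ttl 47, id 30032, offset 0, flags [none], proto: UDP (17), length: 96) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 68
22:19:40.011714 IP (tos 0xc0, ttl 64, id 43329, offset 0, flags [none], proto: ICMP (1), length: 124) bridge.srn.loc > atlas.srn.loc: ICMP host bridge.srn.loc unreachable - admin prohibited, length 104
IP (tos 0x0, ttl 47, id 30032, offset 0, flags [none], proto: UDP (17), length: 96) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 68
22:19:40.012375 IP (tos 0x0, ttl 47, id 30033, offset 0, flags [none], proto: UDP (17), length: 86) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 58
22:19:40.012382 IP (tos 0xc0, ttl 64, id 43330, offset 0, flags [none], proto: ICMP (1), length: 114) bridge.srn.loc > atlas.srn.loc: ICMP host bridge.srn.loc unreachable - admin prohibited, length 94
IP (tos 0x0, ttl 47, id 30033, offset 0, flags [none], proto: UDP (17), length: 86) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 58
"""

# Constructed sample: the relevant chains from the quoted `iptables -L`.
IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  10.113.35.150        anywhere            udp spt:ntp
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

UDP_SYSLOG = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP \(.*?\bid (?P<id>\d+),.*?proto: UDP \(17\).*?\) "
                        r"(?P<src>\S+)\.syslog > (?P<dst>\S+)\.syslog: SYSLOG")
ICMP_PROHIB = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP \(.*?proto: ICMP \(1\).*?\) "
                         r"(?P<src>\S+) > (?P<dst>\S+): ICMP host \S+ unreachable - admin prohibited")
INNER_UDP = re.compile(r"^IP \(.*?\bid (?P<id>\d+),.*?proto: UDP \(17\)")


def find_rejected_syslog(capture):
    """Return (sent_ids, rejected_ids, rejecting_hosts) for a tcpdump -v text.
    A datagram counts as rejected when an ICMP 'admin prohibited' record is
    immediately followed by the quoted inner header carrying the same IP id."""
    lines = capture.splitlines()
    sent, rejected, rejecters = [], [], set()
    for i, line in enumerate(lines):
        m = UDP_SYSLOG.match(line)
        if m:
            sent.append(m.group("id"))
            continue
        m = ICMP_PROHIB.match(line)
        if m and i + 1 < len(lines):
            inner = INNER_UDP.match(lines[i + 1])
            if inner:
                rejected.append(inner.group("id"))
                rejecters.add(m.group("src"))
    return sent, rejected, rejecters


def parse_chain(listing, chain):
    """Extract the rules of one chain from `iptables -L` output as dicts."""
    rules, inside = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            inside = line.split()[1] == chain
            continue
        if not inside or line.startswith("target") or not line.strip():
            continue
        parts = line.split(None, 5)
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        rules.append(dict(target=target, prot=prot, src=src, dst=dst, extra=extra))
    return rules


def fate_of_new_udp(rules, dport_names, src="anywhere"):
    """Walk the chain for a NEW inbound UDP datagram from `src` to a port that
    `iptables -L` may print by number or by service name (e.g. 514 / syslog).
    Returns (verdict, rule_index, notes); notes flag rules that cannot be
    judged from -L output because -v is needed to see interface matches."""
    notes = []
    for idx, r in enumerate(rules):
        extra = r["extra"]
        if r["src"] not in ("anywhere", src):
            continue
        if "RELATED,ESTABLISHED" in extra:
            continue  # a first datagram is NEW, so this rule does not match
        if r["prot"] == "all":
            if not extra:
                notes.append("rule %d: 'all' with no visible match; re-check with iptables -L -v -n" % idx)
                continue
            if r["target"] in ("REJECT", "DROP"):
                return r["target"], idx, notes
            continue
        if r["prot"] == "udp" and any("dpt:%s" % d in extra for d in dport_names):
            return r["target"], idx, notes
    return "policy", None, notes


if __name__ == "__main__":
    sent, rejected, hosts = find_rejected_syslog(CAPTURE)
    print("syslog datagrams sent: %d, rejected: %d, by: %s" % (len(sent), len(rejected), sorted(hosts)))
    verdict, idx, notes = fate_of_new_udp(parse_chain(IPTABLES, "RH-Firewall-1-INPUT"), ("514", "syslog"))
    print("inbound UDP/514 hits rule %s -> %s" % (idx, verdict))
    for n in notes:
        print("note:", n)
```

On the constructed input the script reports both datagrams rejected by bridge.srn.loc and the verdict REJECT at the chain's last rule, which is the result the tcpdump already implies. The fix is then an ACCEPT for UDP 514 restricted to the appliance's address, placed ahead of that REJECT; on this listing the REJECT is rule 13 (iptables numbers rules from 1), so a command of the form `iptables -I RH-Firewall-1-INPUT 13 -p udp -s <appliance-ip> --dport 514 -j ACCEPT` (appliance address assumed, not given in the thread) inserts it in the right place, and re-running the tcpdump should show no further ICMP replies. Note that syslog over UDP is unauthenticated, which is why the accept rule should be scoped to the appliance's source address rather than `anywhere`.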