[NTLUG:Discuss] Remote Syslog help needed
Michael Barnes
barnmichael at gmail.com
Mon Aug 31 00:55:22 CDT 2009
On Sun, Aug 30, 2009 at 11:45 PM, Leroy Tennison <leroy_tennison at prodigy.net> wrote:
> Michael Barnes wrote:
> > I have an appliance that can send its logs to a remote log server. I have a Centos4 box I am trying to capture the logs with. But, it doesn't work.
> > Here is a section of a tcpdump.
> >
> > 22:19:40.011704 IP (tos 0x0, ttl 47, id 30032, offset 0, flags [none], proto: UDP (17), length: 96) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 68
> > Facility local0 (16), Severity notice (5)
> > Msg: ATLAS 830[ADTRAN]:L2-Formatted|5|3|Sent = Sapi:00[|syslog]
> >
> > 22:19:40.011714 IP (tos 0xc0, ttl 64, id 43329, offset 0, flags [none], proto: ICMP (1), length: 124) bridge.srn.loc > atlas.srn.loc: ICMP host bridge.srn.loc unreachable - admin prohibited, length 104
> > IP (tos 0x0, ttl 47, id 30032, offset 0, flags [none], proto: UDP (17), length: 96) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 68 Facility local0 (16), Severity notice (5)
> > Msg: ATLAS 830[ADTRAN]:L2-[|syslog]
> >
> > 22:19:40.012375 IP (tos 0x0, ttl 47, id 30033, offset 0, flags [none], proto: UDP (17), length: 86) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 58
> > Facility local0 (16), Severity notice (5)
> > Msg: ATLAS 830[ADTRAN]:L2-Formatted|5|3| Ctl:SAB[|syslog]
> >
> > 22:19:40.012382 IP (tos 0xc0, ttl 64, id 43330, offset 0, flags [none], proto: ICMP (1), length: 114) bridge.srn.loc > atlas.srn.loc: ICMP host bridge.srn.loc unreachable - admin prohibited, length 94
> > IP (tos 0x0, ttl 47, id 30033, offset 0, flags [none], proto: UDP (17), length: 86) atlas.srn.loc.syslog > bridge.srn.loc.syslog: SYSLOG, length: 58
> > Facility local0 (16), Severity notice (5)
> > Msg: ATLAS 830[ADTRAN]:L2-[|syslog]
> >
> >
> > You can see atlas sending a log entry to bridge. It looks like bridge is
> > rejecting it due to a prohibition of ICMP traffic.
> >
> > Here are the iptables:
> >
> > [root at bridge ~]# iptables -L
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> > RH-Firewall-1-INPUT all -- anywhere anywhere
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> > RH-Firewall-1-INPUT all -- anywhere anywhere
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain RH-Firewall-1-INPUT (2 references)
> > target prot opt source destination
> > ACCEPT all -- anywhere anywhere
> > ACCEPT all -- anywhere anywhere
> > ACCEPT icmp -- anywhere anywhere icmp any
> > ACCEPT esp -- anywhere anywhere
> > ACCEPT ah -- anywhere anywhere
> > ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
> > ACCEPT udp -- anywhere anywhere udp dpt:ipp
> > ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
> > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> > ACCEPT udp -- 10.113.35.150 anywhere udp spt:ntp
> > ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
> > ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> > REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> >
> >
> > I have a suspicion that last line about "reject-with icmp-host-prohibited" might be part of my problem. But I'm rusty with iptables and don't know how to fix it if it needs fixing.
> >
> > Another concern is if it is actually listening for remote logs. Here are the netstat results.
> >
> > [root at bridge ~]# netstat -ln
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address Foreign Address State
> > tcp 0 0 0.0.0.0:908 0.0.0.0:* LISTEN
> > tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
> > tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
> > tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
> > tcp 0 0 :::22 :::* LISTEN
> > udp 0 0 0.0.0.0:32768 0.0.0.0:*
> > udp 0 0 0.0.0.0:514 0.0.0.0:*
> > udp 0 0 0.0.0.0:902 0.0.0.0:*
> > udp 0 0 0.0.0.0:905 0.0.0.0:*
> > udp 0 0 0.0.0.0:67 0.0.0.0:*
> > udp 0 0 0.0.0.0:5353 0.0.0.0:*
> > udp 0 0 0.0.0.0:111 0.0.0.0:*
> > udp 0 0 0.0.0.0:631 0.0.0.0:*
> > udp 0 0 10.113.35.100:123 0.0.0.0:*
> > udp 0 0 10.33.8.22:123 0.0.0.0:*
> > udp 0 0 127.0.0.1:123 0.0.0.0:*
> > udp 0 0 0.0.0.0:123 0.0.0.0:*
> > udp 0 0 :::32769 :::*
> > udp 0 0 :::5353 :::*
> > udp 0 0 fe80::20e:cff:fedc:f479:123 :::*
> > udp 0 0 fe80::211:11ff:fe6f:123 :::*
> > udp 0 0 ::1:123 :::*
> > udp 0 0 :::123 :::*
> > raw 0 0 0.0.0.0:1 0.0.0.0:* 7
> > Active UNIX domain sockets (only servers)
> > Proto RefCnt Flags Type State I-Node Path
> > unix 2 [ ACC ] STREAM LISTENING 7538 @/var/run/hald/dbus-Eb2j7rE2qL
> > unix 2 [ ACC ] STREAM LISTENING 6203 /var/run/audit_events
> > unix 2 [ ACC ] STREAM LISTENING 6571 /var/run/dbus/system_bus_socket
> > unix 2 [ ACC ] STREAM LISTENING 6798 /var/run/pcscd.comm
> > unix 2 [ ACC ] STREAM LISTENING 6951 /var/run/acpid.socket
> > unix 2 [ ACC ] STREAM LISTENING 6994 /var/run/cups/cups.sock
> > unix 2 [ ACC ] STREAM LISTENING 7496 /var/run/avahi-daemon/socket
> > unix 2 [ ACC ] STREAM LISTENING 7345 /dev/gpmctl
> > unix 2 [ ACC ] STREAM LISTENING 7537 @/var/run/hald/dbus-4rWrcHMzPP
> >
> >
> > I notice the state is not set to listen for port 514, for syslog. Could I not have syslog configured correctly?
> >
> > [root at bridge ~]# cat /etc/syslog.conf
> > # Log all kernel messages to the console.
> > # Logging much else clutters up the screen.
> > #kern.* /dev/console
> >
> > # Log anything (except mail) of level info or higher.
> > # Don't log private authentication messages!
> > *.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
> >
> > # The authpriv file has restricted access.
> > authpriv.* /var/log/secure
> >
> > # Log all the mail messages in one place.
> > mail.* -/var/log/maillog
> >
> >
> > # Log cron stuff
> > cron.* /var/log/cron
> >
> > # Everybody gets emergency messages
> > *.emerg *
> >
> > # Save news errors of level crit and higher in a special file.
> > uucp,news.crit /var/log/spooler
> >
> > # Save boot messages also to boot.log
> > local7.* /var/log/boot.log
> >
> > # If they show up, save Atlas log
> > local0.* /var/log/atlas
> >
> > #
> > # INN
> > #
> > news.=crit /var/log/news/news.crit
> > news.=err /var/log/news/news.err
> > news.notice /var/log/news/news.notice
> > [root at bridge ~]#
> >
> >
> > Any ideas appreciated.
> >
> > Michael
> > _______________________________________________
> > http://www.ntlug.org/mailman/listinfo/discuss
> >
> I don't know what your situation is but, if it's reasonable, stop
> iptables and see what happens. That will at least narrow down your
> focus. Without having the IP addresses of the two machines (unless I
> missed it) evaluating iptables is impossible.
>
bridge 10.33.8.22
atlas 10.33.5.170
I stopped iptables and it works. But I would rather fix iptables.
Thanks,
Michael
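The fix the thread points at, as an added example that is not from the list posters: open UDP/514 in the RH-Firewall-1-INPUT chain for the appliance's address only, ahead of the trailing REJECT rule that is answering every syslog datagram with icmp-host-prohibited. It assumes the chain and addresses shown above (atlas at 10.33.5.170, CentOS 4 iptables with `service iptables save`); the sample chain listing inside the script is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the names and addresses
# given in the thread: appliance atlas at 10.33.5.170, collector bridge,
# CentOS 4 iptables with the RH-Firewall-1-INPUT chain, syslog on UDP/514.
# Note: UDP sockets never show LISTEN in netstat, so the "udp 0.0.0.0:514"
# line already proves syslogd is bound to the port; only the firewall
# (the trailing REJECT ... icmp-host-prohibited rule) is in the way.
set -e

ATLAS_IP="${ATLAS_IP:-10.33.5.170}"
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"

# Rule number of the first REJECT in a numbered chain listing read from
# stdin, i.e. the output of: iptables -L "$CHAIN" -n --line-numbers
reject_rulenum() {
    awk '$2 == "REJECT" { print $1; exit }'
}

# Arguments for an ACCEPT limited to syslog from the appliance, inserted
# at the REJECT's position so it is evaluated before the REJECT.
rule_args() {
    printf '%s\n' "-I $CHAIN $1 -p udp -s $ATLAS_IP --dport 514 -m state --state NEW -j ACCEPT"
}

# Live fix (run as root): insert the rule ahead of the REJECT, persist it.
apply_fix() {
    num=$(iptables -L "$CHAIN" -n --line-numbers | reject_rulenum)
    [ -n "$num" ] || { echo "no REJECT rule in $CHAIN" >&2; return 1; }
    iptables $(rule_args "$num")   # unquoted on purpose: split into args
    service iptables save           # writes /etc/sysconfig/iptables
}

# Dry run over a constructed listing shaped like the thread's chain.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
12   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
13   REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited'

dry_run() {
    num=$(printf '%s\n' "$SAMPLE_LISTING" | reject_rulenum)
    echo "iptables $(rule_args "$num")"
}

dry_run
```

After `apply_fix`, confirm with `iptables -L RH-Firewall-1-INPUT -n --line-numbers` that the new ACCEPT sits above the REJECT, and re-run the tcpdump: the "admin prohibited" ICMP replies should stop and entries should start appearing in /var/log/atlas.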