credog
asked on
syslog messages on switched network
We have a syslog server on our network that is used by a lot of clients (cisco, linux boxes) for remote logging. I was looking at network traffic and noticed that the syslog traffic was showing up on my desktop interface. This is one-way UDP traffic from the host to the server. I am on a switched network, so I do not understand how I can see this traffic. The switch should not let this through on all ports. It is like the switch is acting like a hub. Is there any explanation for this? I do not see any other host-to-host traffic, only syslog, broadcast and traffic destined for my PC. Also, it seems that the traffic shows up in bursts. It is not there all the time.
Tcpdump output looks like this:
16:05:52.846444 IP 198.XXX.XXX.1.syslog > 198.XXX.XXX.7.syslog: UDP, length 124
Thanks
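As an added example that is not part of the original thread: a small Python script that parses tcpdump lines in the format shown above and flags unicast packets the capturing host should not have received on a switched port, grouping each source/destination pair into bursts. The sample capture, the capturing host's address 192.0.2.42 and the subnet 192.0.2.0/24 are constructed assumptions, not values from the thread.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# Matches tcpdump's default IPv4/UDP line, e.g.
# 16:05:52.846444 IP 192.0.2.1.syslog > 192.0.2.7.syslog: UDP, length 124
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): UDP, length (?P<length>\d+)"
)

def classify(dst, my_ip, subnet):
    """Label a destination from the point of view of the capturing host."""
    addr = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(subnet, strict=False)
    if dst == my_ip:
        return "local"
    if addr.is_multicast or addr == net.broadcast_address or dst == "255.255.255.255":
        return "broadcast"
    # Unicast that is not for us: a switch should only deliver this to the
    # port where the destination MAC was learned, so seeing it here means
    # the switch is flooding (unknown/aged-out MAC entry, ARP trouble, etc.).
    return "flooded-unicast"

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def flooded_flows(lines, my_ip, subnet, burst_gap=1.0):
    """Count flooded unicast packets per (src, dst) and the number of bursts,
    where a new burst starts after a silence longer than burst_gap seconds."""
    flows = defaultdict(list)
    for p in parse(lines):
        if classify(p["dst"], my_ip, subnet) == "flooded-unicast":
            flows[(p["src"], p["dst"])].append(datetime.strptime(p["ts"], "%H:%M:%S.%f"))
    report = {}
    for key, times in flows.items():
        times.sort()
        bursts = 1 + sum(1 for a, b in zip(times, times[1:]) if (b - a).total_seconds() > burst_gap)
        report[key] = {"packets": len(times), "bursts": bursts}
    return report

# Constructed sample capture: three syslog packets in one burst, a broadcast,
# a fourth syslog packet 17 s later, and one packet actually addressed to us.
SAMPLE = """\
16:05:52.846444 IP 192.0.2.1.syslog > 192.0.2.7.syslog: UDP, length 124
16:05:52.901112 IP 192.0.2.1.syslog > 192.0.2.7.syslog: UDP, length 98
16:05:53.002000 IP 192.0.2.1.syslog > 192.0.2.7.syslog: UDP, length 110
16:05:53.120000 IP 192.0.2.20.49152 > 192.0.2.255.49153: UDP, length 50
16:06:10.500000 IP 192.0.2.1.syslog > 192.0.2.7.syslog: UDP, length 124
16:06:11.000000 IP 192.0.2.9.ntp > 192.0.2.42.ntp: UDP, length 48
""".splitlines()

if __name__ == "__main__":
    for (src, dst), info in flooded_flows(SAMPLE, "192.0.2.42", "192.0.2.0/24").items():
        print(f"flooded unicast {src} -> {dst}: {info['packets']} packets in {info['bursts']} burst(s)")
```

Run it against a real capture with `tcpdump -n -l udp port 514 | python3 script.py` style piping (adjusting the script to read stdin), and compare the burst timing with the switch's MAC aging and the hosts' ARP cache timeouts.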
ASKER
The traffic seems to be mostly coming from a PIX firewall, however the packets do not appear to be broadcasts. As you can see from the tcpdump sample, it seems to be coming from a certain IP and going to a certain IP. I will verify the source IP today. Just don't understand why I am seeing that traffic.
Egads, yes I'm blind. <note to self, more caffeine next time> You're absolutely right, not a broadcast!
I agree w/ chris_calabrese... If the traffic is visible on your box only in bursts, then I'd check utilization on the switch (if it's a managed type), or possible arp problems as mentioned above.
http://www.codeproject.com/internet/syslog_client.asp
Is the traffic consistently originating from a certain IP(s)? If so, I'd check what OS & what syslog client implementation is running on the sending host.