credog
syslog messages on switched network

We have a syslog server on our network that is used by a lot of clients (Cisco, Linux boxes) for remote logging.  I was looking at network traffic and noticed that the syslog traffic was showing up on my desktop interface.  This is one-way UDP traffic from the host to the server.  I am on a switched network, so I do not understand how I can see this traffic.  The switch should not let this through on all ports.  It is like the switch is acting like a hub.  Is there any explanation for this?  I do not see any other host-to-host traffic, only syslog, broadcast and traffic destined for my PC.  Also, it seems that the traffic shows up in bursts.  It is not there all the time.

Tcpdump output looks like this:

16:05:52.846444 IP 198.XXX.XXX.1.syslog > 198.XXX.XXX.7.syslog: UDP, length 124

Thanks
calvinetter

Sounds like you have a syslog client (most likely on one of the Linux boxes) that is configured to broadcast.  Here's an implementation for a Unix/Linux platform that allows broadcasts:
http://www.codeproject.com/internet/syslog_client.asp

Is the traffic consistently originating from a certain IP(s)? If so, I'd check what OS & what syslog client implementation is running on the sending host.
credog (ASKER)
The traffic seems to be mostly coming from a PIX firewall; however, the packets do not appear to be broadcasts.  As you can see from the tcpdump sample, it seems to be coming from a certain IP and going to a certain IP.  I will verify the source IP today.  Just don't understand why I am seeing that traffic.
ASKER CERTIFIED SOLUTION
chris_calabrese
This solution is only available to members.
Egads, yes I'm blind. <note to self, more caffeine next time>  You're absolutely right, not a broadcast!

I agree w/ chris_calabrese... If the traffic is visible on your box only in bursts, then I'd check utilization on the switch (if it's a managed type), or possible ARP problems as mentioned above.
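A quick way to quantify the symptom described in this thread (unicast traffic between two other hosts arriving on your own switch port, in bursts) is to run tcpdump on the desktop and sift its output for packets that are neither addressed to you nor broadcast/multicast. The script below is an added example, not code from the thread or from any of the posters; it parses tcpdump's default text format, uses a constructed capture with the documentation range 198.51.100.0/24 standing in for the masked 198.XXX.XXX prefix, and assumes the desktop is 198.51.100.50.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample capture (not from the original post), modelled on the line in
# the question. .1 is the firewall, .7 the syslog server, .50 the desktop running tcpdump.
SAMPLE = """\
16:05:52.846444 IP 198.51.100.1.syslog > 198.51.100.7.syslog: UDP, length 124
16:05:52.851002 IP 198.51.100.1.syslog > 198.51.100.7.syslog: UDP, length 131
16:05:52.902310 IP 198.51.100.9.syslog > 198.51.100.7.syslog: UDP, length 88
16:05:53.004117 IP 198.51.100.50.49153 > 198.51.100.7.ssh: Flags [P.], seq 1:37, ack 1, win 501, length 36
16:05:53.100004 IP 198.51.100.3.netbios-ns > 198.51.100.255.netbios-ns: UDP, length 50
16:05:54.220901 IP 198.51.100.1.syslog > 198.51.100.7.syslog: UDP, length 124
"""

# tcpdump prints "HH:MM:SS.usec IP src.port > dst.port: ..."; ports may be service names.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\S+): "
)

def is_broadcast(dst, net):
    """True for the subnet broadcast, the limited broadcast and multicast destinations."""
    a = ip_address(dst)
    return a.is_multicast or a == net.broadcast_address or str(a) == "255.255.255.255"

def stray_unicast(capture, local_ip, local_net):
    """Return (flows, per_second): unicast packets a switch should not have delivered
    to this port, counted per src.port > dst.port flow, plus a per-second count so
    bursts (as reported in the question) stand out."""
    net = ip_network(local_net)
    flows, per_second = Counter(), Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP and other non-IP lines are out of scope here
        src, dst = m["src"], m["dst"]
        if local_ip in (src, dst) or is_broadcast(dst, net):
            continue  # our own traffic and broadcasts are expected on this port
        flows[f"{src}.{m['sport']} > {dst}.{m['dport']}"] += 1
        per_second[m["ts"]] += 1
    return flows, per_second

if __name__ == "__main__":
    flows, per_second = stray_unicast(SAMPLE, "198.51.100.50", "198.51.100.0/24")
    for flow, n in flows.most_common():
        print(f"{n:4d}  {flow}")
    print("per second:", dict(per_second))
```

On a real host, feed it `tcpdump -n -l -i eth0 ip` output (the `-n` keeps addresses numeric, which the regex expects); a single remote flow dominating the stray list, with counts clustered into a few seconds, matches the unicast-flooding pattern the replies above point at (switch forwarding-table churn or ARP trouble), so the next check is the switch's MAC table and the ARP entries for the destination host.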