Help with setting up Syslog server


My farm owner configured the F5 load balancer that I am using to send syslog messages to one of my hosts. however, I can't seem to be able to configure my host to properly log the messages, don't know what I am missing.

The only change I know I should do on the host is:
In /etc/sysconfig/syslog added the -r and -x options
But what else is needed? where do I determine the filename? if I understand correctly, the /etc/syslog.conf file is for client logging, and not for server configuration.

don't know if there is any relevant information in the client configuration, but this is what they sent me:

F5 /etc/syslog-ng/syslog-ng.conf Changes:
Also,  this should not be a firewall issue, as I am able to sniff the traffic on my server and see it coming in at udp 514.

Thanks in advance
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

- check wether syslogs actually listens on the port using netstat
- if yes, you should receive the log probably in messages log, you can change tis by editiong syslog.conf. see "man 5 syslog" or "man syslog.conf" in order to determine how to configure the syslog you are using
shootboxAuthor Commented:
1. Yup, forgot to mention that it does.
udp        0      0       *                               off (0.00/0/0)

2. nothing in /var/log/messages.
My question is basically whether or not I should configure anything in syslog.conf in order to get the logs in /var/log/messages, cause if not, then my problem is elsewhere.
yes you should.
- the logs may have a facility or process name set that makes syslog send them elsewhere or discard them
- depending on your syslog version there may also be rules that permit or deny logging from remote hosts
- whatever the version, there is definitely a field in syslog.conf for the host that sends the traffic and the default config may only contain rules for localhost and discard anything else

if you send the syslog version, program name and config file, we may be able to give more precise instructions but the man page will likely be enough. do not forget to restart syslog after changing the config file.
Discover the Answer to Productive IT

Discover app within WatchGuard's Wi-Fi Cloud helps you optimize W-Fi user experience with the most complete set of visibility, troubleshooting, and network health features. Quickly pinpointing network problems will lead to more happy users and most importantly, productive IT.

shootboxAuthor Commented:
I wasn't able to set it up, been working on it for hours, that's why I came here for help with the configuration.
What information do you need? I don't really understand what you mean by syslog version, program name and config file - aside from the version which I don't know how to check, what are program name and config file?
check whether you have iptables running and if so, you would need to add a rule to the input to allow UDP 514 in. and in Forward to forward the UDP 514 requests to the syslog server.

How are you handling local0/local4 events in the syslog.conf/rsyslog.conf file?

Create a local0.* local4.* /var/log/f5_events
reload syslog/rsyslog and see if updates are seen in the f5_events log file.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
syslog version : there should be a number but more importantly a program name : syslogd, sysklogd, rsyslog... there are plenty around and their config files are different although their functionnalities are pretty similar

config file : please copy + paste the existing config file

obvioulsy, since you can sniff the traffic, i'm interected with these on the server that wil gather the logs
shootboxAuthor Commented:
I'm using syslogd

[root@log1 ~]# ps -ef | grep -i syslog
root      4578     1  0 03:02 ?        00:00:00 syslogd -m 0 -r -x

And I've added to syslog.conf as arnold suggested:
local0.* local4.* /var/log/f5_events

But nothing in the logfile.

Still need help here. thanks
given the flags you are using, you probably use sysklogd or syslog-ng, but definitely not syslogd

assuming syslog-ng, you should do something like

# declare the source (please change the ip to the proper one)
source remote_machine {
  udp(ip("") port(514));

# instruct syslog to log messages from that host to "messages" log (obviously you can log somewhere else in a similar way)
log { source(remote_machine); destination(messages); };

other log systems have VERY different configurations so either this works for you or you really need to send the proper syslog version AND your existing config file

good luck
make sure -r is followed by 514 (-r 514 or -r514)
While you are seeing UDP packets going to 514, the question really is whether they are being received by syslogd.

run as root
lsof -i:514
does it report that syslogd is listening on this port UDP?

The formating for multiple entries is should use semi-colons to separate entries.


where [tab] represents a tab when you are entering data.
shootboxAuthor Commented:
yes, syslogd is listening on udp 514

[root@log1 ~]# lsof -i:514
syslogd 4578 root    9u  IPv4 20291971       UDP *:syslog

I'm rather confused by the different syslog daemons - does this mean that I'm using ksyslogd and the correct configuration file is /etc/syslog.conf? and the service is syslogd? I'm using RH5.5.
rpm -qa | grep -i syslog

syslog is the default.
But one can installed any syslog enabled daemon rsyslog, etc.

Did you HUP kill -HUP 4578 after making changes to /etc/syslog.conf?
shootboxAuthor Commented:
No... I ran service syslog restart

This is the contents of the traffic, does it give any clue about the needed configuration in the syslog.conf file?

07:04:01.167077 IP <LBIP>.49037 > <my-server>.syslog: SYSLOG, length: 126
07:04:01.168105 IP <LBIP>.49037 > <my-server>.syslog: SYSLOG, length: 99
07:04:01.184934 IP <LBIP>.49037 > <my-server>.syslog: SYSLOG, length: 115
07:04:01.647878 IP <LBIP>.34345 > <my-server>.syslog: SYSLOG, length: 126
07:04:01.649461 IP <LBIP>.34345 > <my-server>.syslog: SYSLOG, length: 99
07:04:01.668200 IP <LBIP>.34345 > <my-server>.syslog: SYSLOG, length: 115
07:04:07.126196 IP <LBIP>.49037 > <my-server>.syslog: SYSLOG daemon.debug, length: 102
07:04:08.077930 IP <LBIP>.34345 > <my-server>.syslog: SYSLOG daemon.debug, length: 102

I mean the "" etc
for compatibility reasons, many syslog daemons use the legacy config file and most of them try to be compatible with it's format
they also often use the same init files and sometimes even rename the daemon to syslogd (which is foolish at best)

if you want to make sure which config file is in use, you can start it through "strace -d", use lsof, or much simpler stick an error in the config file, start it in debug mode, and check wether it complains or possibly crashes.

RH5.5 probably uses sysklogd or possibly rsyslog but i do not know for sure as they switched roughly at that time, and i do not know how to check which one runs appart from the obvious which i guess you already tried

in sysklogd there should not be anything to configure appart from the switches you already used

maybe you should check wether the facility in used is logged by your conf at the given priority level.
possibly add a temporary line that logs *.* in syslog.conf just to make sure

running syslog which the -d switch for debug (possibly multiple times) may also be of some help as you may see the messages coming and being dropped
you have lots of info and debug and nothing else in your example. maybe your config does only log higher priority messages
The content of the info is similar to tell me that there are 10 chevys, 30 mercedes, 20 BMws and 1 susita.  It does not give me the information in which direction each was traveling.

how does your syslog.conf handle authpriv.*, cron.* etc. events do you have an entry authpriv.none?

please run as rpm -qa | grep -i syslog

This will tell you the installed package and its version

I'm going that you did not compile and install syslog from source.

try the following:
logger -t "testing_local" -p "This is a test"
then check whether you have the entry in /var/log/messages as well as in /var/log/f5_events.
Does the /var/log/f5_events exist in the /var/log/ folder?
shootboxAuthor Commented:
ok, for some reason I do not have the RPM package installed, I had it installed out of the box, but I don't know why it doesn't show up in the packages list.

However this might give a clue?

[root@log1 ~]# chkconfig --list | grep -i sysl
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@log1 ~]# service --status-all | grep sys
syslogd (pid  28313) is running...

Regarding the test, yes it does appear in the f5_events file:
Dec 26 07:40:47 log1 testing_local: This is a test

Umm, I think that in the initial message I quoted the configuration that was given to me by the Load balancer owner, but I don't see it now. it should shed some light on the facilities being used, shouldn't it?

F5 /etc/syslog-ng/syslog-ng.conf Changes:
destination d_log_manager {
udp("<My server's IP>" port(514));

log {

log {

log {

this config is the one that SENDS to information to a remote server, and not the one that stands on the remote and instructs it to do something with what it RECEIVES.

if you can trace the syslog messages, the issue is on the reception side

you should find something similar to the config i posted in #37337210 in the config file of host referred to as <My server's IP>
We need the log from the server to which the events are being sent and not the source of the events.
try rpm -qa | grep -i sys
just incase you have sysklogd which would not match the sysl pattern in my example.

What about the logger test on the local system?  Did the entry appear in /var/log/messages and/or in /var/log/f5_events?
shootboxAuthor Commented:
I know that's the configuration from the sending side, but shouldn't the facilities that it is using instruct me on what configuration I should run on my server? filter(f_local0); etc'?

The event appears in the /var/log/f5_events file...
send us the relevant config file, or possibly both of them and we will be able to help
shootboxAuthor Commented:
/etc/syslog.conf:. pretty much default stuff I think.

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

local0.*;local4.*                       /var/log/f5_events

Ok, so if the any event local.* makes its way to your syslog server, it should be added.

In your capture event, there were no local0.* nor local4.* events.

Can you ask the person who has control of the F5 to generate events while you are capturing them?

If the person on the remote side has a linux/unix system, have them try the logger option
they would need to an an entry to their local syslog.conf to forward events to a remote

local0.* @<your_server_ip>
local4.* @<your_server_ip>

And see whether events sent into their system are received by your system.
logger --p "" -t "remote_site_test" "test message"
you should find authpriv and cron stuff in respectively the secure and cron logs.
the daemon.debug should be ignored.
givent the capture file you provided, nothing should ever end up in f5_events
... that is at least if all the discussion regarding the fact that the server actually listens for stuff and the capture were performed on the server that is supposed to gather messages.

can you please confirm this, and then try the logger command arnold gave you ?
possibly try it locally using or better your host's own address as the remote host
shootboxAuthor Commented:
All working in the f5_events file with

local0.*;local4.*                       /var/log/f5_events

Thanks all!!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.