shootbox
Help with setting up Syslog server

Hi,

My farm owner configured the F5 load balancer that I am using to send syslog messages to one of my hosts. however, I can't seem to be able to configure my host to properly log the messages, don't know what I am missing.

The only change I know I should do on the host is:
In /etc/sysconfig/syslog added the -r and -x options
But what else is needed? where do I determine the filename? if I understand correctly, the /etc/syslog.conf file is for client logging, and not for server configuration.

don't know if there is any relevant information in the client configuration, but this is what they sent me:

F5 /etc/syslog-ng/syslog-ng.conf Changes:
 
Also,  this should not be a firewall issue, as I am able to sniff the traffic on my server and see it coming in at udp 514.

Thanks in advance
skullnobrains
- check whether syslog actually listens on the port using netstat
- if yes, you should receive the log probably in messages log, you can change this by editing syslog.conf. see "man 5 syslog" or "man syslog.conf" in order to determine how to configure the syslog you are using
shootbox (asker)
1. Yup, forgot to mention that it does.
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               off (0.00/0/0)

2. nothing in /var/log/messages.
My question is basically whether or not I should configure anything in syslog.conf in order to get the logs in /var/log/messages, cause if not, then my problem is elsewhere.
yes you should.
- the logs may have a facility or process name set that makes syslog send them elsewhere or discard them
- depending on your syslog version there may also be rules that permit or deny logging from remote hosts
- whatever the version, there is definitely a field in syslog.conf for the host that sends the traffic and the default config may only contain rules for localhost and discard anything else

if you send the syslog version, program name and config file, we may be able to give more precise instructions but the man page will likely be enough. do not forget to restart syslog after changing the config file.
I wasn't able to set it up, been working on it for hours, that's why I came here for help with the configuration.
What information do you need? I don't really understand what you mean by syslog version, program name and config file - aside from the version which I don't know how to check, what are program name and config file?
ASKER CERTIFIED SOLUTION: arnold
syslog version : there should be a number but more importantly a program name : syslogd, sysklogd, rsyslog... there are plenty around and their config files are different although their functionalities are pretty similar

config file : please copy + paste the existing config file

obviously, since you can sniff the traffic, I'm interested in these on the server that will gather the logs
I'm using syslogd


[root@log1 ~]# ps -ef | grep -i syslog
root      4578     1  0 03:02 ?        00:00:00 syslogd -m 0 -r -x

And I've added to syslog.conf as arnold suggested:
local0.* local4.* /var/log/f5_events

But nothing in the logfile.

Still need help here. thanks
given the flags you are using, you probably use sysklogd or syslog-ng, but definitely not syslogd

assuming syslog-ng, you should do something like

# declare the source (please change the ip to the proper one)
source remote_machine {
  udp(ip("10.0.5.8") port(514));
}

# instruct syslog to log messages from that host to "messages" log (obviously you can log somewhere else in a similar way)
log { source(remote_machine); destination(messages); };

other log systems have VERY different configurations so either this works for you or you really need to send the proper syslog version AND your existing config file

good luck
make sure -r is followed by 514 (-r 514 or -r514)
While you are seeing UDP packets going to 514, the question really is whether they are being received by syslogd.

run as root
lsof -i:514
does it report that syslogd is listening on this port UDP?

The formatting for multiple entries should use semicolons to separate entries.

local0.*;local4.*[tab][tab][tab]/var/log/f5_events

where [tab] represents a tab when you are entering data.
yes, syslogd is listening on udp 514


[root@log1 ~]# lsof -i:514
COMMAND  PID USER   FD   TYPE   DEVICE SIZE NODE NAME
syslogd 4578 root    9u  IPv4 20291971       UDP *:syslog


I'm rather confused by the different syslog daemons - does this mean that I'm using ksyslogd and the correct configuration file is /etc/syslog.conf? and the service is syslogd? I'm using RH5.5.
rpm -qa | grep -i syslog

syslog is the default.
But one can install any syslog enabled daemon: rsyslog, etc.

Did you HUP it (kill -HUP 4578) after making changes to /etc/syslog.conf?
No... I ran service syslog restart

This is the contents of the traffic, does it give any clue about the needed configuration in the syslog.conf file?


07:04:01.167077 IP <LBIP>.49037 > <my-server>.syslog: SYSLOG authpriv.info, length: 126
07:04:01.168105 IP <LBIP>.49037 > <my-server>.syslog: SYSLOG cron.info, length: 99
07:04:01.184934 IP <LBIP>.49037 > <my-server>.syslog: SYSLOG authpriv.info, length: 115
07:04:01.647878 IP <LBIP>.34345 > <my-server>.syslog: SYSLOG authpriv.info, length: 126
07:04:01.649461 IP <LBIP>.34345 > <my-server>.syslog: SYSLOG cron.info, length: 99
07:04:01.668200 IP <LBIP>.34345 > <my-server>.syslog: SYSLOG authpriv.info, length: 115
07:04:07.126196 IP <LBIP>.49037 > <my-server>.syslog: SYSLOG daemon.debug, length: 102
07:04:08.077930 IP <LBIP>.34345 > <my-server>.syslog: SYSLOG daemon.debug, length: 102


I mean the "authpriv.info" etc
for compatibility reasons, many syslog daemons use the legacy config file and most of them try to be compatible with its format
they also often use the same init files and sometimes even rename the daemon to syslogd (which is foolish at best)

if you want to make sure which config file is in use, you can start it through "strace -d", use lsof, or much simpler stick an error in the config file, start it in debug mode, and check whether it complains or possibly crashes.

RH5.5 probably uses sysklogd or possibly rsyslog but i do not know for sure as they switched roughly at that time, and i do not know how to check which one runs apart from the obvious which i guess you already tried

http://rsyslog.com/receiving-messages-from-a-remote-system/

in sysklogd there should not be anything to configure apart from the switches you already used

maybe you should check whether the facility in use is logged by your conf at the given priority level.
possibly add a temporary line that logs *.* in syslog.conf just to make sure

running syslog with the -d switch for debug (possibly multiple times) may also be of some help as you may see the messages coming and being dropped
you have lots of info and debug and nothing else in your example. maybe your config does only log higher priority messages
The content of the info is similar to telling me that there are 10 Chevys, 30 Mercedes, 20 BMWs and 1 Susita.  It does not give me the information in which direction each was traveling.

how does your syslog.conf handle authpriv.*, cron.* etc. events do you have an entry authpriv.none?

please run: rpm -qa | grep -i syslog

This will tell you the installed package and its version

I'm guessing that you did not compile and install syslog from source.

try the following:
logger -t "testing_local" -p local0.info "This is a test"
then check whether you have the entry in /var/log/messages as well as in /var/log/f5_events.
Does the /var/log/f5_events exist in the /var/log/ folder?
ok, for some reason I do not have the RPM package installed, I had it installed out of the box, but I don't know why it doesn't show up in the packages list.

However this might give a clue?

[root@log1 ~]# chkconfig --list | grep -i sysl
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@log1 ~]# service --status-all | grep sys
syslogd (pid  28313) is running...

Regarding the test, yes it does appear in the f5_events file:
Dec 26 07:40:47 log1 testing_local: This is a test


Umm, I think that in the initial message I quoted the configuration that was given to me by the Load balancer owner, but I don't see it now. it should shed some light on the facilities being used, shouldn't it?

F5 /etc/syslog-ng/syslog-ng.conf Changes:
destination d_log_manager {
udp("<My server's IP>" port(514));
};

log {
source(s_syslog_pipe);
filter(f_local0);
filter(f_no_audit);
destination(d_log_manager);
};

log {
source(s_syslog_pipe);
filter(f_local4);
destination(d_log_manager);
};

log {
source(s_tmm);
destination(d_log_manager);
};

thanks
this config is the one that SENDS the information to a remote server, and not the one that stands on the remote and instructs it to do something with what it RECEIVES.

if you can trace the syslog messages, the issue is on the reception side

you should find something similar to the config i posted in #37337210 in the config file of host referred to as <My server's IP>
We need the log from the server to which the events are being sent and not the source of the events.
try rpm -qa | grep -i sys
just in case you have sysklogd which would not match the sysl pattern in my example.

What about the logger test on the local system?  Did the entry appear in /var/log/messages and/or in /var/log/f5_events?
I know that's the configuration from the sending side, but shouldn't the facilities that it is using instruct me on what configuration I should run on my server? filter(f_local0); etc'?

The event appears in the /var/log/f5_events file...
send us the relevant config file, or possibly both of them and we will be able to help
/etc/syslog.conf: pretty much default stuff I think.

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

local0.*;local4.*                       /var/log/f5_events

Ok, so if any event local.* makes its way to your syslog server, it should be added.



In your capture event, there were no local0.* nor local4.* events.

Can you ask the person who has control of the F5 to generate events while you are capturing them?

If the person on the remote side has a linux/unix system, have them try the logger option
they would need to add an entry to their local syslog.conf to forward events to a remote

local0.* @<your_server_ip>
local4.* @<your_server_ip>

And see whether events sent into their system are received by your system.
logger -p "local0.info" -t "remote_site_test" "test message"
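As an added example (my own code, not something any participant posted), here is a small Python model of sysklogd-style selector matching run over the syslog.conf and the tcpdump lines quoted earlier in this thread. It shows why authpriv.info and cron.info end up in /var/log/secure and /var/log/cron rather than /var/log/messages, why daemon.debug is dropped entirely, and why the local0 logger test reaches both /var/log/messages and /var/log/f5_events. The priority table and the "none" / "last entry wins" handling follow syslog.conf(5); the "=pri" and "!pri" modifiers are deliberately not modelled.

```python
import re
# syslog.conf selector lines as posted in this thread (comments dropped)
SYSLOG_CONF = """
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*;local4.*                                       /var/log/f5_events
"""
# Three of the tcpdump lines quoted above (copied here so the example runs offline)
CAPTURE = """\
07:04:01.167077 IP <LBIP>.49037 > <my-server>.syslog: SYSLOG authpriv.info, length: 126
07:04:01.168105 IP <LBIP>.49037 > <my-server>.syslog: SYSLOG cron.info, length: 99
07:04:07.126196 IP <LBIP>.49037 > <my-server>.syslog: SYSLOG daemon.debug, length: 102
"""
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
def parse_conf(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector, target = line.split(None, 1)  # whitespace (tabs or spaces) separates them
            rules.append((selector, target.strip().lstrip("-")))  # '-' only disables fsync
    return rules

def selector_matches(selector, facility, priority):
    """sysklogd rules: 'fac.pri' means pri or higher, later ';' entries win, 'none' switches a facility off."""
    level = LEVELS.index(priority)
    matched = False
    for entry in selector.split(";"):
        facs, pri = entry.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue  # this entry says nothing about our facility
        if pri == "none":
            matched = False
        elif pri == "*":
            matched = True
        else:
            matched = level >= LEVELS.index(pri)
    return matched

def route(rules, facility, priority):
    return [t for s, t in rules if selector_matches(s, facility, priority)]  # [] means dropped

def route_capture(rules, capture):
    found = re.findall(r"SYSLOG (\w+)\.(\w+),", capture)  # facility.priority per tcpdump line
    return {f"{fac}.{pri}": route(rules, fac, pri) for fac, pri in found}
```

Running route_capture(parse_conf(SYSLOG_CONF), CAPTURE) maps authpriv.info to /var/log/secure, cron.info to /var/log/cron and daemon.debug to nothing, which is exactly the "nothing in /var/log/messages" symptom.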
All working in the f5_events file with

local0.*;local4.*                       /var/log/f5_events

Thanks all!!