Red Hat 4 and Red Hat 5 syslog clients sending UDP syslog traffic to an rsyslog server on Red Hat 6

lolaferrari used Ask the Experts™
What's the best way to monitor for UDP syslog traffic coming in from Red Hat 4 and Red Hat 5 syslog clients if it's not arriving at the syslog server? The syslog server is running on a Red Hat 6 server. netstat -taulpe | grep syslog is showing that UDP is listening on all IPs on the server, but I'd like to see if there is any other way apart from running tcpdump -i <nic> port 514. Would watch lsof -a -i:514 show it?
David Favor, Fractional CTO
Distinguished Expert 2018

I prefer tshark; tcpdump will do.

Just because you see a UDP port listener doesn't mean packets are flowing.

Tip: Do an iptables -F on both machines (sender + receiver) + retest. If syslog (well, really rsyslog, if that is what's actually in use) works, then this means you have a firewall problem at one end. Just restart your firewall on one machine + retest. Once you figure out where the problem resides, you can open up the correct port on the correct machine.
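Added example, not from the thread: a shell script that walks the receiving side in the order the answer suggests (listener, firewall, packets on the wire) but inspects the iptables rules rather than flushing them. The netstat, iptables -S and tcpdump output it parses are constructed samples, and eth0, client 10.0.0.5 and server 10.0.0.10 are assumed values.

```shell
#!/bin/sh
# Added example (not from the original thread). Each check reads command output on
# stdin so it can be fed the live command named in its comment or the constructed
# samples at the bottom. Assumed values: eth0, client 10.0.0.5, server 10.0.0.10.

# Check 1: is rsyslog bound to UDP/514?   live: netstat -ulnp | listening_on_udp514
listening_on_udp514() {
    grep -Eq '^udp6? +[0-9]+ +[0-9]+ +[^ ]+:514 '
}

# Check 2: does the INPUT chain let UDP/514 in?   live: iptables -S INPUT | firewall_udp514
# Prints "accept", "blocked" (a catch-all REJECT/DROP or a DROP policy wins first,
# the classic RHEL 6 mistake of appending the rule after the final REJECT) or "no-rule".
firewall_udp514() {
    awk '
        /^-P INPUT (DROP|REJECT)/ { policy = "blocked" }
        result == "" && /^-A INPUT / && /-p udp/ && /--dport 514( |$)/ && /-j ACCEPT/ { result = "accept" }
        result == "" && /^-A INPUT / && /-j (REJECT|DROP)/ && !/--dport/ { result = "blocked" }
        END { if (result == "") result = (policy == "" ? "no-rule" : policy); print result }
    '
}

# Check 3: count datagrams from one client in a capture.
#   live: tcpdump -nn -c 50 -i eth0 udp port 514 | count_udp514_from 10.0.0.5
count_udp514_from() {
    ip=$(printf '%s' "$1" | sed 's/\./\\./g')          # escape dots so the IP is literal
    grep -Ec "^[0-9:.]+ IP $ip\.[0-9]+ > [^ ]+\.514: "
}

# --- constructed sample output standing in for the live commands ---
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               1234/rsyslogd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               1100/ntpd'
SAMPLE_IPTABLES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 514 -j ACCEPT'
SAMPLE_TCPDUMP='10:01:02.111111 IP 10.0.0.5.514 > 10.0.0.10.514: SYSLOG local7.info, length 85
10:01:02.222222 IP 10.0.0.6.514 > 10.0.0.10.514: SYSLOG auth.notice, length 64
10:01:03.333333 IP 10.0.0.5.514 > 10.0.0.10.514: SYSLOG kern.warning, length 91'

printf '%s\n' "$SAMPLE_NETSTAT" | listening_on_udp514 && echo "rsyslog listens on UDP/514"
echo "firewall: $(printf '%s\n' "$SAMPLE_IPTABLES" | firewall_udp514)"
echo "packets from 10.0.0.5: $(printf '%s\n' "$SAMPLE_TCPDUMP" | count_udp514_from 10.0.0.5)"
```

On the sample rule set the firewall check reports "blocked", because the 514 ACCEPT rule sits after the catch-all REJECT and is never reached; moving it above the REJECT (iptables -I INPUT rather than -A) is the fix, without flushing the whole table.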
