Diagnose LAN syslog receiving

I need some help with syslogd. I am receiving messages from a Linux box on port 514 UDP. I use tcpdump to see headers like this in Terminal:

22:31:43.998222 IP 192.168.1.3.dls-monitor > gnarlodious-cube.syslog: UDP, length: 189

where 192.168.1.3 is the addy of the linux box. I am attempting to log the messages to file /var/log/LAN.log

I understand the syslog.conf file needs to be configured to recognize a "Facility Code" like local7.* but don't understand this part.

Can anyone help me figure out why I don't get any text in the designated logfile? Network diagnosis tools?

Mac OS X (10.4.10)

Posted on Jul 2, 2007 10:19 PM


Jul 3, 2007 2:33 AM in response to Gnarlodious

Are you asking how to configure syslog.conf to capture the messages? It sounds like you've tried that but it hasn't worked for some reason...?

Showing your syslog.conf changes would be useful.

You have also restarted syslogd, right? (configuration changes are only reflected after syslogd restarts). If not:

    sudo killall -HUP syslogd

If you're just looking to see what's in the messages without actually logging them, tcpdump would help there:

    sudo tcpdump -A -i <interface> host 192.168.1.3 and port syslog

(where <interface> is the interface you want to listen on - typically en0 or en1)

Jul 3, 2007 4:13 PM in response to Gnarlodious

For OSX to be a loghost, you need to start syslogd with the -u switch. In Tiger, you can edit /System/Library/LaunchDaemons/com.apple.syslogd.plist and change the second string of ProgramArguments to the -u. Here's mine:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.syslogd</string>
<key>ServiceDescription</key>
<string>Apple System Log Daemon</string>
<key>OnDemand</key>
<false/>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/syslogd</string>
<string>-u</string>
</array>
<key>ServiceIPC</key>
<false/>
</dict>
</plist>

Just make sure that the firewall is allowing 514/UDP to pass and you should be good after restarting syslogd.


Separating the Linux box's messages to another file is something that I don't know how to do/don't think it can be done. AFAIK, syslogd doesn't distinguish between local and remote messages. So if you target one facility, it's going to go to whatever file whether the Linux box sent the message or whether the OSX box sent the message.

I have ~50 machines logging to my server. When I read the file raw, it is a mess. If I want to pick out a machine, I grep the log for the machine's name or address (or both) and I can isolate the machine easily and quickly.

Perhaps the syslogd and syslog.conf man pages have something to customize it more for you.

Roger

Jul 4, 2007 7:50 PM in response to Camelot

OK, first I enabled receiving UDP network messages with this command:

sudo defaults write /System/Library/LaunchDaemons/com.apple.syslogd ProgramArguments -array-add -u



After restarting syslogd, I use this command:

sudo tcpdump -s 0 -A -i en1 host 192.168.1.4 and port syslog



Here is what is coming in:

    ..m..@.@.."....... .....Y..<30>Dec 31 17:00:18 dnsmasq[223]: using local addresses only for domain localnet.
    20:31:19.597554 IP wi-fi.dls-monitor > gnarlodious-pb.syslog: UDP, length: 82

So that part is working OK. With the file /etc/syslog.conf in default condition, shouldn't the incoming lines be written to the system.log file?
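The "Facility Code" the original question asks about is carried in the `<30>` prefix visible in the tcpdump output above. The following is an added example, not code from anyone in this thread: it decodes that PRI value the way BSD syslogd does (facility * 8 + severity) and checks it against syslog.conf selectors, which shows why a `local7.*` line would never catch the dnsmasq message (it is facility `daemon`, severity `info`). The sample datagram is constructed from the payload quoted above.

```python
import re
from typing import List, Optional

# Standard BSD / RFC 3164 facility codes 0..23 and severity codes 0..7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def decode_pri(line: str) -> Optional[dict]:
    """Split the <PRI> prefix of a syslog datagram into facility/severity names.
    Returns None when the line has no PRI or the value is out of range."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # 23*8 + 7 is the largest legal PRI
        return None
    fac, sev = divmod(pri, 8)
    return {"facility": FACILITIES[fac], "severity": SEVERITIES[sev],
            "message": m.group(2)}

def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Apply one syslog.conf selector such as 'local7.*' or 'daemon.info'.
    BSD semantics: a level selects that level and everything more severe."""
    fac_part, lvl_part = selector.split(".", 1)
    if fac_part != "*" and facility not in fac_part.split(","):
        return False
    if lvl_part == "*":
        return True
    if lvl_part == "none":
        return False
    return SEVERITIES.index(severity) <= SEVERITIES.index(lvl_part)

def which_selectors_match(line: str, selectors: List[str]) -> List[str]:
    """Return the selectors that would route this datagram to their logfile."""
    info = decode_pri(line)
    if info is None:
        return []
    return [s for s in selectors
            if selector_matches(s, info["facility"], info["severity"])]

# Constructed sample: the datagram payload shown in the tcpdump capture above.
SAMPLE = "<30>Dec 31 17:00:18 dnsmasq[223]: using local addresses only for domain localnet."

if __name__ == "__main__":
    print(decode_pri(SAMPLE))
    print(which_selectors_match(SAMPLE, ["local7.*", "daemon.info", "daemon.err", "*.*"]))
```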
