
Need to forward syslog messages

 


Here is my box info:

msphnyc0:uname -a
HP-UX msphnyc0 B.10.20 B 9000/889 1609445731 16-user license


Here is my /etc/syslog.conf file:

# @(#) $Revision: 74.1 $
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
#This line added 23DEC04 by bkjb830 for Micromuse
*.emerg;*.alert;*.crit;*.warning @156.145.231.144
#
mail.debug /var/adm/syslog/mail.log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *


After I added the 156.145.231.144 line to the syslog.conf file, I did a kill -HUP on the PID for the syslogd daemon. However, the syslog messages are not being forwarded to 156.145.231.144.

Any ideas why??

Thanks..

-cd
RAC_1
Honored Contributor

Re: Need to forward syslog messages

There must be a tab between your entries. (Between the first column and the second column.) Also divide your entry as follows.

*.emerg;*.alert;*.crit;*.warning @156.145.231.144

*.emerg @xx.yy.xx.xx.x

Also make sure that port (514) udp is open. This port is used for remote syslogs.

Anil
There is no substitute to HARDWORK

Re: Need to forward syslog messages

RAC:

The tab is there...it simply did not show up when I copied/pasted the file into this forum.

Any other ideas??


-cd

Sanjay_6
Honored Contributor

Re: Need to forward syslog messages

Hi robert,

Why don't you try logging to both your local system and the remote syslog server? If it logs to your local host and doesn't to your syslog host, we'll know that the problem is with logging to the remote host. Else the problem might be with the stuff you are logging, syntax or things like that.

Try
*.emerg;*.alert;*.crit;*.warning	/var/adm/syslog/syslog.log
*.emerg;*.alert;*.crit;*.warning	@156.145.231.144

Restart syslogd. Now check the syslog log on localhost as well as the remote host. Check and see if it is logging at one place only or at both the places.
Hope this helps.

Regds

Re: Need to forward syslog messages

The system is logging successfully to /var/adm/syslog/syslog.log. It does not, however, get sent to the remote syslog server.

I did a netstat -a | grep 514 and found no udp processes running on that port. I checked for port 514 in several other Solaris boxes which are logging syslog successfully, and they did not have anything running on udp 514 either.

-cd
Sanjay_6
Honored Contributor

Re: Need to forward syslog messages

Hi Robert,

Check and see if port 540 is not disabled on both the servers, server that is sending syslog alert and the syslog server.

Take a look at this thread from itrc. This is about how to prevent remote syslog logging, but it may be useful in your case too.

http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000065680032

The itrc doc id is KBRC00002007.

Hope this helps.

Regds
Sanjay_6
Honored Contributor

Re: Need to forward syslog messages

Hi,

Typo mistake,

It should be port 514 and not 540.

Sorry abt that.

Thanks
Sanjay

Re: Need to forward syslog messages

Further investigation into this looks like some messages ARE making it to the syslog server, but not "su" messages. In other words, I kept trying to su - root, then I would give it a bogus root password hoping that the syslog message would be created then sent to the syslog server. Since the su messages were not showing up, I just assumed that it was not working. Now I see that a couple of other messages did make it to the syslog server. But...why won't the su messages get sent??

-cd

Sanjay_6
Honored Contributor

Re: Need to forward syslog messages

Hi,

You need to log auth.info to the remote syslog server for this "su" info to be logged to the remote server.

Hope this helps.

Regds
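
An added example, not part of the original thread and not HP-UX code: a small evaluator for classic syslogd selector rules, run over the syslog.conf from the first post, to show where a message of a given facility and level is delivered. It assumes the usual BSD syslogd semantics (a level selects that level and everything more severe, later selectors in a rule override earlier ones, "none" excludes a facility) and, following the reply above, that the su messages arrive as auth.info; the function names are hypothetical.

```python
# Added example: evaluates classic syslogd selector rules (not HP-UX source code).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
NONE = -1  # threshold meaning "never select this facility"

# Rules from the syslog.conf in the first post (comments dropped, tabs restored).
CONF = """\
*.emerg;*.alert;*.crit;*.warning\t@156.145.231.144
mail.debug\t/var/adm/syslog/mail.log
*.info;mail.none\t/var/adm/syslog/syslog.log
*.alert\t/dev/console
*.alert\troot
*.emerg\t*
"""

def parse(conf):
    """Return [(selectors, action)]; insists on a tab, as the first reply does."""
    rules = []
    for line in conf.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if "\t" not in line:
            raise ValueError("no tab between selector and action: %r" % line)
        selector, action = line.split("\t", 1)
        rules.append((selector.split(";"), action.strip()))
    return rules

def selected(selectors, facility, level):
    """Apply selectors left to right; a later match overrides an earlier one."""
    threshold = NONE
    for sel in selectors:
        facs, lvl = sel.rsplit(".", 1)
        if "*" in facs.split(",") or facility in facs.split(","):
            threshold = NONE if lvl == "none" else LEVELS.index(lvl)
    # Lower index = more severe; a rule takes its level and everything above it.
    return threshold != NONE and LEVELS.index(level) <= threshold

def destinations(conf, facility, level):
    """List every action that would receive a facility.level message."""
    return [action for sels, action in parse(conf)
            if selected(sels, facility, level)]

if __name__ == "__main__":
    # Assumption: su failures are logged at auth.info, per the reply above.
    for msg in (("auth", "info"), ("auth", "warning"), ("mail", "info")):
        print("%s.%s ->" % msg, destinations(CONF, *msg))
```

With the posted file, an auth.info message reaches only the local syslog.log; appending ;auth.info to the selector of the forwarding rule adds the remote host for that facility without lowering the threshold for the others.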

Re: Need to forward syslog messages

I changed syslog.conf to include *.info, then I restarted the syslog daemon. I then tried su - root again with bogus password. It still will not log to the remote syslog server.

-cd