topic Re: ipfilter won't log via syslog in Operating System - HP-UX

ipfilter won't log via syslog

Brian McEntire — Sat, 09 Aug 2003 01:26:12 GMT

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x7a02449e75f2274cbc1e14ed8799f571,00.html

Hi, sorry to cross post. (Is there a better way than just including the link above?)

I recently upgraded a K100 from HP-UX 10.20 to 11i and I am thrilled with the availability of Bastille and IPFilter. Thanks HP!

I've installed both and both are generally working well.

However, I cannot get ipfilter to log via syslog.

ipmon -sD is running

and, I can see ipf rejecting and loging packets when I run ipmon with no parms (output to stdout.)

But I just can't seem to get it to log via syslog. I'd really like to do that because syslog.conf on the system is already setup to log *.info to a log host.

Any help would be much appreciated!

Re: ipfilter won't log via syslog

Steven Sim Kok Leong — Sat, 09 Aug 2003 23:18:00 GMT

Hi,

Can you show us your /etc/syslog.conf?

ipmon uses LOG_INFO, LOG_NOTICE, LOG_WARNING, and LOG_ERR levels to log different actions/packets through syslog using the local0 facility.

Check out those lines in your syslog.conf that sends to /dev/console or root.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: ipfilter won't log via syslog

Andrew Cowan — Mon, 11 Aug 2003 04:00:10 GMT

Hi,

Are you sure that you used "" between your fields in "/etc/syslog.conf" and not spaces?. Also remember that your logfile must exist and be readable before you (re)start the syslog daemon.

E.g.

local4.debug/var/adm/ipsec.log

Re: ipfilter won't log via syslog

Brian McEntire — Mon, 11 Aug 2003 16:39:27 GMT

Here is my syslog.conf:

[newkf_root]$cat /etc/syslog.conf
# @(#) $Revision: 74.1 $
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug /var/adm/syslog/mail.log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *
#
#log to a remote host
*.info @watcher

[watcher and its FQDN are specified in /etc/hosts]

I double checked and all white space is tabs-only.

I stopped and restarted syslogd and ipmon -sD. Still no logging. I am completely stumped. Know anymore ideas or troubleshootings steps I can take?

By running ipstat, I can see rejected packets and they the number of rejected packets that are logged (as reported by that command) increments over time. None are recoreded to syslog.log. Syslogd appears to be working fine though, other events are being logged via syslog.

Re: ipfilter won't log via syslog

Andrew Cowan — Wed, 13 Aug 2003 06:18:44 GMT

I have seen this problem before, and crazy though it sounds, you could try moving the "@watcher" line above the "syslog.log" line.

Is the "syslogd" on the "watcher" server configured to allow remote connections. I seem to remember a HP patch that disabled the function. Ensure that you don't have the "-N" option activated. Syslog uses:

syslog 514/udp # remote system logging

This port must be allow by "/etc/hosts.allow" if your using TCP Wrappers, and/or "/var/adm/inetd.sec"?

The only other suggestion I can think of is to kill entirely the "syslogd" daemon and then restart it, and see if any of this helps?

Andrew

Re: ipfilter won't log via syslog

Steven Sim Kok Leong — Wed, 13 Aug 2003 12:22:36 GMT

Hi,

Try adding this into /etc/syslog.conf:

local0.* /var/adm/syslog/syslog.log

Hope this helps. Regards.

Steven Sim Kok Leong

Re: ipfilter won't log via syslog

Darren Prior — Wed, 13 Aug 2003 12:46:04 GMT

Hi,

You could try using the logger command to test the various parts of your syslog.conf, ie send unique logger messages at the different priority levels and check they appear in the right place. Also (as someone suggested earlier) the order of the lines in the syslog.conf file are important due to the way that data is filtered through them. See the man pages for syslogd and syslog(3c) for further info.

regards,

Darren.

Re: ipfilter won't log via syslog

Brian McEntire — Wed, 13 Aug 2003 13:32:13 GMT

Hmmm... I think it is narrowed down to ipmon -sD not working properly.

Thanks for the suggestions Andrew. I tried moving the @watcher line to the top of my syslog.conf file. It didn't help ipmon though.

On the other hand, I tested syslog with 'logger' from the command line and the test message was successfully logged to both the local syslog.log file and to the remote log host. Syslogd seems to be doing it's job.

So why isn't iplog logging via syslogd? When I run iplog at the command line, I do see rejected packets logged to the stdout... so it kind works. But it just won't log via syslog when I run it with -sD.

Any ideas?

Re: ipfilter won't log via syslog

Brian McEntire — Wed, 13 Aug 2003 13:35:54 GMT

[newkf_root]$logger -p local0.info test log fac - local0, level - info

Test logged message shows up in both local hosts syslog.log file and gets logged properly on the log host.

Seems like this has to be an ipmon problem?