HPE Community
Operating System - HP-UX
1833787 Members
2412 Online
110063 Solutions
New Discussion

ipfilter won't log via syslog

 
SOLVED
Go to solution
Brian McEntire
Frequent Advisor

‎08-08-2003 06:26 PM

‎08-08-2003 06:26 PM

ipfilter won't log via syslog

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x7a02449e75f2274cbc1e14ed8799f571,00.html

Hi, sorry to cross post. (Is there a better way than just including the link above?)

I recently upgraded a K100 from HP-UX 10.20 to 11i and I am thrilled with the availability of Bastille and IPFilter. Thanks HP!

I've installed both and both are generally working well.

However, I cannot get ipfilter to log via syslog.

ipmon -sD is running

and, I can see ipf rejecting and loging packets when I run ipmon with no parms (output to stdout.)

But I just can't seem to get it to log via syslog. I'd really like to do that because syslog.conf on the system is already setup to log *.info to a log host.

Any help would be much appreciated!
0 Kudos
Reply
8 REPLIES 8
Steven Sim Kok Leong
Honored Contributor

‎08-09-2003 04:18 PM

‎08-09-2003 04:18 PM

Re: ipfilter won't log via syslog

Hi,

Can you show us your /etc/syslog.conf?

ipmon uses LOG_INFO, LOG_NOTICE, LOG_WARNING, and LOG_ERR levels to log different actions/packets through syslog using the local0 facility.

Check out those lines in your syslog.conf that sends to /dev/console or root.

Hope this helps. Regards.

Steven Sim Kok Leong
Reply
Andrew Cowan
Honored Contributor

‎08-10-2003 09:00 PM

‎08-10-2003 09:00 PM

Re: ipfilter won't log via syslog

Hi,

Are you sure that you used "" between your fields in "/etc/syslog.conf" and not spaces?. Also remember that your logfile must exist and be readable before you (re)start the syslog daemon.

E.g.

local4.debug/var/adm/ipsec.log
Reply
Brian McEntire
Frequent Advisor

‎08-11-2003 09:39 AM

‎08-11-2003 09:39 AM

Re: ipfilter won't log via syslog

Here is my syslog.conf:

[newkf_root]$cat /etc/syslog.conf
# @(#) $Revision: 74.1 $
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug /var/adm/syslog/mail.log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *
#
#log to a remote host
*.info @watcher

[watcher and its FQDN are specified in /etc/hosts]

I double checked and all white space is tabs-only.

I stopped and restarted syslogd and ipmon -sD. Still no logging. I am completely stumped. Know anymore ideas or troubleshootings steps I can take?

By running ipstat, I can see rejected packets and they the number of rejected packets that are logged (as reported by that command) increments over time. None are recoreded to syslog.log. Syslogd appears to be working fine though, other events are being logged via syslog.
0 Kudos
Reply
Andrew Cowan
Honored Contributor

‎08-12-2003 11:18 PM

‎08-12-2003 11:18 PM

Re: ipfilter won't log via syslog

I have seen this problem before, and crazy though it sounds, you could try moving the "@watcher" line above the "syslog.log" line.

Is the "syslogd" on the "watcher" server configured to allow remote connections. I seem to remember a HP patch that disabled the function. Ensure that you don't have the "-N" option activated. Syslog uses:

syslog 514/udp # remote system logging

This port must be allow by "/etc/hosts.allow" if your using TCP Wrappers, and/or "/var/adm/inetd.sec"?

The only other suggestion I can think of is to kill entirely the "syslogd" daemon and then restart it, and see if any of this helps?

Andrew
Reply
Steven Sim Kok Leong
Honored Contributor

‎08-13-2003 05:22 AM

‎08-13-2003 05:22 AM

Re: ipfilter won't log via syslog

Hi,

Try adding this into /etc/syslog.conf:

local0.* /var/adm/syslog/syslog.log

Hope this helps. Regards.

Steven Sim Kok Leong
Reply
Darren Prior
Honored Contributor

‎08-13-2003 05:46 AM

‎08-13-2003 05:46 AM

Solution

Re: ipfilter won't log via syslog

Hi,

You could try using the logger command to test the various parts of your syslog.conf, ie send unique logger messages at the different priority levels and check they appear in the right place. Also (as someone suggested earlier) the order of the lines in the syslog.conf file are important due to the way that data is filtered through them. See the man pages for syslogd and syslog(3c) for further info.

regards,

Darren.
Calm down. It's only ones and zeros...
Reply
Brian McEntire
Frequent Advisor

‎08-13-2003 06:32 AM

‎08-13-2003 06:32 AM

Re: ipfilter won't log via syslog

Hmmm... I think it is narrowed down to ipmon -sD not working properly.

Thanks for the suggestions Andrew. I tried moving the @watcher line to the top of my syslog.conf file. It didn't help ipmon though.

On the other hand, I tested syslog with 'logger' from the command line and the test message was successfully logged to both the local syslog.log file and to the remote log host. Syslogd seems to be doing it's job.

So why isn't iplog logging via syslogd? When I run iplog at the command line, I do see rejected packets logged to the stdout... so it kind works. But it just won't log via syslog when I run it with -sD.

Any ideas?
0 Kudos
Reply
Brian McEntire
Frequent Advisor

‎08-13-2003 06:35 AM

‎08-13-2003 06:35 AM

Re: ipfilter won't log via syslog

[newkf_root]$logger -p local0.info test log fac - local0, level - info


Test logged message shows up in both local hosts syslog.log file and gets logged properly on the log host.

Seems like this has to be an ipmon problem?
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.