
Re: syslog - loghost

Nobody's Hero
Valued Contributor

syslog - loghost

I am trying to get my system to talk on 514 so the loghost setup will work.
I get this:

#telnet localhost 514
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

/etc/services looks good.
/etc/syslog.conf looks good.

Not sure what else to check. I am using tcp wrappers....
UNIX IS GOOD
4 REPLIES
Nobody's Hero
Valued Contributor

Re: syslog - loghost

Can't get 514 to listen:

#netstat -anf inet | grep 514
*.514 Idle
UNIX IS GOOD
Matti_Kurkela
Honored Contributor

Re: syslog - loghost

Syslog uses UDP, not TCP.

Only TCP services can be tested with telnet.

Use the "logger" command to test syslog transmission over the network.

MK
Nobody's Hero
Valued Contributor

Re: syslog - loghost

I guess I am more concerned why I can't telnet to localhost 514.

I've been working on this all day.
On one box I get this:

#telnet localhost 514
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection to localhost closed by foreign host.

On the problem box, I get this:
# telnet localhost 514
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

I just can't figure it out, what's stopping it.

UNIX IS GOOD
Matti_Kurkela
Honored Contributor
Solution

Re: syslog - loghost

514/UDP is syslog, while 514/TCP is remshd service. See "grep 514 /etc/services" and cross-reference to /etc/inetd.conf.

Apparently your problem host has remshd service completely disabled, while the other has it enabled (although possibly protected with a tcpwrapper: a connection that closes immediately after opening is the signature of tcpwrapper rejecting a connection).

The (in-)ability to telnet to port 514/TCP is completely unrelated to the functioning of syslog at 514/UDP.

The TCP and UDP protocols don't share a port number space: both protocols have completely independent sets of 65535 port numbers, although some protocols have been assigned both types of ports for historical reasons (see /etc/services for examples).

The most critical log messages are often something like "HELP! I'm crashing because of X". In a situation like that, the most important thing is to get the message out as quickly as possible, while the system still can do it.

TCP requires a three-way handshake for establishing a connection, which is less than ideal for logging. Syslog is a connectionless "fire-and-forget" protocol, which requires the use of UDP.

MK
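
The behaviour described in the accepted answer, as an added example that is not part of the original thread: a UDP receiver is bound on a loopback port, a TCP connect to the same port number is refused, and a syslog-style datagram sent over UDP still arrives. It assumes an ephemeral loopback port as a stand-in for 514 (binding 514 needs root); the function names and the test message are made up for illustration.

```python
import socket

LOOPBACK = "127.0.0.1"


def syslog_pri(facility: int, severity: int) -> int:
    """BSD syslog priority value: facility * 8 + severity."""
    return facility * 8 + severity


def probe_same_port_number():
    """Return (tcp_result, received_datagram) for one shared port number."""
    # Stand-in for syslogd: a UDP socket on an ephemeral loopback port.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind((LOOPBACK, 0))
    rx.settimeout(2)
    port = rx.getsockname()[1]

    # What "telnet localhost <port>" does: a TCP connect. Nothing listens
    # on this number in the TCP port space, so the kernel refuses it.
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.settimeout(2)
    try:
        tcp.connect((LOOPBACK, port))
        tcp_result = "connected"
    except ConnectionRefusedError:
        tcp_result = "refused"
    finally:
        tcp.close()

    # What a syslog client does: one datagram, no handshake.
    # Facility 1 (user), severity 5 (notice) -> "<13>".
    msg = f"<{syslog_pri(1, 5)}>loghost-test: hello".encode()
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.sendto(msg, (LOOPBACK, port))
    tx.close()

    data, _ = rx.recvfrom(1024)
    rx.close()
    return tcp_result, data


if __name__ == "__main__":
    tcp_result, data = probe_same_port_number()
    print("TCP connect to the UDP receiver's port number:", tcp_result)
    print("UDP datagram received:", data.decode())
```
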