Trouble getting remote syslog to work

Answered Question
Jul 9th, 2007

I have remote syslogging enabled on my 6509 pointing to a Solaris 10 box. The sh log says it is sending log messages, but the solaris box is not getting them.

Here is the config for the 6500 :

logging facility local6
logging trap informational
logging source-interface Loopback0
logging 192.168.210.100
service timestamps debug datetime localtime
service timestamps log datetime localtime
no logging console
ip nat log translations syslog
logging on

Solaris syslog box :

local6.debug /var/log/switches
local6.info /var/log/switches

sh log :

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 35 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 461053 messages logged
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 3762 message lines logged
Logging to 165.112.68.62, 3762 message lines logged
Logging to 165.112.4.62, 3762 message lines logged
Logging to 128.231.210.100, 3758 message lines logged

When I sh log, it says that over 3000 lines were logged to the server, but they don't seem to get there. I have checked the IP and can ping it, port 514 is open on the server, permissions were set by the box admin, etc. I am kinda at a loss what to do next.

Any suggestions?

Thanks

Poirot

Joe Clarke Mon, 07/09/2007 - 11:58

Check ps -efl | grep syslogd. Chances are it's running with the -t flag, which disables network syslog reception. If you modify your syslogd startup settings to remove this flag, syslogd will accept network messages.

If you find that -t is not the case, check your /etc/syslog.conf for the local6 facility. Make sure the messages are going to the correct file, and that there are NO SPACES (tabs only) on the local6 line. Make sure this file exists.

Finally, try restarting syslogd so that it can properly re-open the destination log file.

poirot1967 Mon, 07/09/2007 - 12:14

Thanks for the reply. The admin has tested the syslog server from other networked machines, and they are able to send logs just fine. Looks like a configuration issue on my side.

Thanks

Poirot

Joe Clarke Mon, 07/09/2007 - 12:16

Are they logging to the same file? It's not clear from this output if the syslog.conf file is using spaces or tabs on those lines. Lines with spaces will be silently ignored.

You might also want to try putting a sniffer on the Solaris box to verify that the messages are actually reaching the server, and that they are not being blocked.

poirot1967 Mon, 07/09/2007 - 12:28

They are logging to the same file. I confirmed that there are indeed tabs in the conf file. I will try the sniffer tomorrow. The syslog server is offsite from where the 6500 is located. If worst comes to worst, I will just use Kiwi on a PC box till I can get this settled.

Thanks

Poirot

Richard Burts Mon, 07/09/2007 - 13:05

Poirot

I am a bit confused by what seems to be a mismatch in the material that you posted. The config section shows logging to a single host at address 192.168.210.100. The show log output indicates that there are 3 log servers but none of them are 192.168.210.100 (they are 165.112.68.62, 165.112.4.62, and 128.231.210.100). Can you clarify this?

HTH

Rick

poirot1967 Wed, 07/11/2007 - 06:29

Sorry for the delay. Oops, that was a typo, it was supposed to be 128.

I was able to solve why it was not logging to the server. I had the source interface set to the loopback0. I followed the wrong instructions. I removed it and it started sending log messages, just not the messages I wanted. Looks like I have a bad trap or facility statement. What I am getting:

%IPNAT-4-ADDR_ALLOC_FAILURE: Address allocation failed for 192.168.33.101, pool niscpool might be exhausted

Which is fine, but what I need is more like:

T-6-NAT_CREATED: Created udp 192.168.33.26:3331 137.187.44.106:1078 156.40.70.10:53 156.40.70.10:53

Here is part of the top of the log on the 6500:

NISC_6509#sh log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 310 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 773601 messages logged
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 17935 message lines logged

Suggestions?

TIA

Poirot

Joe Clarke Wed, 07/11/2007 - 06:39

Actually, these NAT messages are not real syslog messages. They are actually sent using the debugging method, but they are made to look like syslog messages. You will actually need to add:

logging trap debug

To see these messages logged.

poirot1967 Wed, 07/11/2007 - 07:49

Ok. I did the logging trap debug, but I still am not getting the NAT translations logged to the server. Here are my settings as of now:

ip nat log translations syslog
logging trap debugging
logging 128.231.210.100

>sh log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 418 flushes, 0 overruns)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 790725 messages logged
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level debugging, 32243 message lines logged
Logging to 128.231.210.100, 32239 message lines logged

So all the levels are set to debug on the switch. Should I also change the logging facility back to local7 or syslog?

TIA

Poirot

Correct Answer
Joe Clarke Wed, 07/11/2007 - 08:00

Don't change the facility unless your server is using a different facility. Has the config of the server changed? That is, do you still have local6.debug in syslog.conf? Can you put a sniffer on the device side to see if the messages are actually being sent out?
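The two server-side checks Joe raises in this thread (tabs rather than spaces in syslog.conf, syslogd started with -t; and a facility on the switch that the server's selector lines do not match) can be exercised offline with the following small checker. This is an added example, not code from the thread, from Cisco or from Sun: it assumes the classic BSD/Solaris syslog.conf syntax of selector<TAB>action and the BSD syslog PRI encoding (facility * 8 + severity), and every conf line, process line and message below is constructed for the demonstration.

```python
"""Added example, not part of the original thread: a small checker for the
server-side failure modes discussed above, written for classic BSD/Solaris
syslog.conf syntax (selector<TAB>action). All sample data below is constructed."""
import re

# Facility and severity codes as defined in RFC 3164 / <sys/syslog.h>.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def parse_pri(message):
    """Decode the <PRI> prefix of a BSD syslog datagram into (facility, severity).
    PRI = facility * 8 + severity, so local6.info is <182> and local6.debug <183>."""
    m = re.match(r"<(\d{1,3})>", message)
    if not m:
        raise ValueError("message has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    return pri // 8, pri % 8


def parse_syslog_conf(text):
    """Parse syslog.conf text into (rules, problems).

    Each rule is (facility_code or None for '*', max_severity_code, action).
    Lines whose selector and action are separated by spaces rather than a TAB
    are reported as problems and produce no rule, mirroring how old syslogd
    silently ignores them."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if "\t" not in line:
            problems.append("line %d: no TAB between selector and action "
                            "(spaces only, so syslogd ignores it)" % lineno)
            continue
        selector, action = line.split("\t", 1)
        action = action.strip()
        for part in selector.strip().split(";"):
            fac_part, _, sev_name = part.partition(".")
            if sev_name == "none":
                continue  # exclusion selectors are out of scope for this checker
            if sev_name not in SEVERITIES:
                problems.append("line %d: unknown severity %r" % (lineno, sev_name))
                continue
            for fac_name in fac_part.split(","):
                if fac_name == "*":
                    rules.append((None, SEVERITIES[sev_name], action))
                elif fac_name in FACILITIES:
                    rules.append((FACILITIES[fac_name], SEVERITIES[sev_name], action))
                else:
                    problems.append("line %d: unknown facility %r" % (lineno, fac_name))
    return rules, problems


def destinations_for(rules, message):
    """Actions whose selector accepts the message. A selector 'fac.sev' matches
    that severity and everything more urgent (numerically lower), so a
    local6.debug line already covers local6.info."""
    facility, severity = parse_pri(message)
    return sorted({action for fac, max_sev, action in rules
                   if (fac is None or fac == facility) and severity <= max_sev})


def remote_reception_disabled(ps_line):
    """True when a `ps -efl` line shows syslogd started with -t, which on
    Solaris stops it listening for network (UDP/514) messages."""
    if "syslogd" not in ps_line:
        raise ValueError("not a syslogd process line")
    return re.search(r"\s-t(?:\s|$)", ps_line) is not None


# Constructed samples: the conf from the thread written with a TAB, the same
# lines written with spaces, a syslogd process line carrying -t, and two
# messages differing only in facility (local6 vs the local7 Poirot asks about).
GOOD_CONF = "local6.debug\t/var/log/switches\nlocal6.info\t/var/log/switches\n"
BAD_CONF = "local6.debug /var/log/switches\nlocal6.info /var/log/switches\n"
PS_LINE = "8 S root 189 1 0 40 20 ? 480 ? Jul09 ? 0:01 /usr/sbin/syslogd -t"
LOCAL6_INFO_MSG = "<182>Jul 11 07:49:01 NISC_6509 constructed local6.info message"
LOCAL7_INFO_MSG = "<190>Jul 11 07:49:01 NISC_6509 constructed local7.info message"

if __name__ == "__main__":
    for label, conf in (("tab-separated", GOOD_CONF), ("space-separated", BAD_CONF)):
        rules, problems = parse_syslog_conf(conf)
        print(label, "problems:", problems or "none")
        for msg in (LOCAL6_INFO_MSG, LOCAL7_INFO_MSG):
            print("  ", msg[:5], "->", destinations_for(rules, msg) or "dropped")
    print("syslogd -t present:", remote_reception_disabled(PS_LINE))
```

Running it shows the three outcomes the thread walks through: with the tab-separated conf a local6 message lands in /var/log/switches whether it is info or debug, the same message is dropped when the conf lines use spaces, and a local7 message is dropped by either conf because no selector names that facility, which is why changing the facility on the switch only helps if the server's selectors change with it.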

poirot1967 Wed, 07/11/2007 - 09:43

That was it. I had the admin make the change to the conf file, and the translations started flooding in, literally. Now I just have to find somewhere to store them all!

Thanks for all your help.

Poirot
