Re: Syslog problem
Never mind, I realize that's not the source origination port, but its
destination port. There I go replying again. I'll quit while I'm behind...

Chuck

On Sun, 9 Mar 2003, Dean Strik wrote:

> Chuck Rock wrote:
> > On Sat, 8 Mar 2003, Michael K. Smith wrote:
> > > This might be your issue, because you haven't specified the service after
> > > your subnet. Try the following:
> > >
> > > /usr/sbin/syslogd -a 207.206.185.1/27:* -a 209.83.132.1/27:*
> >
> > According to the man page, that just specifies what port to listen on. By
> > default it's 514 syslog port.
>
> No, that's not what it says. I quote:
>
>      ipaddr/masklen[:service]
>      [...]
>      If specified, _service_ is the name or number of an UDP service (see
>      services(5)) the source packet must belong to.
>
> In other words, it's the port the remote syslog is sending from, not the
> port the local syslogd is listening on.
>
> --
> Dean C. Strik                  Eindhoven University of Technology
> [EMAIL PROTECTED] | [EMAIL PROTECTED] | http://www.ipnet6.org/
> "This isn't right. This isn't even wrong." -- Wolfgang Pauli

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
Re: Syslog problem
OK, this does make some sense reading it a few more times. I did include
the output of snort which clearly shows the packets coming from port 514
(syslog) which this also says is the default accept port from the source
address. This should have worked anyway, shouldn't it?

I appreciate the help from everyone.

Thanks,
Chuck

On Sun, 9 Mar 2003, Dean Strik wrote:

> Chuck Rock wrote:
> > On Sat, 8 Mar 2003, Michael K. Smith wrote:
> > > This might be your issue, because you haven't specified the service after
> > > your subnet. Try the following:
> > >
> > > /usr/sbin/syslogd -a 207.206.185.1/27:* -a 209.83.132.1/27:*
> >
> > According to the man page, that just specifies what port to listen on. By
> > default it's 514 syslog port.
>
> No, that's not what it says. I quote:
>
>      ipaddr/masklen[:service]
>      [...]
>      If specified, _service_ is the name or number of an UDP service (see
>      services(5)) the source packet must belong to.
>
> In other words, it's the port the remote syslog is sending from, not the
> port the local syslogd is listening on.
>
> --
> Dean C. Strik                  Eindhoven University of Technology
> [EMAIL PROTECTED] | [EMAIL PROTECTED] | http://www.ipnet6.org/
> "This isn't right. This isn't even wrong." -- Wolfgang Pauli
Re: Syslog problem
Chuck Rock wrote:
> On Sat, 8 Mar 2003, Michael K. Smith wrote:
> > This might be your issue, because you haven't specified the service after
> > your subnet. Try the following:
> >
> > /usr/sbin/syslogd -a 207.206.185.1/27:* -a 209.83.132.1/27:*
>
> According to the man page, that just specifies what port to listen on. By
> default it's 514 syslog port.

No, that's not what it says. I quote:

     ipaddr/masklen[:service]
     [...]
     If specified, _service_ is the name or number of an UDP service (see
     services(5)) the source packet must belong to.

In other words, it's the port the remote syslog is sending from, not the
port the local syslogd is listening on.

--
Dean C. Strik                  Eindhoven University of Technology
[EMAIL PROTECTED] | [EMAIL PROTECTED] | http://www.ipnet6.org/
"This isn't right. This isn't even wrong." -- Wolfgang Pauli
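An added illustration, not code from the thread or from FreeBSD's syslogd: a Python model of the `-a ipaddr/masklen[:service]` peer check as Dean reads it (the service part is matched against the sender's source port, `*` means any port), run against the source address and ephemeral port 54139 seen in Chuck's snort capture, plus a decoder for the `<PRI>` header that gives the local7 facility and severities 3 and 5 Chuck points out. Assumptions: the default of the syslog port (514) when `:service` is omitted is taken from the thread's reading of the man page, and the captured datagram is reconstructed from the snort output.

```python
import ipaddress
import re
import socket

SYSLOG_PORT = 514  # "syslog" in services(5); assumed default when :service is omitted


def parse_allow_spec(spec):
    """Parse one syslogd -a argument, ipaddr/masklen[:service], into
    (network, required_source_port). None means any source port (':*')."""
    addr, _, service = spec.partition(":")
    # strict=False: host bits may be set, as in 207.206.185.1/27 from the thread
    net = ipaddress.ip_network(addr, strict=False)
    if service == "":
        return net, SYSLOG_PORT
    if service == "*":
        return net, None
    if service.isdigit():
        return net, int(service)
    return net, socket.getservbyname(service, "udp")  # a name such as "syslog"


def peer_allowed(allow_specs, src_ip, src_port):
    """Model of the -a check: the sender's address and *source* port must match
    one spec; the destination port (514 on the local box) plays no part."""
    ip = ipaddress.ip_address(src_ip)
    for net, port in map(parse_allow_spec, allow_specs):
        if ip in net and (port is None or port == src_port):
            return True
    return False


def decode_pri(message):
    """Return (facility, severity) from the leading <PRI> of a syslog datagram."""
    m = re.match(r"<(\d{1,3})>", message)
    if m is None or int(m.group(1)) > 191:
        raise ValueError("no valid PRI header")
    pri = int(m.group(1))
    return pri // 8, pri % 8


# Constructed from the snort capture in the thread: router .1 sends from
# ephemeral port 54139 to syslogd on .2 port 514, with PRI <187>.
CAPTURED = ("207.206.185.1", 54139,
            "<187>605488: Mar  8 14:11:42.073 CST: %LINK-3-UPDOWN: ...")

if __name__ == "__main__":
    ip, port, msg = CAPTURED
    print("without :* ->", peer_allowed(["207.206.185.1/27", "209.83.132.1/27"], ip, port))
    print("with    :* ->", peer_allowed(["207.206.185.1/27:*", "209.83.132.1/27:*"], ip, port))
    print("facility/severity ->", decode_pri(msg))  # 23 is local7
```

With the original flags the datagram from port 54139 is rejected; with `:*` it is accepted, which matches what Chuck saw once he applied Mike's change.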
Re: Syslog problem
Well, that seemed to work. I don't know why, but it did.

Thank you!

Chuck

On Sat, 8 Mar 2003, Michael K. Smith wrote:

> Hello Chuck:
>
> On Sat, 8 Mar 2003, Chuck Rock wrote:
>
> > For the last few versions of FreeBSD, I have not been able to get my syslog
> > to log my dial-up pool from my Cisco router.
> >
> > I changed the syslog startup flags in rc.conf.
> >
> > I'm running it now as /usr/sbin/syslogd -a 207.206.185.1/27 -a
> > 209.83.132.1/27
> >
>
> This might be your issue, because you haven't specified the service after
> your subnet. Try the following:
>
> /usr/sbin/syslogd -a 207.206.185.1/27:* -a 209.83.132.1/27:*
>
> Mike
Re: Syslog problem
According to the man page, that just specifies what port to listen on. By
default it's 514 syslog port.

I'll try it anyway. I'm up for anything at this point ;-)

Chuck

On Sat, 8 Mar 2003, Michael K. Smith wrote:

> Hello Chuck:
>
> On Sat, 8 Mar 2003, Chuck Rock wrote:
>
> > For the last few versions of FreeBSD, I have not been able to get my syslog
> > to log my dial-up pool from my Cisco router.
> >
> > I changed the syslog startup flags in rc.conf.
> >
> > I'm running it now as /usr/sbin/syslogd -a 207.206.185.1/27 -a
> > 209.83.132.1/27
> >
>
> This might be your issue, because you haven't specified the service after
> your subnet. Try the following:
>
> /usr/sbin/syslogd -a 207.206.185.1/27:* -a 209.83.132.1/27:*
>
> Mike
Re: Syslog problem
Hello Chuck:

On Sat, 8 Mar 2003, Chuck Rock wrote:

> For the last few versions of FreeBSD, I have not been able to get my syslog
> to log my dial-up pool from my Cisco router.
>
> I changed the syslog startup flags in rc.conf.
>
> I'm running it now as /usr/sbin/syslogd -a 207.206.185.1/27 -a
> 209.83.132.1/27
>

This might be your issue, because you haven't specified the service after
your subnet. Try the following:

/usr/sbin/syslogd -a 207.206.185.1/27:* -a 209.83.132.1/27:*

Mike
RE: Syslog problem
I also ran snort and found these packets coming into my FreeBSD box...

03/08-14:11:42.239335 207.206.185.1:54139 -> 207.206.185.2:514
UDP TTL:255 TOS:0x0 ID:15618 IpLen:20 DgmLen:131
Len: 111
3C 31 38 37 3E 36 30 35 34 38 38 3A 20 4D 61 72  <187>605488: Mar
20 20 38 20 31 34 3A 31 31 3A 34 32 2E 30 37 33    8 14:11:42.073
20 43 53 54 3A 20 25 4C 49 4E 4B 2D 33 2D 55 50   CST: %LINK-3-UP
44 4F 57 4E 3A 20 49 6E 74 65 72 66 61 63 65 20  DOWN: Interface
56 69 72 74 75 61 6C 2D 41 63 63 65 73 73 34 36  Virtual-Access46
2C 20 63 68 61 6E 67 65 64 20 73 74 61 74 65 20  , changed state
74 6F 20 64 6F 77 6E                             to down

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

03/08-14:11:42.239755 207.206.185.1:54139 -> 207.206.185.2:514
UDP TTL:255 TOS:0x0 ID:15619 IpLen:20 DgmLen:153
Len: 133
3C 31 38 39 3E 36 30 35 34 38 39 3A 20 4D 61 72  <189>605489: Mar
20 20 38 20 31 34 3A 31 31 3A 34 33 2E 30 37 33    8 14:11:43.073
20 43 53 54 3A 20 25 4C 49 4E 45 50 52 4F 54 4F   CST: %LINEPROTO
2D 35 2D 55 50 44 4F 57 4E 3A 20 4C 69 6E 65 20  -5-UPDOWN: Line
70 72 6F 74 6F 63 6F 6C 20 6F 6E 20 49 6E 74 65  protocol on Inte
72 66 61 63 65 20 56 69 72 74 75 61 6C 2D 41 63  rface Virtual-Ac
63 65 73 73 34 36 2C 20 63 68 61 6E 67 65 64 20  cess46, changed
73 74 61 74 65 20 74 6F 20 64 6F 77 6E           state to down

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

You can see I got the packets with local7 facility and one at Severity 3
and one at Severity 5.

The log files are still zero bytes.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck Rock
Sent: Saturday, March 08, 2003 1:24 PM
To: [EMAIL PROTECTED]
Subject: Syslog problem

For the last few versions of FreeBSD, I have not been able to get my syslog
to log my dial-up pool from my Cisco router.

I changed the syslog startup flags in rc.conf.

I'm running it now as /usr/sbin/syslogd -a 207.206.185.1/27 -a
209.83.132.1/27

The router is at .1 and configured to send its logging messages to local7

syslog.conf is configured like this.

*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
cron.*                                          /var/log/cron
local0.*                                        /var/log/local-0
local1.*                                        /var/log/local-1
local2.*                                        /var/log/local-2
local3.*                                        /var/log/local-3
local4.*                                        /var/log/local-4
local5.*                                        /var/log/local-5
local6.*                                        /var/log/local-6
local7.*                                        /var/log/cisco
etc...

None of the syslog files for local facilities gets data.

-rw-rw-r--  1 root  wheel  0 Mar  8 11:45 local-0
-rw-rw-r--  1 root  wheel  0 Mar  8 11:45 local-1
-rw-rw-r--  1 root  wheel  0 Mar  8 11:45 local-2
-rw-rw-r--  1 root  wheel  0 Mar  8 11:43 local-3
-rw-rw-r--  1 root  wheel  0 Mar  8 11:43 local-4
-rw-rw-r--  1 root  wheel  0 Mar  8 11:43 local-5
-rw-rw-r--  1 root  wheel  0 Mar  8 11:45 local-6
-rw-rw-r--  1 root  wheel  0 Mar  8 11:35 cisco

Yet I do see data coming into this machine on the syslog port using tcpdump.

tcpdump -w dumpfile1 -vvv port 514

kira(403):[/var/log]-#tcpdump -r dumpfile1
12:23:05.378296 gw.54139 > kira.epconline.net.syslog: udp 103
12:23:05.378540 gw.54139 > kira.epconline.net.syslog: udp 125
12:23:23.597642 gw.54139 > kira.epconline.net.syslog: udp 101
12:23:24.629645 gw.54139 > kira.epconline.net.syslog: udp 123
12:23:38.321355 gw.54139 > kira.epconline.net.syslog: udp 101
12:23:39.349425 gw.54139 > kira.epconline.net.syslog: udp 123
12:23:43.137243 gw.54139 > kira.epconline.net.syslog: udp 125
12:24:06.577077 gw.54139 > kira.epconline.net.syslog: udp 103
12:24:06.577266 gw.54139 > kira.epconline.net.syslog: udp 125

Cisco config...

!
logging 207.206.185.2
gw(config)#logging facility local7

I did notice though while I was messing around with this stuff, this was
logged on one of my ssh sessions...

kira(416):[/etc]-#Mar  8 12:48:39.517 radiusd[6916] /usr/local/sbin/radiusd:users testing and DEFAULT not found
Mar  8 12:48:39.519 radiusd[6916] Authenticate: gw1645, id=54: Neither User Nor Default Name: testing

This is the logging information from the router which should be going to a
file in /var/log

I grep'd for radiusd from /var/log/* and got no results.

Does anyone have any ideas? Any suggestions? I really need to get my Cisco
logging working.

Thanks,
Chuck Rock
Internet Services Manager
EPC, Inc.
http://www.epcu
Syslog problem
For the last few versions of FreeBSD, I have not been able to get my syslog
to log my dial-up pool from my Cisco router.

I changed the syslog startup flags in rc.conf.

I'm running it now as /usr/sbin/syslogd -a 207.206.185.1/27 -a
209.83.132.1/27

The router is at .1 and configured to send its logging messages to local7

syslog.conf is configured like this.

*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
lpr.info                                        /var/log/lpd-errs
cron.*                                          /var/log/cron
local0.*                                        /var/log/local-0
local1.*                                        /var/log/local-1
local2.*                                        /var/log/local-2
local3.*                                        /var/log/local-3
local4.*                                        /var/log/local-4
local5.*                                        /var/log/local-5
local6.*                                        /var/log/local-6
local7.*                                        /var/log/cisco
etc...

None of the syslog files for local facilities gets data.

-rw-rw-r--  1 root  wheel  0 Mar  8 11:45 local-0
-rw-rw-r--  1 root  wheel  0 Mar  8 11:45 local-1
-rw-rw-r--  1 root  wheel  0 Mar  8 11:45 local-2
-rw-rw-r--  1 root  wheel  0 Mar  8 11:43 local-3
-rw-rw-r--  1 root  wheel  0 Mar  8 11:43 local-4
-rw-rw-r--  1 root  wheel  0 Mar  8 11:43 local-5
-rw-rw-r--  1 root  wheel  0 Mar  8 11:45 local-6
-rw-rw-r--  1 root  wheel  0 Mar  8 11:35 cisco

Yet I do see data coming into this machine on the syslog port using tcpdump.

tcpdump -w dumpfile1 -vvv port 514

kira(403):[/var/log]-#tcpdump -r dumpfile1
12:23:05.378296 gw.54139 > kira.epconline.net.syslog: udp 103
12:23:05.378540 gw.54139 > kira.epconline.net.syslog: udp 125
12:23:23.597642 gw.54139 > kira.epconline.net.syslog: udp 101
12:23:24.629645 gw.54139 > kira.epconline.net.syslog: udp 123
12:23:38.321355 gw.54139 > kira.epconline.net.syslog: udp 101
12:23:39.349425 gw.54139 > kira.epconline.net.syslog: udp 123
12:23:43.137243 gw.54139 > kira.epconline.net.syslog: udp 125
12:24:06.577077 gw.54139 > kira.epconline.net.syslog: udp 103
12:24:06.577266 gw.54139 > kira.epconline.net.syslog: udp 125

Cisco config...

!
logging 207.206.185.2
gw(config)#logging facility local7

I did notice though while I was messing around with this stuff, this was
logged on one of my ssh sessions...

kira(416):[/etc]-#Mar  8 12:48:39.517 radiusd[6916] /usr/local/sbin/radiusd:users testing and DEFAULT not found
Mar  8 12:48:39.519 radiusd[6916] Authenticate: gw1645, id=54: Neither User Nor Default Name: testing

This is the logging information from the router which should be going to a
file in /var/log

I grep'd for radiusd from /var/log/* and got no results.

Does anyone have any ideas? Any suggestions? I really need to get my Cisco
logging working.

Thanks,
Chuck Rock
Internet Services Manager
EPC, Inc.
http://www.epcusa.com