Super Advisor
himacs
Posts: 611
Registered: ‎01-27-2009
Message 1 of 7 (823 Views)
Accepted Solution

syslog port issue

Hi Admins,


HPUX 11.31


Syslog server is not discovering hpux systems as clients. When checked in hpux servers found below comment.


#cat /etc/services|grep 514
shell        514/tcp  cmd            # remote command, no passwd used
syslog       514/udp                 # remote system logging#


#netstat -an|grep 514
tcp        0      0  *.514                  *.*                     LISTEN

 

/etc/services shows port 514 for syslog is UDP and the same port is used for shell by TCP.
And netstat shows TCP is listening on port 514.
Because of this the syslog server is not able to communicate with the client.

 

I think we can disable the (remshd) service, so TCP stops using 514 and UDP can use it. My second option is to map a different port to syslog.

Please guide me on how to make UDP listen on port 514 instead of TCP.

 

Regards

himacs

Super Advisor
himacs
Posts: 611
Registered: ‎01-27-2009
Message 2 of 7 (811 Views)

Re: syslog port issue

I tried stopping the shell service and commented it out in /etc/services also. But still syslogd is not using the port.

Honored Contributor
Patrick Wallek
Posts: 13,774
Registered: ‎06-21-2000
Message 3 of 7 (796 Views)

Re: syslog port issue

>>Syslog server is not discovering hpux systems as clients

 

I'm not sure what you mean by this.

 

Typically a syslog server receives information from other servers and really does nothing else.  Basically all of your HP-UX servers must have syslog configured so that it sends its syslog messages to your syslog server.  This is done via the /etc/syslogd.conf file.

 

In order to send emergency level and higher messages to a remote server (IP 1.2.3.4 for example), you must put the following in your syslog.conf file:

*.emerg		@1.2.3.4

NOTE: The syslog.conf file can only have TAB between fields, NOT spaces.

 

There are numerous threads in the forums regarding syslog configuration.

 

Also, as far as TCP vs. UDP ports go they are completely separate ports.  You can have port 514 running on both TCP and UDP at the same time without any problems whatsoever.  While it is a good idea to disable the shell service, it is not required in order for remote syslog to work.

 

Super Advisor
himacs
Posts: 611
Registered: ‎01-27-2009
Message 4 of 7 (786 Views)

Re: syslog port issue

Hi Patrick,

 

Thanks for the response.

 

>>Syslog server is not discovering hpux systems as clients

 

Syslog server (Linux) is not able to communicate with the hpux server, so logs from hpux are not forwarding to the syslog server.

 

Actual issue was udp port is not communicating with 514 port. When I modified the SYSLOGD_OPTS="-D -N" in the /etc/rc.config.d/syslogd file, UDP started listening to 514. Actually I removed the -N parameter. It was blocking the system with listening UDP to 514 port.

 

#netstat -an|grep 514
udp        0      0  *.514                  *.*

 

 

Is it necessary to configure syslog-ng in the hpux 11.31 client to forward logs to the syslog server?

 

Regards

himacs

 

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 5 of 7 (779 Views)

Re: syslog port issue

It is not necessary for the HP-UX system to listen on UDP port 514 in order to send logs to the remote syslog server.

 

When you removed the -N parameter, you effectively made the HP-UX system into *another* syslog server. But if there are no syslog clients configured to send logs to the HP-UX, then the HP-UX will receive no logs from any remote clients.

 

The syslog protocol does not include any mechanism for the syslog server to actively "discover" clients nor to "pull" logs from the syslog clients - the server can only passively wait & accept what is "pushed" to it by the clients.

 

If you need the HP-UX to send logs to a syslog server in another host, you must configure /etc/syslog.conf on the HP-UX host as described by Patrick.


When a remote syslog server is listed in /etc/syslog.conf in HP-UX, the syslog daemon will "push" the logs to the remote server if the facility/severity of the log message is included in the selector specification on the /etc/syslog.conf line. The syslog daemon will not hold a port open constantly for sending - whenever it needs to send a log message, it will instantly open an UDP port, send the message, and then close it. This will happen so fast that you're unlikely to catch it in a "netstat" listing unless you configure your system to send a very large number of log messages. (Remember that UDP ports do not have _WAIT states like TCP ports have.)

MK
Super Advisor
himacs
Posts: 611
Registered: ‎01-27-2009
Message 6 of 7 (775 Views)

Re: syslog port issue

 

Thanks MK and Patrick for solving my doubts.

 

I was thinking due to the -N option in the hpux server, UDP is not able to communicate with port 514. It's not pushing logs to the syslog server.

 

Now I have reconfigured the syslog.conf and it worked.

 

I think the issue was with spaces used in the syslog.conf file instead of tabs (not sure).

 

Old conf file :

 

mail.debug              /var/adm/syslog/mail.log
*.info;mail.none        /var/adm/syslog/syslog.log
*.alert                 /dev/console
*.alert                 root
*.emerg                 *
*.alert;*.info;*.emerg;mail.none  @1.2.3.4

 

New conf file :

 

mail.debug      /var/adm/syslog/mail.log
*.info;mail.none        /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *
*.notice;*.info        @1.2.3.4

*.debug        @1.2.3.4

 

 

Is there any mismatch in old conf file..other than space issue...?

 

Regards

himacs

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 7 of 7 (770 Views)

Re: syslog port issue

Your new configuration looks workable, but remember that all the priority specifiers automatically include the higher priorities as well. If you specify *.info, there will be no point in specifying *.notice too, as *.info will automatically include *.notice.

 

And *.debug will include absolutely everything, since "debug" is the lowest priority specifier.

 

So, if you want to forward everything to the syslog server, the "*.debug        @1.2.3.4" line does that. If you use that line, you don't need the previous "*.notice;*.info        @1.2.3.4" line at all.

MK
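
The two configuration points raised in this thread (the TAB-only separator Patrick notes, and a priority selector covering all higher priorities as MK explains) can be checked mechanically. The following is an added example, not code from any poster or from HP; the function names `sample_conf` and `lint_syslog_conf` are hypothetical, the sample input is constructed, and the script assumes the eight classic priority names.

```shell
#!/bin/sh
# Constructed sample: line 2 uses spaces as the separator, and the
# wildcard selectors on line 3 are already covered by *.debug on line 4.
sample_conf() {
    printf 'mail.debug\t/var/adm/syslog/mail.log\n'
    printf '*.alert  /dev/console\n'
    printf '*.notice;*.info\t@1.2.3.4\n'
    printf '*.debug\t@1.2.3.4\n'
}

# Reads a syslog.conf on stdin and prints findings as LINE:CODE:detail.
#   SPACE_SEP  selector and action are separated by spaces, not only TAB
#   REDUNDANT  a wildcard selector is covered by a lower-priority wildcard
#              selector that has the same action
lint_syslog_conf() {
    awk '
    BEGIN { n = split("debug info notice warning err crit alert emerg", name, " ")
            for (i = 1; i <= n; i++) rank[name[i]] = i }   # debug is lowest
    /^[ \t]*#/ || /^[ \t]*$/ { next }                      # comments, blanks
    {
        sub(/^[ \t]+/, "")
        if (!match($0, /[ \t]+/)) next                     # no action field
        sel = substr($0, 1, RSTART - 1)
        sep = substr($0, RSTART, RLENGTH)
        act = substr($0, RSTART + RLENGTH)
        if (index(sep, " ")) printf "%d:SPACE_SEP:%s\n", NR, sel
        m = split(sel, part, ";")
        for (i = 1; i <= m; i++) {
            pr = substr(part[i], 3)
            if (substr(part[i], 1, 2) == "*." && (pr in rank)) {
                k++; ln[k] = NR; rk[k] = rank[pr]; ac[k] = act
                if (!(act in low) || rank[pr] < low[act]) low[act] = rank[pr]
            }
        }
    }
    END {
        for (j = 1; j <= k; j++)
            if (rk[j] > low[ac[j]])
                printf "%d:REDUNDANT:*.%s covered by *.%s\n", ln[j], name[rk[j]], name[low[ac[j]]]
    }'
}

sample_conf | lint_syslog_conf
```

Run against a real file with `lint_syslog_conf < /etc/syslog.conf`; an empty result means neither problem was found.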