Results 1 to 2 of 2

Thread: Syslog issue

  1. #1
    Join Date
    May 2008
    Beans
    3

    Syslog issue

    Hello

    im trying to use syslog to relay messages from network devices such as juniper ssg and fortinet firewall and im having this odd problem
    when writing the logs locally everything get written both local events and device events (juniper fortinet) now when im configuring the syslog server to relay the messages to a seim system
    (*.debug @ipaddress ) where the ip address is my seim system i only receive the local Linux events of the syslog server all the events from my juniper and fortinet are gone nothing from those devices gets relayed i used tcpdump (my syslog machine has only one NIC) and i cant see the events coming to my syslog server
    if i change back the configuration of the syslog server to write the logs locally (*.debug /var/log/all.log) everything gets written to the log file including the events from my juniper and fortinet i dont know what to do if anyone has ANY idea ill be most thankful

  2. #2
    Join Date
    May 2008
    Location
    Eugene, OR, USA
    Beans
    435

    Re: Syslog issue

    From the syslogd manual page:

    Code:
           -h     By  default  syslogd  will not forward messages it receives from
                  remote hosts.  Specifying this switch on the command  line  will
                  cause  the log daemon to forward any remote messages it receives
                  to forwarding hosts which have been  defined.   This  can  cause
                  syslog  loops  that fill up hard disks quite fast and thus needs
                  to be used with caution.
    So edit /etc/default/syslogd and add the "-h" option to the SYSLOGD variable. The configuration on your box will probably end up looking something like:

    Code:
    SYSLOGD="-r -h"
    Is there a reason why you don't have the Juniper and Fortinet devices log directly to your SEIM server? It seems weird to relay the events through your Linux box.

    Also, you might want to check out Syslog-NG (http://www.balabit.com/network-security/syslog-ng/). If you're looking at turning a Linux box into a central syslog server for your network, Syslog-NG is definitely the right way to go.
    Hal Pomeranz, Deer Run Associates
    [[ Various Linux/Unix related documents ]]
    [[ Command-Line Kung Fu blog ]]

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •