MonitorWare Knowledge Base

I need some help understanding how to go about troubleshooting my configuration from where I am, I am running rsyslog-3.18.1-2.fc9.x86_64 on Fedora Core 9 (Which you can probably tell from the version )

I confirmed the daemon is running and listening on port 514(UDP) with a netstat, I am relatively sure it is working.

I have a Pix 515 firewall I am trying to configure, I have logging configured to go to this server, but I don't see anything in any log file. I confirmed from the pix that the messages are leaving the Queue, the Syslog server just isnt processing anything.

What I need to know is how to troubleshoot this, is there any way to do any type of loopback testing on a syslog server? Or is there a flat simple config I could run on a second server running this same version of Rsyslog to try and confirm the host server is in fact listening and processing messages correctly? I simply have no knowledge base on this yet so I am having a hard time trying to figure out 'where' to start troubleshooting, as soon as I have a place to start I am sure I can figure this out.

Any additional information that would help I can post.. Thanks.

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

while not a direct reply to your question, this sounds like a firewall issue. did you open the port?

It's actually on the inside port, but that's ironically 'why' I am setting the syslog server up, I know my firewall configuration is wrong in a lot of areas.. Technically it 'works' but it's configured completely wrong. The firewall being the problem is entirely possible that is why I am looking for some way to test the syslog server, because honestly I have followed all the documentation I can find and either it's my firewall or something stupid I have overlooked.. I just don't know enough about how syslog works to intelligently troubleshoot the problem.

From the PIX I did a show logging and confirmed messages were logging, and a show logging queue and confirmed the messages were leaving the queue.. But where they are going who knows lol.

Hi,

I suggest you to stop the firewall once and then run rsyslog. If you find the logs in the file to which you are redirecting then we can finalize that the issue is in firewall.

If it did not happen then you have an error in configuring rsyslog.

Regards,
Prakash.

I'm not clear on what youa re saying to do.. Stop the firewall syslog? I did that but I am unclear on how that helps me isolate the problem..

Does anyone have a sample rsyslog.conf from a working server logging PIX traffic?

I think the problem is we are talking about different firewalls We talk about the firewall that (usually) is installed on the Linux box where you run rsyslog.

rgerhards wrote:I think the problem is we are talking about different firewalls We talk about the firewall that (usually) is installed on the Linux box where you run rsyslog.

I just figured that out when I read your other post lol.. I'm 99% sure you are right and that is what the problem is.. It's ALWAYS 1 simple thing that screws you isn't it? lol.

Yep! It was the port on the Linux firewall, I am getting all my events now

Now for the even more fun task of using this data to troubleshoot my PIX.. Thanks for all the help!

sonds good, so it seems to work

BTW: if you run vmware somewhere, you could get hold of a preconfigured syslog appliance from http://www.syslogappliance.de - this is the project I am currently working on

Rainer