how to disable UDP listening?

Moderator: rgerhards

Post by ifot » Mon Jul 16, 2007 3:48 pm

I run rsyslog without the -r option; however, it seems to listen on the udp/syslog port.

from ps:
root 7510 1 0 17:36 pts/1 00:00:00 /sbin/rsyslogd -n -e

and from lsof:
rsyslogd 7510 root cwd DIR 72,18 4096 2 /
rsyslogd 7510 root rtd DIR 72,18 4096 2 /
rsyslogd 7510 root txt REG 72,18 90056 425679 /sbin/rsyslogd
rsyslogd 7510 root mem REG 0,0 0 [heap] (stat: No such file or directory)
rsyslogd 7510 root DEL REG 72,18 828841 /var/run/nscd/dbsrtC4C
rsyslogd 7510 root mem REG 72,18 1491141 81132 /lib/libc-2.5.so
rsyslogd 7510 root mem REG 72,18 121246 81158 /lib/libpthread-2.5.so
rsyslogd 7510 root mem REG 72,18 72020 81189 /lib/libz.so.1.2.3
rsyslogd 7510 root mem REG 72,18 129767 81125 /lib/ld-2.5.so
rsyslogd 7510 root 0r CHR 1,3 3043 /dev/null
rsyslogd 7510 root 1u CHR 136,1 3 /dev/pts/1
rsyslogd 7510 root 2u CHR 136,1 3 /dev/pts/1
rsyslogd 7510 root 3u unix 0xf6d2c580 17919710 /dev/log
rsyslogd 7510 root 4u IPv6 17919715 UDP *:514
rsyslogd 7510 root 5u IPv4 17919716 UDP *:514

Any ideas?
RE: how to disable UDP listening?

Post by rgerhards » Mon Jul 16, 2007 3:51 pm

It binds the port if you have any forwarding rules (*.* @remote-host). However, it does not then listen on it. Can you please run it interactively in debug mode and post me the outcome (press Ctrl-C to terminate it)? Do this by adding -d -n to the command line.

Thanks,
Rainer

Post by ifot » Mon Jul 16, 2007 4:05 pm

Yes, I have a remote syslog server to which I forward some of the messages.

/sbin/rsyslogd -v
rsyslogd 1.16.0, compiled with:
FEATURE_PTHREADS (dual-threading)
FEATURE_REGEXP
FEATURE_LARGEFILE
FEATURE_NETZIP (syslog message compression)
SYSLOG_INET (Internet/remote support)

/sbin/rsyslogd -d -n
Starting.
-1210149184: Called init.
-1210149184: cfline(authpriv.* @a.b.c) - traditional PRI filter
-1210149184: symbolic name: * ==> 255
-1210149184: symbolic name: authpriv ==> 80
-1210149184: leading char in action: @
-1210149184: forwarding host: 'a.b.c:514/udp' template ' StdFwdFmt'
-1210149184: cfline(auth.* @a.b.c) - traditional PRI filter
-1210149184: symbolic name: * ==> 255
-1210149184: symbolic name: auth ==> 32
-1210149184: leading char in action: @
-1210149184: forwarding host: a.b.c:514/udp' template ' StdFwdFmt'
-1210149184: cfline(*.emerg *) - traditional PRI filter
-1210149184: symbolic name: emerg ==> 0
-1210149184: leading char in action: *
-1210149184: write-all template ' WallFmt'
-1210149184: Opened UNIX socket `/dev/log' (fd 3).
-1210149184: Opened 2 syslog UDP port(s).
Active selectors:
X X X X X X X X X X FF X X X X X X X X X X X X X X FORW: a.b.c
X X X X FF X X X X X X X X X X X X X X X X X X X X FORW: a.b.c
1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 WALL:

-1210149184: Template: Name=' TradFmt'
-1210149184: Entry(8060050): type 2, (FIELD), value: 'TIMESTAMP'
-1210149184: Entry(80600c8): type 1, (CONSTANT), value: ' '
-1210149184: Entry(8060138): type 2, (FIELD), value: 'HOSTNAME'
-1210149184: Entry(8060188): type 1, (CONSTANT), value: ' '
-1210149184: Entry(8060220): type 2, (FIELD), value: 'syslogtag'
-1210149184: Entry(8060270): type 2, (FIELD), value: 'msg' [drop last LF in msg]
-1210149184: Entry(80602c0): type 1, (CONSTANT), value: '
'
-1210149184: Template: Name=' WallFmt'
-1210149184: Entry(8060350): type 1, (CONSTANT), value: '
Message from syslogd@'
-1210149184: Entry(80603c0): type 2, (FIELD), value: 'HOSTNAME'
-1210149184: Entry(8060410): type 1, (CONSTANT), value: ' at '
-1210149184: Entry(80604a8): type 2, (FIELD), value: 'timegenerated'
-1210149184: Entry(80604f8): type 1, (CONSTANT), value: ' ...
'
-1210149184: Entry(8060548): type 2, (FIELD), value: 'syslogtag'
-1210149184: Entry(8060598): type 2, (FIELD), value: 'msg'
-1210149184: Entry(8060630): type 1, (CONSTANT), value: '
'
-1210149184: Template: Name=' StdFwdFmt'
-1210149184: Entry(80606a0): type 1, (CONSTANT), value: '<'
-1210149184: Entry(8060700): type 2, (FIELD), value: 'PRI'
-1210149184: Entry(8060750): type 1, (CONSTANT), value: '>'
-1210149184: Entry(80607e8): type 2, (FIELD), value: 'TIMESTAMP'
-1210149184: Entry(8060838): type 1, (CONSTANT), value: ' '
-1210149184: Entry(8060888): type 2, (FIELD), value: 'HOSTNAME'
-1210149184: Entry(80608d8): type 1, (CONSTANT), value: ' '
-1210149184: Entry(8060970): type 2, (FIELD), value: 'syslogtag'
-1210149184: Entry(80609c0): type 2, (FIELD), value: 'msg'
-1210149184: Template: Name=' StdUsrMsgFmt'
-1210149184: Entry(8060a50): type 1, (CONSTANT), value: ' '
-1210149184: Entry(8060ab0): type 2, (FIELD), value: 'syslogtag'
-1210149184: Entry(8060b00): type 2, (FIELD), value: 'msg'
-1210149184: Entry(8060b98): type 1, (CONSTANT), value: '
'
-1210149184: Template: Name=' StdDBFmt' [SQL-Format (MySQL)]
-1210149184: Entry(8060c50): type 1, (CONSTANT), value: 'insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (''
-1210149184: Entry(8060d28): type 2, (FIELD), value: 'msg'
-1210149184: Entry(8060d78): type 1, (CONSTANT), value: '', '
-1210149184: Entry(8060dc8): type 2, (FIELD), value: 'syslogfacility'
-1210149184: Entry(8060e18): type 1, (CONSTANT), value: ', ''
-1210149184: Entry(8060e78): type 2, (FIELD), value: 'HOSTNAME'
-1210149184: Entry(8060ec8): type 1, (CONSTANT), value: '', '
-1210149184: Entry(8060f60): type 2, (FIELD), value: 'syslogpriority'
-1210149184: Entry(8060fb0): type 1, (CONSTANT), value: ', ''
-1210149184: Entry(8061000): type 2, (FIELD), value: 'timereported' [Format as MySQL-Date]
-1210149184: Entry(8061050): type 1, (CONSTANT), value: '', ''
-1210149184: Entry(80610f0): type 2, (FIELD), value: 'timegenerated' [Format as MySQL-Date]
-1210149184: Entry(8061140): type 1, (CONSTANT), value: '', '
-1210149184: Entry(8061190): type 2, (FIELD), value: 'iut'
-1210149184: Entry(80611e0): type 1, (CONSTANT), value: ', ''
-1210149184: Entry(8061278): type 2, (FIELD), value: 'syslogtag'
-1210149184: Entry(80612c8): type 1, (CONSTANT), value: '')'

Allowed UDP Senders:
No restrictions set.

Allowed TCP Senders:
No restrictions set.
-1210149184: logmsg: syslog.info<46>, flags 5, from '', msg [origin software="rsyslogd" swVersion="1.16.0" x-pid="8015"][x-configInfo udpReception="No" udpPort="514" tcpReception="No" tcpPort="0"] restart
-1210149184: Message has legacy syslog format.
-1210149184: enqueueMsg: not yet running on multiple threads
-1210149184: restarted.
-1210149184: Debugging enabled, SIGUSR1 to turn off debugging.
-1210149184: Worker thread started with state 0.
-1210149184: ----------------------------------------
-1210149184: Calling select, active file descriptors (max 3): 3
-1210369136: singleWorker: queue EMPTY, waiting for next message.
-1210149184: DoDie called.
-1210149184: Select interrupted.
-1210149184: exiting on signal 2
-1210149184: logmsg: syslog.info<46>, flags 5, from '', msg [origin software="rsyslogd" swVersion="1.16.0" x-pid="8015"] exiting on signal 2.
-1210149184: Message has legacy syslog format.
-1210149184: EnqueueMsg signaled condition (0)
-1210149184: Initiating worker thread shutdown sequence...
-1210369136: Lone worker is running...
-1210369136: Worker thread terminates
-1210149184: Worker thread terminated.
-1210149184: Clean shutdown completed, bye.


(remote syslog host has been replaced with 'a.b.c' for privacy/security reasons)

Post by rgerhards » Mon Jul 16, 2007 4:47 pm

This is the important line:

-1210149184: Calling select, active file descriptors (max 3): 3

It tells you that it is listening on just one socket (/dev/log, I guess). So even though the UDP socket is bound, it is not used for listening. This is compatible with what stock syslogd does. Also, RFC 3164 recommends that syslog messages are emitted *from* port 514, and the only way to do that is by binding to that port.

I have to admit that I do not like all that very much. However, for the time being, rsyslog will follow these guidelines. But I think it will become a configurable option in post 2.0 releases.

HTH
Rainer
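
The distinction drawn in the post above (a UDP socket that is bound so forwarded messages leave from a fixed source port, yet is left out of the select set), as an added example that is not part of the original thread and is not rsyslog's code. It assumes Linux, uses ephemeral loopback ports instead of 514 so it runs without root, and the function name and messages are constructed for the illustration.

```python
import select
import socket

def demo_bound_but_not_selected():
    """Bind a UDP 'forwarding' socket, never select on it, and observe the effects."""
    # Stand-in for the remote syslog server (the thread's 'a.b.c').
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector.bind(("127.0.0.1", 0))
    collector.settimeout(2)

    # Forwarding socket, bound so outgoing packets carry a fixed source port.
    # rsyslog 1.16.0 binds 514; port 0 (ephemeral) is an assumption made here.
    fwd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    fwd.bind(("127.0.0.1", 0))
    fwd.settimeout(2)
    bound_port = fwd.getsockname()[1]

    # Local input standing in for /dev/log: the only descriptor selected on.
    local_in, local_out = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)

    # 1. Forward a message: the collector sees it arrive from the bound port.
    fwd.sendto(b"<86>constructed forwarded message", collector.getsockname())
    _, (_, source_port_seen) = collector.recvfrom(1024)

    # 2. Another sender addresses a datagram to the bound port.
    other = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    other.sendto(b"<13>constructed inbound datagram", ("127.0.0.1", bound_port))

    # 3. The main loop selects only on the local input, so nothing wakes it.
    ready, _, _ = select.select([local_in], [], [], 0.5)

    # 4. The kernel still queued the datagram on the bound socket. The daemon
    #    never reads it; MSG_PEEK is used here only to show that it is there.
    queued, _ = fwd.recvfrom(1024, socket.MSG_PEEK)

    for s in (collector, fwd, other, local_in, local_out):
        s.close()
    return {
        "bound_port": bound_port,
        "source_port_seen": source_port_seen,
        "selected_ready": ready,
        "queued_on_bound_socket": queued,
    }

if __name__ == "__main__":
    for key, value in demo_bound_but_not_selected().items():
        print(f"{key}: {value!r}")
```

This is why lsof reports UDP *:514 for a forward-only rsyslogd even though the daemon never processes inbound datagrams. A host firewall rule is what keeps such datagrams from reaching the bound socket at all.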

Post by ifot » Mon Jul 16, 2007 4:58 pm

Okie :-)
Thanks a lot for the whole clarification :-)