Summing up of private exchanges
I made a test, and have sent the debug trace to Rainer:
1. looked at /proc/kmsg and saw lots of iptables logs
2. reloaded rsyslog: kmsg empty, no logs!!
3. restarted rsyslog in debug mode (-c4 -d)
4. sent packets with `hping3 -S -p 113 <host-ip>`
5. looked at /proc/kmsg: saw it filled with some entries, then read (and emptied), then filled again, no logs written when it became empty.
6. C-c to rsyslog in debug mode to kill it: no logs
7. restarted rsyslog in normal mode (-c4): no logs. All my iptables logs are discarded.
The kernel logs I expect are basic iptables logs like this one (my host IP is hidden):
Feb 9 06:25:03 vm1 rsyslogd: [origin software="rsyslogd" swVersion="4.4.2" x-pid="7618" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type 'restart'.
Feb 9 06:25:03 vm1 kernel: Kernel logging (proc) stopped.
Feb 9 06:25:04 vm1 kernel: imklog 4.4.2, log source = /proc/kmsg started.
Feb 9 06:25:04 vm1 kernel: 92666.219857] LOGDROP : IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:
0b:ab:1c:5c:07:08:00 SRC=133.5.6.10 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=46 ID
=17280 DF PROTO=TCP SPT=56974 DPT=113 WINDOW=49640 RES=0x00 SYN URGP=0
Please note the sequence: first, rsyslog caught the HUP signal at 06:25:03. That's the result of the cron daily job (/etc/crontab). Then comes the first (of 80) lines of iptables logging at loglevel "debug" (-j LOG --log-level debug --log-prefix "LOGDROP : "). All iptables logs (and I suppose all messages with kernel facility, if any) are flushed after the rsyslog restart.
One would expect to find the logs in the debug trace. But there were none.
I was able to read the debug log while running rsyslog in debug mode, using the `tee` command, and while running the syn scan with hping3. And I did not see anything written as long as the scan was up. I saw some postfix logs, but nothing about kernel facility.
rsyslog runs as root:
VM1:~# ps aux|grep rsyslog
root 7618 0.0 0.1 68464 1736 ? Sl 18:27 0:00
/usr/sbin/rsyslogd -c4
One of the machines which is not logging kernel facility is vm1 (virtual machine).
VM1:~# uname -r
2.6.26-2-xen-amd64
This is a Debian Lenny. All my servers, virtual or not, are Lenny boxes. Rsyslog is version 3.18.6 on all machines, except vm1, currently running 4.4.2.
My backup server, ael03, is a Debian Lenny, as I said above, with rsyslog 3.18.6. Kernel facility is logged on this machine.
The differences I see between ael03 (the machine logging kernel facility) and the other machines (virtual domU's, as vm1 is, and physical dom0 hosts) are:
kernels : xen-amd64 for virtual machines and dom0's, 686 for the backup server
rsyslog usage : virtual machines and dom0's are sending all their logs to the backup server via stunnel (thanks to the rsyslog web site doc!) in addition to recording these log files on their own filesystem.
/etc/rsyslog.conf is basically the same for all machines (the one that logs kernel facility, and the others that do not). The backup machine loads ommail, in addition.
Replying to your previous post: all vm1 logs should be written to log files and sent to the backup server. That's the way it is for other facilities. E.g.: I have a /var/log/syslog file in the vm1 filesystem, and a /var/log/remote/vm1-syslog file in the ael03 (backup server) filesystem. And remember my first post: the first time I added the logging mode in my iptables rules, the logs were written to syslog (and kern.log) and sent to the backup server. I am sure of this, because I have a log analyser (fwanalog) running on the backup server. And, for now, I can only read ael03 iptables logs on the ael03 box (which should centralize all firewall logs).
Have you heard of weird things about xen, or amd64 kernels? I cannot understand what could be the differences between the box that is properly logging, and the others that do not.
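To check whether kernel-facility LOG entries actually reach a log file (and how many, per prefix and source), here is an added example in Python that is not part of the post or of rsyslog: a small parser for the iptables LOG line format quoted above. The sample log is constructed from the post's entries (DST keeps the post's placeholder), and the first record is display-wrapped exactly as it appears in the post, so the parser re-joins continuation lines first.

```python
import re
from collections import Counter
# Constructed sample modelled on the post's quoted entries (DST keeps the post's
# placeholder); the first LOGDROP record is display-wrapped as it was in the post.
SAMPLE_LOG = """\
Feb 9 06:25:04 vm1 kernel: 92666.219857] LOGDROP : IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:
0b:ab:1c:5c:07:08:00 SRC=133.5.6.10 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=46 ID
=17280 DF PROTO=TCP SPT=56974 DPT=113 WINDOW=49640 RES=0x00 SYN URGP=0
Feb 9 06:25:04 vm1 kernel: [92666.220311] LOGDROP : IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:0b:ab:1c:5c:07:08:00 SRC=133.5.6.10 DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=46 ID=17281 DF PROTO=TCP SPT=56975 DPT=113 WINDOW=49640 RES=0x00 SYN URGP=0
Feb 9 06:25:05 vm1 postfix/smtpd[1234]: connect from unknown[192.0.2.7]
"""

SYSLOG_LINE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<tag>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
KERNEL_TS = re.compile(r"^\[?\d+\.\d+\]\s*")  # printk timestamp, "[" possibly lost as in the post
KV_TOKEN = re.compile(r"^[A-Z]+=")            # IN=eth0, OUT=, ID=17280 ...

def unwrap(text):
    """Re-join display-wrapped continuation lines (no syslog timestamp) onto their record."""
    records = []
    for raw in text.splitlines():
        if SYSLOG_LINE.match(raw) or not records:
            records.append(raw)
        else:
            records[-1] += raw  # wraps split tokens ("ID" / "=17280"), so join without a space
    return records

def parse_iptables_log(line):
    """Parse one kernel LOG entry into its --log-prefix, KEY=VALUE fields and bare flags (DF, SYN); None otherwise."""
    m = SYSLOG_LINE.match(line)
    if not m or m.group("tag") != "kernel":
        return None
    tokens = KERNEL_TS.sub("", m.group("msg")).split()
    first_kv = next((i for i, t in enumerate(tokens) if KV_TOKEN.match(t)), None)
    if first_kv is None:
        return None
    entry = {"host": m.group("host"), "prefix": " ".join(tokens[:first_kv]).rstrip(" :"), "flags": set()}
    for tok in tokens[first_kv:]:
        if KV_TOKEN.match(tok):
            key, value = tok.split("=", 1)
            entry[key] = value  # empty values such as OUT= are kept as ""
        else:
            entry["flags"].add(tok)
    return entry

def summarize(text):
    """Count LOG entries per (prefix, SRC, PROTO, DPT): a quick check that kernel-facility lines reach the file."""
    counts = Counter()
    for entry in filter(None, map(parse_iptables_log, unwrap(text))):
        counts[(entry["prefix"], entry.get("SRC"), entry.get("PROTO"), entry.get("DPT"))] += 1
    return counts
```

Run `summarize(open("/var/log/kern.log").read())` on a box that should be logging; an empty Counter while /proc/kmsg keeps filling confirms the entries are being lost between imklog and the output files.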