Are you sure you restarted syslogd after modifying your config files?<br><br><span style="font-style: italic;">Yep. Several times. Ran syslog -d as well. It doesn't show as writing to a file.</span><br><br>Do you have a local firewall on your receiving server? I use
<br>shorewall so I had to add an explicit rule to allow udp 514 packets.<br><br><span style="font-style: italic;">Took iptables down. SELinux isn't even installed. I can see the UDP traffic coming in, but I can't get it to write to file.
<br></span><br><div><span class="gmail_quote">On 4/2/07, <b class="gmail_sendername">Claude Felizardo</b> <<a href="mailto:cafelizardo@gmail.com">cafelizardo@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On 3/30/07, Joel Witherspoon <<a href="mailto:joel.witherspoon@gmail.com">joel.witherspoon@gmail.com</a>> wrote:<br>> Hey all, I need some help.<br>><br>> I have a Pix FW using Local4.warning on UDP 514 and I want to send it to a
<br>> log file on my CentOS Linux server using Splunk. Syslog starts with the<br>> options -m 0 -r. I've config'd the syslog to send Local4.* to<br>> /var/log/pix.log. The Pix sends the syslog to the server and it shows in
<br>> Splunk as a UDP source, but I can't log the info to the file. I've tried<br>> debug using syslogd -d with no errors or traffic on, or to, that file.<br>><br>> Here's the file information and rights.
<br>> -rw-r--r-- 1 root root 0 Mar 29 15:52 pix.log<br>><br>> and the line from syslog.conf<br>><br>> # Log messages from the Pix Firewall<br>> local4.*<br>> /var/log/pix.log<br>><br>> Any help or insight would be much appreciated.
<br>><br><br>Don't know what Splunk is but I do something similar on my Mandriva machines.<br><br>Are you sure you restarted syslogd after modifying your config files?<br><br>Do you have a local firewall on your receiving server? I use
<br>shorewall so I had to add an explicit rule to allow udp 514 packets.<br><br>btw, from my router, I do a broadcast (last octet is 255) so any<br>machine listening to the syslog udp port will get the log messages.<br>The idea is to hide the IP of the logging machine so if someone breaks
<br>into your FW, they won't necessarily know where to look for the remote<br>logger.<br><br>Oh, another thing I do is send a copy of the logs to /dev/tty11 so I<br>can switch to that console and look at the last screen's worth of
<br>logs. But watch out, I think I crashed my server once when I left<br>it on tty11. Not sure if I had hit scroll lock before going to bed<br>and the kernel panicked when it ran out of buffers or perhaps it was<br>
when I was sharing the monitor with my desktop with one of those KVM<br>switches and my wife started hitting keys at random to swap computers.<br> I've since put the server in another room w/ a dedicated monitor.<br><br>
claude<br></blockquote></div><br>