Rebooted the syslog box. The Pix was correct, the syslog was not. <br><br><div><span class="gmail_quote">On 4/3/07, <b class="gmail_sendername">Claude Felizardo</b> <<a href="mailto:cafelizardo@gmail.com">cafelizardo@gmail.com
</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">so which machine did you reboot? The FW or the syslog server? Is Pix
<br>a brand or model? Did you change the if-eth0 on the FW or server?<br><br>If you had to change the IP on the server and the FW was sending to<br>the wrong IP, then consider using a broadcast address. You'll be able
<br>to capture the logs on any machine on the same subnet w/o having to<br>touch the FW. This makes it easy to migrate to a new server - you<br>can have as many as you want running at the same time, all capturing<br>the logs. Remember that UDP isn't as expensive as TCP which has the
<br>overhead of setting up and tearing down connections.<br><br>claude<br><br><br><br>On 4/3/07, Joel Witherspoon <<a href="mailto:joel.witherspoon@gmail.com">joel.witherspoon@gmail.com</a>> wrote:<br>> Wow. Just...wow. I made a total rook mistake from the "Why didn't I think of
<br>> this before?" file. I had to change the IP address in<br>> /etc/sysconfig/network-scripts/if-eth0 from DHCP to a<br>> static IP. Rebooted the box; now it works fine. I need a drink.<br>><br>><br>
> On 4/3/07, Claude Felizardo <<a href="mailto:cafelizardo@gmail.com">cafelizardo@gmail.com</a>> wrote:<br>> > On 4/2/07, Joel Witherspoon <<a href="mailto:joel.witherspoon@gmail.com">joel.witherspoon@gmail.com
</a>> wrote:<br>> > ><br>> > > Are you sure you restarted syslogd after modifying your config files?<br>> > ><br>> > > Yep. Several times. Ran syslog -d as well. It doesn't show as writing to
<br>> a<br>> > > file.<br>> > ><br>> > > Do you have a local local firewall on your receiving server? I use<br>> > > shorewall so I had to add an explicit rule to allow udp 514 packets.
<br>> > ><br>> > > Took iptables down. SELinux isn't even installed. I can see the UDP<br>> traffic<br>> > > coming in, but I can't get it to write to file.<br>> ><br>> > [snip]
<br>> ><br>> > Okay, just going through a check list here. Are you sure there is<br>> > space on the device? Permission problems? mounted read-only?<br>> ><br>> > perhaps there's an error in your config file. Are any of the other
<br>> > logs being updated? Here are my entries for my router:<br>> ><br>> > ## log router messages<br>> > local6.*<br>> > -/var/log/router.log<br>> > local6.* /dev/tty11<br>> >
<br>> > I believe the dash prefixed to the filename means syslogd should flush<br>> > after each write to prevent messages from getting lost during a crash.<br>> > Probably not needed and should not be used for a high rate log.
<br>> ><br>> > regarding iptables. with shorewall, even if you shut it down, it<br>> > still leaves some default rules that filter things out. Have you<br>> > tried a simple reboot? Perhaps something else got hosed?
<br>> ><br>> > claude<br>> ><br>><br>><br></blockquote></div><br>
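Added example, not code from anyone in this thread: a small Python model of the receiving path being debugged above. It parses the RFC 3164 PRI field of a UDP syslog datagram into facility and severity, routes it through sysklogd-style rules of the single-facility form Claude quoted (`local6.* -/var/log/router.log`), and treats the leading dash on a file action as "omit fsync after each write", which is its sysklogd meaning. The rules, datagrams and the `listen` helper are constructed for illustration.

```python
import re
import socket

# BSD syslog (RFC 3164) codes; the PRI value in "<N>" is facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_pri(datagram: bytes):
    """Split a datagram into (facility, severity, text); None if PRI is malformed."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:          # 191 = local7.debug, the largest legal PRI
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7, datagram[m.end():].decode("utf-8", "replace")

def parse_rule(line: str):
    """Parse one 'facility.severity action' line (single-facility selectors only).

    Returns (facility, max_severity_code, path, sync). A leading '-' on the action
    means sysklogd omits the fsync after each write; it does not force a flush.
    """
    selector, action = line.split(None, 1)
    fac, sev = selector.split(".", 1)
    sync = not action.startswith("-")
    max_sev = 7 if sev == "*" else SEVERITIES[sev]
    return FACILITIES[fac], max_sev, action.lstrip("-"), sync

def route(rules, datagram: bytes):
    """Return the action paths whose selector matches the datagram's facility/severity."""
    parsed = parse_pri(datagram)
    if parsed is None:
        return []
    fac, sev, _text = parsed
    # 'local6.err' selects err and everything more severe (lower code), like syslogd.
    return [path for rfac, rsev, path, _sync in rules if rfac == fac and sev <= rsev]

# Constructed rule set mirroring the two router lines quoted in the thread.
RULES = [parse_rule(l) for l in ["local6.* -/var/log/router.log", "local6.* /dev/tty11"]]

def listen(rules, host="0.0.0.0", port=514):
    """Receive UDP syslog and print the routing decision per datagram (514 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))
        while True:
            data, (src, _port) = s.recvfrom(8192)
            print(src, route(rules, data), parse_pri(data))

if __name__ == "__main__":
    listen(RULES)
```

Running this beside a firewall that is configured to log to local6 shows whether datagrams arrive and which rules they would hit, independent of the real syslogd's file handling.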