<html>
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:#606420;
text-decoration:underline;}
span.EmailStyle17
{font-family:Tahoma;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink="#606420">
<div class=Section1>
<div>
<div>
<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:9.5pt;
font-family:Verdana'>I'm trying to configure a ZyWALL 35 and syslog on an FC1
box for logging. The firewall's syslog settings are: <br>
<br>
Active [X]<br>
Syslog Server "FC1 box's private ip address"<br>
Log Facility Local1<br>
<br>
On the FC1 box, I edited /etc/rc.d/init.d/syslog.<br>
Specifically, the line:<br>
<br>
SYSLOGD_OPTIONS="-m 0 -r"<br>
<br>
I added the ' -r'.<br>
<br>
/etc/syslog.conf was also edited. The line:<br>
<br>
local1.* /var/log/zyxel/zw30.log<br>
<br>
was added to the bottom of the file. the directory /var/log/zyxel exists, and I
restarted the syslogd service. Even rebooted the system. The zw30.log file was
created, but it remains empty. The firewall log entries aren’t showing up
in 'messages' or any of the other logs either, not that they should. Ethereal
indicates that the firewall is attempting to send log entries to the syslog
server. The capture has packets like:<br>
<br>
Source Destination
Protocol Info<br>
-------------------------------------------------------------------------<br>
Firewall IP FC1 Box
IP Syslog Local1.info..<br>
FC1 Box IP Firewall
IP ICMP Dest.
host unreachable<br>
<br>
The packets show up in pairs...the Syslog and ICMP dest. host unreachable
packets. Likely related to the problems with syslogd not getting any logging
info from the firewall. The FC1 box is able to ping the firewall. Also, in the
firewall logs (on the firewall itself) are a lot of entries like:<br>
<br>
Time<br>
07/08/2004 15:51:55<br>
<br>
Message<br>
Unsupported/out-of-order ICMP: ICMP(type:3, code:3) <br>
<br>
Source<br>
FC1 Box IP<br>
<br>
Destination<br>
Firewall IP<br>
<br>
Note<br>
ACCESS BLOCK</span></font></p>
<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:9.5pt;
font-family:Verdana'> </span></font></p>
<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:9.5pt;
font-family:Verdana'>'man syslogd' on the FC1 box states that in addition to
starting with the '-r' option, the /etc/services file must have the line:<br>
<br>
'syslog 514/udp'<br>
<br>
That line is there. The man page says "If this entry is missing syslogd
neither can receive remote [syslog] messages nor send them, because the UDP
port can't be opened." According to NMap, 514/UDP doesn't appear to be
open, so this may be the problem. Later in the syslogd manual it states,
"The UDP socket used to forward messages to remote hosts or to receive
messages from them is only opened when it is needed." Perhaps the reason
NMap didn't detect 514/UDP as an open port? Earlier I disabled firewalling
features on the FC1 box altogether for testing purposes, so it's not an FC1 firewall
getting in the way.</span></font></p>
<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:9.5pt;
font-family:Verdana'> </span></font></p>
<p class=MsoNormal><font size=2 face=Verdana><span style='font-size:9.5pt;
font-family:Verdana'>Any suggestions/tips are much appreciated. Note that I
posted this to fedora-list because I think the issue is a config prob on the
FC1 box rather than on the firewall.</span></font></p>
</div>
</div>
</div>
</body>
</html>