FC1 syslogd configuration to accept remote messages

Ronald Nissley ronn at emm.org
Fri Jul 9 17:06:35 UTC 2004


I'm trying to configure a ZyWALL 35 and syslog on an FC1 box for
logging. The firewall's syslog settings are: 

Active [X]
Syslog Server "FC1 box's private ip address"
Log Facility Local1

On the FC1 box, I edited /etc/rc.d/init.d/syslog.
Specifically, the line:

SYSLOGD_OPTIONS="-m 0 -r"

I added the ' -r'.

/etc/syslog.conf was also edited. The line:

local1.*               /var/log/zyxel/zw30.log

was added to the bottom of the file. The directory /var/log/zyxel
exists, and I restarted the syslogd service. I even rebooted the system.
The zw30.log file was created, but it remains empty. The firewall log
entries aren't showing up in 'messages' or any of the other logs either,
not that they should. Ethereal indicates that the firewall is attempting
to send log entries to the syslog server. The capture has packets like:

Source          Destination      Protocol      Info
-------------------------------------------------------------------------
Firewall IP     FC1 Box IP       Syslog        Local1.info..
FC1 Box IP      Firewall IP      ICMP          Dest. host unreachable

The packets show up in pairs: the Syslog and ICMP dest. host
unreachable packets. This is likely related to the problem of syslogd not
getting any logging info from the firewall. The FC1 box is able to ping
the firewall. Also, in the firewall logs (on the firewall itself) are a
lot of entries like:

Time:         07/08/2004 15:51:55
Message:      Unsupported/out-of-order ICMP: ICMP(type:3, code:3)
Source:       FC1 Box IP
Destination:  Firewall IP
Note:         ACCESS BLOCK

'man syslogd' on the FC1 box states that in addition to starting with
the '-r' option, the /etc/services file must have the line:

'syslog              514/udp'

That line is there. The man page says "If this entry is missing syslogd
neither can receive remote [syslog] messages nor send them, because the
UDP port can't be opened." According to NMap, 514/UDP doesn't appear to
be open, so this may be the problem. Later in the syslogd manual it
states, "The UDP socket used to forward messages to remote hosts or to
receive messages from them is only opened when it is needed." Perhaps
that is the reason NMap didn't detect 514/UDP as an open port? Earlier I
disabled the firewalling features on the FC1 box altogether for testing
purposes, so it's not an FC1 firewall getting in the way.


Any suggestions/tips are much appreciated. Note that I posted this to
fedora-list because I think the issue is a config prob on the FC1 box
rather than on the firewall.
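An added example, not from the post and not ZyWALL or sysklogd code, showing the two pieces involved here: the PRI byte at the front of a BSD syslog datagram is what Ethereal decodes as "Local1.info" (facility 17 * 8 + severity 6 = 142), and the syslog.conf selector local1.* decides whether such a message is written to the zyxel log file. The hostname, tag, message text and the send_test_message() helper (which puts a test datagram on UDP 514 the way the firewall does, so the receiver can be checked from a known-good sender) are assumptions for the example.

```python
import re
import socket

# Facility and severity codes as used by BSD syslog (RFC 3164, section 4.1.1).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

def encode_pri(facility, severity):
    """PRI = facility * 8 + severity; local1.info gives 142."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def decode_pri(pri):
    """Inverse of encode_pri: 142 -> ('local1', 'info'), as the sniffer labels it."""
    fac = {v: k for k, v in FACILITIES.items()}[pri // 8]
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev

def build_message(facility, severity, timestamp, hostname, tag, text):
    """Assemble a BSD-syslog datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    return "<%d>%s %s %s: %s" % (encode_pri(facility, severity), timestamp, hostname, tag, text)

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_message(data):
    """Split a received datagram into facility, severity and body; None if malformed."""
    m = PRI_RE.match(data)
    if not m or int(m.group(1)) > 191:      # 23 * 8 + 7 is the largest legal PRI
        return None
    fac, sev = decode_pri(int(m.group(1)))
    return {"facility": fac, "severity": sev, "body": m.group(2)}

def selector_matches(selector, facility, severity):
    """Apply a syslog.conf selector ('local1.*', '*.err', 'mail.none') to a message.
    A bare priority selects that priority and everything more severe (lower number)."""
    sel_fac, sel_pri = selector.split(".", 1)
    if sel_fac != "*" and sel_fac != facility:
        return False
    if sel_pri in ("*", "none"):
        return sel_pri == "*"
    return SEVERITIES[severity] <= SEVERITIES[sel_pri]

def send_test_message(server_ip, message, port=514):
    """Send one datagram to the syslog server over UDP; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("ascii"), (server_ip, port))
```

With the receiver started with -r, a datagram sent from the FC1 box itself with send_test_message("127.0.0.1", build_message("local1", "info", ...)) should appear in the zyxel log; if it does, the listener and the syslog.conf line are fine and the remaining suspect is the path from the firewall.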
