
Re: help: syslogd on port 51



    According to "man syslogd", "By default syslogd will not forward 
messages it receives from remote hosts" unless you use the -h switch.
Maybe running syslogd in "m 0 -h -r" would work.  So far as port 51 is
concerned, I don't understand why the Cisco AP sends to it.  In the
original /etc/services you should find port 514 is for syslog, and
according to http://www.iana.org/assignments/port-numbers port 51
is assigned to la-maint.

On Wed, 25 Jun 2003, Daniel Grob wrote:

> 
> 
> Hi everybody,
> 
> I'm running RH 7.3 and I'm facing the following problem with it:
> 
> I have a Cisco AP that is configured to send syslog-messages to my
> RH-station, where syslogd is running (in "m 0 -r" mode).
> Unfortunately, the syslog-msgs never arrive at the RH-station. However, when I
> sniff the ethernet interface of the RH-station, I see the udp-packets of
> syslog comin' in (headin' for port 51) and I see that packets are being sent
> back, saying that udp port 51 is unreachable:
> 
> 09:56:24.216164 dhcp015010.mydomain.1120 > dhcp015043.mydomain.syslog:  udp 51
> 09:56:24.216215 arp who-has dhcp015010.mydomain tell dhcp015043.mydomain
> 09:56:24.216693 arp reply dhcp015010.mydomain is-at MAC-address
> 09:56:24.216706 dhcp015043.mydomain > dhcp015010.mydomain: icmp: dhcp015043.mydomain udp port syslog unreachable [tos 0xc0]
> 09:56:24.543660 dhcp015010.mydomain.1121 > dhcp015043.mydomain.syslog:  udp 50
> 09:56:24.543724 dhcp015043.mydomain > dhcp015010.mydomain: icmp: dhcp015043.mydomain udp port syslog unreachable [tos 0xc0]
> 09:56:24.543681 dhcp015010.mydomain.1122 > dhcp015043.mydomain.syslog:  udp 50
> 09:56:24.543739 dhcp015043.mydomain > dhcp015010.mydomain: icmp: dhcp015043.mydomain udp port syslog unreachable [tos 0xc0]
> 
> So the AP tries udp 51 first and then some ports around there.
> I also entered that port into /etc/services for syslog...
> 
> Here's the same from tethereal:
> tethereal -Nt -i eth0
> 
>   7.225867 <aPIP> -> <myIP> Syslog KERN.INFO: Asterix (Info): Backbone Con...
>   7.225907 <myIP> -> <aPIP> ICMP Destination unreachable
>   7.565259 <aPIP> -> <myIP> Syslog KERN.INFO: Asterix (Info): Stopped driv...
>   7.565332 <myIP> -> <aPIP> ICMP Destination unreachable
>   7.565294 <aPIP> -> <myIP> Syslog KERN.INFO: Asterix (Info): Started driv...
>   7.565348 <myIP> -> <aPIP> ICMP Destination unreachable
>  
> I was pretty puzzled seeing it using port 51 (instead of 514). But for some
> reason the AP and syslog (as netstat shows) both use that port, so I assumed
> that ought to be correct and that my man page is not up to date or sth. like
> that....
> 
> 
> I've checked everything I could think of:
> 
> -I've turned off ipchains.
> 
> -I checked with netstat -planu , which gives me the following:    
>  udp        0      0 0.0.0.0:51              0.0.0.0:*          634/syslogd
> 
> and
> 
> netstat -na|grep -E 'Proto|51'|more
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> udp        0      0 0.0.0.0:51              0.0.0.0:*
> Proto RefCnt Flags       Type       State         I-Node Path
> unix  3      [ ]         STREAM     CONNECTED     1851
> 
> 
> 
> -I've checked /etc/services:
>  syslog          51/udp
> 
> - the configuration of etc/syslog.conf is
>    *.* /var/log/cisco.log
> 
> What is strange though, is the outcome of nmap -sU localhost:
> 51/udp     open        la-maint
> 
> I found out that la-maint is a logical address maintainer for IMP, whatever
> that is...
> 
> I don't know whether la-maint is conflicting (and thus the syslog packets never
> arrive) or whether la-maint is just a bad guess of nmap.
> 
> That's all the diagnosis I have performed so far, but I still
> don't know why that port is unreachable for the syslog-packets coming from the AP.
>  
> I also let the AP send the syslogs to a debian machine. Worked just fine...
> 
> Does anybody have an idea, why syslogd and the AP use port 51 instead of 514 and
> why the packets can't reach port 51 on my machine?
> 
> Thanks in advance
> 
> Daniel
> 
> 
> _______________________________________________
> Valhalla-list mailing list
> Valhalla-list redhat com
> https://www.redhat.com/mailman/listinfo/valhalla-list
> 

-- 
Steven Yellin
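
An added example, not part of either message: a small Python check for reading the capture and the services entry quoted above. In the classic tcpdump summary format shown in the thread, the destination port is the name after the last dot of the destination and the number after `udp` is the payload length in bytes. The sample inputs are constructed from the quoted output; the function names are hypothetical, and the premise that syslogd takes its UDP port from the `syslog/udp` services entry is an assumption, consistent with the netstat output in the question.

```python
import re

# Constructed inputs, shaped like the output quoted in the thread.
CAPTURE = """\
09:56:24.216164 dhcp015010.mydomain.1120 > dhcp015043.mydomain.syslog:  udp 51
09:56:24.216706 dhcp015043.mydomain > dhcp015010.mydomain: icmp: dhcp015043.mydomain udp port syslog unreachable [tos 0xc0]
09:56:24.543660 dhcp015010.mydomain.1121 > dhcp015043.mydomain.syslog:  udp 50
"""
SERVICES = "syslog          51/udp\n"   # the edited /etc/services entry
STANDARD_SYSLOG_UDP = 514               # per the reply: port 514 is for syslog

# time  src.sport > dst.dport:  udp LENGTH
UDP_LINE = re.compile(r"^\S+ (\S+)\.([\w-]+) > (\S+)\.([\w-]+):\s+udp (\d+)$")

def parse_udp_line(line):
    """Split a classic tcpdump UDP summary line; return None for other lines."""
    m = UDP_LINE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, length = m.groups()
    return {"src": src, "sport": sport, "dst": dst,
            "dport": dport, "length": int(length)}

def service_port(services_text, name, proto):
    """Look up name/proto in services-file text, honouring aliases and comments."""
    for raw in services_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, entry_proto = fields[1].split("/", 1)
            if entry_proto == proto and name in [fields[0]] + fields[2:]:
                return int(port)
    return None

def diagnose(capture, services_text):
    """Report datagram lengths seen toward 'syslog' and the configured port."""
    pkts = [p for p in map(parse_udp_line, capture.splitlines()) if p]
    bound = service_port(services_text, "syslog", "udp")
    return {
        "payload_lengths": [p["length"] for p in pkts if p["dport"] == "syslog"],
        "syslog_udp_in_services": bound,
        "matches_standard": bound == STANDARD_SYSLOG_UDP,
    }

if __name__ == "__main__":
    print(diagnose(CAPTURE, SERVICES))
```
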



