I just did some testing, and while the port is definitely opened by syslogd, it doesn't look like it's actually handling or logging any activity directed to it on UDP 514. You can verify this by sending data with netcat:

    topher@nexus:~$ nc -u localhost 514
    This is a test.
    This is another test.
    ^C

And then checking the logfile. I tested it on two RHEL5 boxes, and if -r isn't used, it won't actually process the logs.
Update: Another solution (or, really, work-around) that I just thought of would be to install rsyslog (or syslog-ng) as a replacement syslog daemon for the default sysklogd. Neither of these alternate syslog daemons suffer from the bug described above.
rsyslog is the default syslog daemon with RHEL 6.x, and is available as a supported package for RHEL/CentOS 5.2+. rsyslog is under active development (sysklogd is not, and hasn't been for years). rsyslog also supports many advanced features and functionality. As mentioned, with RHEL/CentOS 5.2+, switching from the stock syslogd to rsyslog is as easy as yum install rsyslog.
If you do decide on replacing your syslog daemon, and you want something cleaner and more flexible (in my opinion), Syslog-NG is worth taking a look at. The config file doesn't maintain backwards compatibility with the old syslog.conf (rsyslog does), so it can seem a little complicated at first glance, but for complex or advanced logging setups (especially at a central loghost), Syslog-NG is an excellent choice.
According to rsyslog's documentation the gtls driver supports EITHER unencrypted transmission just like the ptcp driver does with InputTCPServerStreamDriverMode set to 0, or TLS mode with it set to 1.
It also states:
Note: mode 0 does not provide any benefit over the ptcp driver. This mode exists for technical reasons, but should not be used. It may be removed in the future.
Thus it appears you have to choose encrypted or not encrypted, at least for a particular IP address+port combination. So you will have to set up two ports, one using the ptcp driver, and one with the gtls driver. Or if every system you have logging supports encryption, only use encrypted syslog connections.
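As an added example (not taken from any of the answers here), this is what the two-listener setup described above looks like in rsyslog's legacy directive syntax: plain TCP via imptcp on one port, TLS via imtcp with the gtls driver on another. The port 6514, the certificate paths and the permitted-peer pattern are assumptions; adjust them to your loghost.

```conf
# --- Listener 1: unencrypted TCP on 514 (ptcp driver) ---
# For senders that cannot do TLS. Nothing on this port is
# authenticated, so restrict reachability with a host firewall
# and migrate senders to the TLS listener as they gain support.
$ModLoad imptcp
$InputPTCPServerRun 514

# --- Listener 2: TLS on 6514 (gtls driver) ---
$ModLoad imtcp
$DefaultNetstreamDriver gtls

# Server identity and the CA that signed the clients' certificates
# (assumed paths; the files must be readable by the rsyslog user).
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/loghost-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/loghost-key.pem

# Mode 1 = TLS. Mode 0 would be plaintext over gtls, which the
# rsyslog docs say not to use; the ptcp listener above covers that.
$InputTCPServerStreamDriverMode 1

# Require client certificates and only accept peers whose
# certificate name matches this pattern (assumed domain).
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.com

$InputTCPServerRun 6514
```

The two listeners must be on different ports because the driver mode is fixed per listener, which is exactly the constraint the answer above describes.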
Best Answer
In your /etc/rsyslog.conf:
Then in your rsyslogd start options (/etc/sysconfig/rsyslog on RHEL-based distros, not sure where it resides in Debian-based ones), you need to add -r514 to SYSLOGD_OPTIONS.