Remote Logging with syslogd on Ubuntu 18.04.2 LTS – Troubleshooting Guide


So, I'm playing with centralized logging and I just cannot get syslogd to send the messages to a remote syslog server.

Background:

The syslog server is set up and working, tested with other devices sending logs into it.

Networking: both server and client reside in the same subnet, firewalls are off on the server, and from what I can tell Ubuntu has no firewall configured. Tested that 514 is open on the server from the client and got a successful connection.

Setup/test process:

syslogd didn't seem to exist on my install, so I installed it:

sudo apt-get install -y inetutils-syslogd

Modified the config file /etc/syslogd.conf to include 2 lines:

*.* /home/lee/test
*.* @10.120.1.20

Saved and reloaded syslogd by sending the hangup signal:

killall -s SIGHUP syslogd

Testing with the logger command:

logger "test"

This inserts lines into the local file, but nothing gets to the server.

Tried setting up a tcpdump on 512 outbound to see if anything is going through:

tcpdump -n -s 1500 -X port 514 -w /home/lee/tcpdump.pcap

The file is empty. Tried tracing the PID as such:

strace -s 500 -tfp 188341 -o /home/lee/strace_syslog

The output of the file indicates it sees the test messages and writes to some outputs, but nothing seems to indicate writing out to the remote syslog address…

1446  10:27:52 restart_syscall(<... resuming interrupted poll ...>) = 1
1446  10:28:03 recvfrom(21, "<13>May 18 10:28:03 lee: test", 1024, 0, 0x7ffd918070e0, [110->0]) = 29
1446  10:28:03 rt_sigprocmask(SIG_BLOCK, [HUP ALRM], [], 8) = 0
1446  10:28:03 writev(22, [{iov_base="May 18 10:28:03", iov_len=15}, {iov_base=" ", iov_len=1}, {iov_base="ubuntu-docker", iov_len=13}, {iov_base=" ", iov_len=1}, {iov_base="lee: test", iov_len=9}, {iov_base="\n", iov_len=1}], 6) = 40
1446  10:28:03 writev(20, [{iov_base="May 18 10:28:03", iov_len=15}, {iov_base=" ", iov_len=1}, {iov_base="ubuntu-docker", iov_len=13}, {iov_base=" ", iov_len=1}, {iov_base="lee: test", iov_len=9}, {iov_base="\n", iov_len=1}], 6) = 40
1446  10:28:03 writev(11, [{iov_base="May 18 10:28:03", iov_len=15}, {iov_base=" ", iov_len=1}, {iov_base="ubuntu-docker", iov_len=13}, {iov_base=" ", iov_len=1}, {iov_base="lee: test", iov_len=9}, {iov_base="\n", iov_len=1}], 6) = 40
1446  10:28:03 writev(6, [{iov_base="May 18 10:28:03", iov_len=15}, {iov_base=" ", iov_len=1}, {iov_base="ubuntu-docker", iov_len=13}, {iov_base=" ", iov_len=1}, {iov_base="lee: test", iov_len=9}, {iov_base="\n", iov_len=1}], 6) = 40
1446  10:28:03 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
1446  10:28:03 poll([{fd=3, events=POLLIN|POLLPRI}, {fd=21, events=POLLIN|POLLPRI}], 2, -1) = ? ERESTART_RESTARTBLOCK (Interrupted by signal)
1446  10:28:10 --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
1446  10:28:10 alarm(30)                = 0
1446  10:28:10 rt_sigreturn({mask=[]})  = -1 EINTR (Interrupted system call)
1446  10:28:10 poll([{fd=3, events=POLLIN|POLLPRI}, {fd=21, events=POLLIN|POLLPRI}], 2, -1) = ? ERESTART_RESTARTBLOCK (Interrupted by signal)
1446  10:28:40 --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
1446  10:28:40 alarm(30)                = 0
1446  10:28:40 rt_sigreturn({mask=[]})  = -1 EINTR (Interrupted system call)

What have I missed???

I just cannot get it to output to a remote host…. From my testing I am confident that it is a configuration issue in /etc/syslogd.conf but I cannot see what!

Best Answer

If you want to force your local syslogd to forward messages, restart it with

-h, --hop
    Enable forwarding remote messages. By default syslogd will not forward
    messages it receives from remote hosts.
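Once syslogd has been restarted with forwarding enabled, the quickest way to confirm end-to-end delivery is to watch the receiving side rather than the sender. The following Python script is an added example, not part of the original question or answer: it binds a UDP listener on the loopback interface, sends a datagram in the same RFC 3164 wire format that the strace recvfrom() line shows (`<13>May 18 10:28:03 lee: test`), and decodes the `<PRI>` header on receipt. The sample datagram is the one from the strace output; the listener port is assumed to be an ephemeral port chosen by the kernel, where a real check on the collector host would bind 514.

```python
"""Loopback check for syslog UDP forwarding and RFC 3164 PRI decoding.

Added example (not from the original post): sends a datagram in the same
wire format that strace showed arriving from logger and decodes the <PRI>
header when it is received, so delivery and priority can both be verified.
"""
import socket

# RFC 3164 facility codes 0-23 and severity codes 0-7.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(msg: str):
    """Split an RFC 3164 message into (facility, severity, rest).

    PRI is '<' + decimal + '>' where decimal = facility * 8 + severity,
    so '<13>' is user(1) * 8 + notice(5), which is logger's default priority.
    """
    if not msg.startswith("<"):
        raise ValueError("missing PRI header")
    end = msg.find(">", 1)
    if end < 2 or end > 4 or not msg[1:end].isdigit():
        raise ValueError("malformed PRI header")
    pri = int(msg[1:end])
    if pri > 191:  # 23 * 8 + 7 is the largest valid value
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], msg[end + 1:]


def loopback_forward_check(payload: bytes, timeout: float = 2.0):
    """Send payload to a UDP listener on 127.0.0.1 and decode what arrives.

    Binding port 0 lets the kernel pick a free port (assumption: a real
    check binds 514 on the collector host instead). Returns the parsed
    tuple, or None if nothing arrived before the timeout, which is what a
    silent syslogd looks like from the receiving side.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.settimeout(timeout)
    rx.bind(("127.0.0.1", 0))
    port = rx.getsockname()[1]
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(payload, ("127.0.0.1", port))
        data, _ = rx.recvfrom(1024)
    except socket.timeout:
        return None
    finally:
        tx.close()
        rx.close()
    return parse_pri(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Constructed sample: the exact datagram seen in the strace recvfrom() line.
    sample = b"<13>May 18 10:28:03 lee: test"
    print(loopback_forward_check(sample))
```

On the collector, the same receive-and-decode loop bound to UDP 514 shows immediately whether datagrams from the client are arriving; if the listener stays silent while strace on the client still shows writev() to local files but no sendto() to the remote address, the problem is on the sending side (the missing forwarding option), not the network path.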