Date: Thu, 30 Apr 2015 18:42:46 -0453 From: "William A. Mahaffey III" <wam@hiwaay.net> To: freebsd-questions@freebsd.org Subject: Re: minor syslog issue Message-ID: <5542BC7F.7050602@hiwaay.net> In-Reply-To: <5542348D.8000109@infracaninophile.co.uk> References: <55422366.8060000@hiwaay.net> <554229CE.30009@infracaninophile.co.uk> <55422E43.8090206@hiwaay.net> <5542348D.8000109@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On 04/30/15 09:02, Matthew Seaman wrote:
> On 04/30/15 14:28, William A. Mahaffey III wrote:
>> 08:23:28.496828 IP RPiB+.59735 > kabini1.local.syslog: SYSLOG
>> syslog.error, length: 59
>> 08:23:28.497229 IP RPiB+.59735 > kabini1.local.syslog: SYSLOG
>> syslog.error, length: 59
> This is the only relevant bit out of your tcpdump output -- it usually
> helps if you filter out as much of the irrelevant stuff that you can[*].
>
> Anyhow, as you can see, your RPiB+ is logging *from* an arbitrary
> high-numbered port. This time it happens to be using 59735 but that
> would probably change with each restart of syslogd. Basically use the
> '-a 192.168.0.0/16:*' form in this case.
>
> Cheers,
>
> Matthew
>
> [*] ie. 'tcpdump port syslog' should work as the packets are being sent
> to the syslog port on your server.
>
An update here, I kicked off the above command on both the RPi &
kabini1. It took a while, but the RPi did its daily 'syslogd restart':
Apr 27 22:00:01 rpi syslogd[603]: restart
Apr 28 08:00:00 rpi syslogd[603]: restart
Apr 28 22:00:00 rpi syslogd[603]: restart
Apr 29 14:54:44 rpi syslogd[603]: Exiting on signal 15
Apr 29 10:01:01 rpi syslogd[25366]: restart
Apr 29 17:06:15 rpi syslogd[25366]: restart
Apr 30 07:28:32 rpi syslogd[25366]: Exiting on signal 15
Apr 30 07:28:34 rpi syslogd[27124]: restart
Apr 30 08:20:34 rpi syslogd[27124]: Exiting on signal 15
Apr 30 08:20:34 rpi syslogd[27124]: Exiting on signal 15
Apr 30 08:20:37 rpi syslogd[2779]: restart
Apr 30 08:23:43 rpi syslogd[2779]: Exiting on signal 15
Apr 30 08:23:43 rpi syslogd[2779]: Exiting on signal 15
Apr 30 08:23:45 rpi syslogd[14885]: restart
Apr 30 08:41:03 rpi syslogd[14885]: Exiting on signal 15
Apr 30 08:41:03 rpi syslogd[14885]: Exiting on signal 15
Apr 30 08:41:05 rpi syslogd[27342]: restart
Apr 30 09:25:16 rpi syslogd[27342]: Exiting on signal 15
Apr 30 09:25:16 rpi syslogd[27342]: Exiting on signal 15
Apr 30 09:25:18 rpi syslogd[11087]: restart
Apr 30 09:26:03 rpi timed[6547]: This machine is master
Apr 30 17:06:15 rpi syslogd[11087]: restart
Thu Apr 30 18:32:45 MCDT 2015
rpi #
& I got packets both from the RPi & to kabini1, but nothing in
kabini1's logfile:
rpi # tcpdump port syslog
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on usmsc0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:06:00.980239 IP 192.168.0.1.59623 > 192.168.0.27.syslog: SYSLOG
syslog.info, length: 47
[root@kabini1, /etc, 9:26:24am] 503 % tcpdump port syslog
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:07:00.976242 IP RPiB+.59623 > kabini1.local.syslog: SYSLOG
syslog.info, length: 47
[root@kabini1, /etc, 6:31:31pm] 364 % tail -15 /var/log/messages ;
hwclock -r ; date
Apr 28 09:30:12 kabini1 kernel: Limiting closed port RST response from
276 to 200 packets/sec
Apr 28 09:30:13 kabini1 kernel: Limiting closed port RST response from
239 to 200 packets/sec
Apr 28 09:30:14 kabini1 kernel: Limiting closed port RST response from
280 to 200 packets/sec
Apr 28 09:30:16 kabini1 kernel: Limiting closed port RST response from
319 to 200 packets/sec
Apr 30 08:13:49 kabini1 syslogd: exiting on signal 15
Apr 30 08:13:49 kabini1 syslogd: kernel boot file is /boot/kernel/kernel
Apr 30 08:16:36 kabini1 kernel: re0: promiscuous mode enabled
Apr 30 08:17:53 kabini1 kernel: re0: promiscuous mode disabled
Apr 30 08:33:43 kabini1 kernel: re0: promiscuous mode enabled
Apr 30 08:41:19 kabini1 kernel: re0: promiscuous mode disabled
Apr 30 08:52:53 kabini1 kernel: re0: promiscuous mode enabled
Apr 30 09:07:57 kabini1 kernel: re0: promiscuous mode disabled
Apr 30 09:18:45 kabini1 syslogd: exiting on signal 15
Apr 30 09:18:45 kabini1 syslogd: kernel boot file is /boot/kernel/kernel
Apr 30 09:20:47 kabini1 kernel: re0: promiscuous mode enabled
hwclock: Command not found.
Thu Apr 30 18:39:25 MCDT 2015
[root@kabini1, /etc, 6:39:25pm] 365 %
syslogd on kabini1 should be accepting traffic from all ports:
[root@kabini1, /etc, 6:40:19pm] 366 % ps -ax | grep syslog
783 ?? Is 0:39.07 /usr/sbin/amd -p -a /.amd_mnt -l syslog
/host /etc/amd.map /net /etc/amd.map
73506 ?? Is 0:00.10 /usr/sbin/syslogd -a 192.168.0.0/16:* -C -T
8622 4 S+ 0:00.00 grep syslog
73648 7 S+ 0:00.93 tcpdump port
i.e. looks like the traffic is there, but syslogd isn't recording it (?)
.... Any clues appreciated.
--
William A. Mahaffey III
----------------------------------------------------------------------
"The M1 Garand is without doubt the finest implement of war
ever devised by man."
-- Gen. George S. Patton Jr.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5542BC7F.7050602>