Date:      Thu, 30 Apr 2015 18:42:46 -0453
From:      "William A. Mahaffey III" <wam@hiwaay.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: minor syslog issue
Message-ID:  <5542BC7F.7050602@hiwaay.net>
In-Reply-To: <5542348D.8000109@infracaninophile.co.uk>
References:  <55422366.8060000@hiwaay.net> <554229CE.30009@infracaninophile.co.uk> <55422E43.8090206@hiwaay.net> <5542348D.8000109@infracaninophile.co.uk>

On 04/30/15 09:02, Matthew Seaman wrote:
> On 04/30/15 14:28, William A. Mahaffey III wrote:
>> 08:23:28.496828 IP RPiB+.59735 > kabini1.local.syslog: SYSLOG
>> syslog.error, length: 59
>> 08:23:28.497229 IP RPiB+.59735 > kabini1.local.syslog: SYSLOG
>> syslog.error, length: 59
> This is the only relevant bit out of your tcpdump output -- it usually
> helps if you filter out as much of the irrelevant stuff that you can[*].
>
> Anyhow, as you can see, your RPiB+ is logging *from* an arbitrary
> high-numbered port.  This time it happens to be using 59735 but that
> would probably change with each restart of syslogd.  Basically use the
> '-a 192.168.0.0/16:*' form in this case.
>
> 	Cheers,
>
> 	Matthew
>
> [*] ie. 'tcpdump port syslog' should work as the packets are being sent
> to the syslog port on your server.
>

An update here, I kicked off the above command on both the RPi & 
kabini1. It took a while, but the RPi did its daily 'syslogd restart':


Apr 27 22:00:01 rpi syslogd[603]: restart
Apr 28 08:00:00 rpi syslogd[603]: restart
Apr 28 22:00:00 rpi syslogd[603]: restart
Apr 29 14:54:44 rpi syslogd[603]: Exiting on signal 15
Apr 29 10:01:01 rpi syslogd[25366]: restart
Apr 29 17:06:15 rpi syslogd[25366]: restart
Apr 30 07:28:32 rpi syslogd[25366]: Exiting on signal 15
Apr 30 07:28:34 rpi syslogd[27124]: restart
Apr 30 08:20:34 rpi syslogd[27124]: Exiting on signal 15
Apr 30 08:20:34 rpi syslogd[27124]: Exiting on signal 15
Apr 30 08:20:37 rpi syslogd[2779]: restart
Apr 30 08:23:43 rpi syslogd[2779]: Exiting on signal 15
Apr 30 08:23:43 rpi syslogd[2779]: Exiting on signal 15
Apr 30 08:23:45 rpi syslogd[14885]: restart
Apr 30 08:41:03 rpi syslogd[14885]: Exiting on signal 15
Apr 30 08:41:03 rpi syslogd[14885]: Exiting on signal 15
Apr 30 08:41:05 rpi syslogd[27342]: restart
Apr 30 09:25:16 rpi syslogd[27342]: Exiting on signal 15
Apr 30 09:25:16 rpi syslogd[27342]: Exiting on signal 15
Apr 30 09:25:18 rpi syslogd[11087]: restart
Apr 30 09:26:03 rpi timed[6547]: This machine is master
Apr 30 17:06:15 rpi syslogd[11087]: restart
Thu Apr 30 18:32:45 MCDT 2015
rpi #


  & I got packets both from the RPi & to kabini1, but nothing in 
kabini1's logfile:

rpi # tcpdump port syslog
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on usmsc0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:06:00.980239 IP 192.168.0.1.59623 > 192.168.0.27.syslog: SYSLOG syslog.info, length: 47

[root@kabini1, /etc, 9:26:24am] 503 % tcpdump port syslog
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:07:00.976242 IP RPiB+.59623 > kabini1.local.syslog: SYSLOG syslog.info, length: 47

[root@kabini1, /etc, 6:31:31pm] 364 % tail -15 /var/log/messages ; 
hwclock -r ; date
Apr 28 09:30:12 kabini1 kernel: Limiting closed port RST response from 
276 to 200 packets/sec
Apr 28 09:30:13 kabini1 kernel: Limiting closed port RST response from 
239 to 200 packets/sec
Apr 28 09:30:14 kabini1 kernel: Limiting closed port RST response from 
280 to 200 packets/sec
Apr 28 09:30:16 kabini1 kernel: Limiting closed port RST response from 
319 to 200 packets/sec
Apr 30 08:13:49 kabini1 syslogd: exiting on signal 15
Apr 30 08:13:49 kabini1 syslogd: kernel boot file is /boot/kernel/kernel
Apr 30 08:16:36 kabini1 kernel: re0: promiscuous mode enabled
Apr 30 08:17:53 kabini1 kernel: re0: promiscuous mode disabled
Apr 30 08:33:43 kabini1 kernel: re0: promiscuous mode enabled
Apr 30 08:41:19 kabini1 kernel: re0: promiscuous mode disabled
Apr 30 08:52:53 kabini1 kernel: re0: promiscuous mode enabled
Apr 30 09:07:57 kabini1 kernel: re0: promiscuous mode disabled
Apr 30 09:18:45 kabini1 syslogd: exiting on signal 15
Apr 30 09:18:45 kabini1 syslogd: kernel boot file is /boot/kernel/kernel
Apr 30 09:20:47 kabini1 kernel: re0: promiscuous mode enabled
hwclock: Command not found.
Thu Apr 30 18:39:25 MCDT 2015
[root@kabini1, /etc, 6:39:25pm] 365 %

syslogd on kabini1 should be accepting traffic from all ports:

[root@kabini1, /etc, 6:40:19pm] 366 % ps -ax | grep syslog
   783 ??  Is       0:39.07 /usr/sbin/amd -p -a /.amd_mnt -l syslog 
/host /etc/amd.map /net /etc/amd.map
73506 ??  Is       0:00.10 /usr/sbin/syslogd -a 192.168.0.0/16:* -C -T
  8622  4  S+       0:00.00 grep syslog
73648  7  S+       0:00.93 tcpdump port

i.e. looks like the traffic is there, but syslogd isn't recording it (?) 
.... Any clues appreciated.

-- 

	William A. Mahaffey III

  ----------------------------------------------------------------------

	"The M1 Garand is without doubt the finest implement of war
	 ever devised by man."
                            -- Gen. George S. Patton Jr.
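The thread turns on how syslogd's `-a` allow-list matches the source address and source port of incoming UDP syslog packets: the RPi sends from an ephemeral high port, so an entry without `:*` (which defaults to port 514) silently rejects every packet even though tcpdump shows them arriving. The following checker is an added example written for this page, not code from the thread or from FreeBSD; it parses `tcpdump -n port syslog` lines and applies the same peer matching that syslogd(8) documents for the `ipaddr[/masklen][:port]` form. Assumptions: IPv4 only, hostname and `*.domain` peer forms are not handled, and the sample capture is constructed (the first two lines follow the captures in the thread, the others are invented to show a rejected peer and a name-resolved line).

```python
"""
Added example (not part of the mailing-list thread): mirror FreeBSD
syslogd(8) '-a allowed_peer' matching against the source address/port
of packets seen in 'tcpdump -n port syslog' output.

Assumptions: IPv4 only; '-a' entries of the form ipaddr[/masklen][:port]
where port is a number or '*'. An omitted port means 514, as in syslogd.
"""
import ipaddress
import re

# Constructed sample in the format tcpdump prints with -n (numeric hosts
# and ports). Lines 1-2 are modelled on the thread's captures, line 3 is
# a peer outside the allowed network, line 4 is a name-resolved line of
# the kind tcpdump prints WITHOUT -n (the checker cannot match it).
SAMPLE_TCPDUMP = """\
17:06:00.980239 IP 192.168.0.1.59623 > 192.168.0.27.514: SYSLOG syslog.info, length: 47
08:23:28.496828 IP 192.168.0.1.59735 > 192.168.0.27.514: SYSLOG syslog.error, length: 59
08:24:01.000000 IP 10.0.0.5.514 > 192.168.0.27.514: SYSLOG daemon.notice, length: 40
17:07:00.976242 IP RPiB+.59623 > kabini1.local.syslog: SYSLOG syslog.info, length: 47
"""

# timestamp IP <src>.<sport> > <dst>.<dport>: SYSLOG <facility.level>, ...
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\S+?): SYSLOG (\S+),")


def parse_allowed_peer(spec, default_port=514):
    """Turn one '-a' argument into (IPv4Network, port_filter).

    port_filter is None for '*' (any source port), otherwise an int.
    """
    addr, sep, port = spec.partition(":")
    if not sep:
        port_filter = default_port      # syslogd defaults to the syslog port
    elif port == "*":
        port_filter = None
    else:
        port_filter = int(port)
    # strict=False lets a bare address become a /32 network.
    return ipaddress.ip_network(addr, strict=False), port_filter


def parse_tcpdump(text):
    """Return (records, skipped). Name-resolved sources are skipped."""
    records, skipped = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, pri = m.groups()
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            skipped.append(line)        # rerun tcpdump with -n to get numbers
            continue
        records.append({"src": src_ip, "sport": int(sport),
                        "dst": dst, "dport": dport, "pri": pri})
    return records, skipped


def peer_allowed(src_ip, sport, allow_list):
    """True if any '-a' entry matches both the network and the source port."""
    return any(src_ip in net and (port is None or port == sport)
               for net, port in allow_list)


def audit(text, allow_specs):
    """Apply the given '-a' specs to a capture; returns (results, n_skipped).

    Each result is (src, sport, priority, allowed).
    """
    allow = [parse_allowed_peer(s) for s in allow_specs]
    records, skipped = parse_tcpdump(text)
    results = [(str(r["src"]), r["sport"], r["pri"],
                peer_allowed(r["src"], r["sport"], allow))
               for r in records]
    return results, len(skipped)


if __name__ == "__main__":
    for specs in (["192.168.0.0/16"], ["192.168.0.0/16:*"]):
        results, n_skipped = audit(SAMPLE_TCPDUMP, specs)
        print("syslogd -a", " -a ".join(specs))
        for src, sport, pri, ok in results:
            print(f"  {src}:{sport:<5} {pri:<15} {'accepted' if ok else 'DROPPED'}")
        print(f"  ({n_skipped} name-resolved line(s) skipped; use tcpdump -n)")
```

Running it shows the two RPi packets dropped under `-a 192.168.0.0/16` and accepted under `-a 192.168.0.0/16:*`, while the 10.0.0.5 peer is dropped by both. The checker only reproduces the address filter; on the receiving host also confirm that syslogd actually has a UDP socket open (it must not be started with `-s`), which on FreeBSD `sockstat -4l | grep syslogd` shows.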




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?5542BC7F.7050602>