Re: Very strange syslogd behavior

From: Ross Vandegrift (ross@willow.seitz.com)
Date: Tue Jan 27 2004 - 23:09:30 CET


On Mon, Jan 26, 2004 at 10:28:14PM +0100, Martin Schulze wrote:
> Could you run tcpdump / ethereal on the log host using port 514/udp
> to ensure that messages from the hosts you are missing are indeed
> sent to the log host and just not processed by syslogd?

Ok, I've done some more snooping and I think I can verify that the
problem is somewhere in syslogd. I found a piece of software called
passlogd - it's a passive syslogger that receives messages by sniffing
the local network for udp/514 traffic.

I installed it on my loghost, and after sending an email, it sniffed out
the following message:

Tue Jan 27 16:51:31 2004 146.145.147.188 to 146.145.147.149: <22> sm-mta[8325]:
i0RLpUAP008323: to=<ross@lug.udel.edu>, delay=00:00:01, xdelay=00:00:01,
mailer=esmtp, pri=120503, relay=mail.lug.udel.edu. [128.175.60.112],
dsn=2.0.0, stat=Sent (ok 1075240289 qp 16347)

146.145.147.188 is hedge, the mail relay. 146.145.147.149 is
sequoia, the logging host.

Looking in the mail.log for the latest message:

sequoia:/var/log/mail# grep hedge mail.log | tail -n 1
Jan 27 16:17:54 hedge sendmail[7581]: STARTTLS=client, relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, cipher=EDH-RSA-DES-CBC3-SHA, bits=168/168

Looks like the most recent message from hedge processed by syslogd was
35 minutes ago. So at this point I'm sure that messages are being sent
out by sendmail, that they're being sent to the correct loghost, and
that the loghost is configured to receive them.

-- 
Ross Vandegrift
ross@willow.seitz.com
A Pope has a Water Cannon.                               It is a Water Cannon.
He fires Holy-Water from it.                        It is a Holy-Water Cannon.
He Blesses it.                                 It is a Holy Holy-Water Cannon.
He Blesses the Hell out of it.          It is a Wholly Holy Holy-Water Cannon.
He has it pierced.                It is a Holey Wholly Holy Holy-Water Cannon.
He makes it official.       It is a Canon Holey Wholly Holy Holy-Water Cannon.
Batman and Robin arrive.                                       He shoots them.
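
Added example, not part of the original message: a Python sketch of the comparison made above. It decodes the <22> priority of the sniffed datagram and measures how far the newest line written to mail.log lags behind it. The passlogd line layout is an assumption inferred from the single sample in the message, and the function and variable names are hypothetical.

```python
import re
from datetime import datetime

# Sample input: shortened copies of the two log excerpts quoted in the message.
SNIFFED = ("Tue Jan 27 16:51:31 2004 146.145.147.188 to 146.145.147.149: "
           "<22> sm-mta[8325]: i0RLpUAP008323: to=<ross@lug.udel.edu>, stat=Sent")
LOGGED = ("Jan 27 16:17:54 hedge sendmail[7581]: STARTTLS=client, "
          "relay=[127.0.0.1], verify=FAIL")
HOSTS = {"146.145.147.188": "hedge"}  # IP-to-name mapping stated in the message

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed passlogd layout, inferred from the one sample line on this page.
SNIFF_RE = re.compile(
    r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) (\S+) to (\S+): <(\d{1,3})> ?(.*)$")
# Classic syslogd file layout: "Mon DD HH:MM:SS host tag: text" (no year).
FILE_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) (.*)$")


def decode_pri(pri):
    """PRI = facility * 8 + severity; return both as names."""
    fac, sev = divmod(pri, 8)
    name = FACILITIES[fac] if fac < len(FACILITIES) else "facility%d" % fac
    return name, SEVERITIES[sev]


def wire_vs_file(sniffed, logged, hosts):
    """Compare a sniffed datagram with the newest logged line for its sender."""
    s = SNIFF_RE.match(sniffed)
    f = FILE_RE.match(logged)
    if not s or not f:
        raise ValueError("unrecognised line format")
    seen = datetime.strptime(s.group(1), "%a %b %d %H:%M:%S %Y")
    # The log file omits the year; borrow it from the capture (assumption:
    # both lines are from the same year).
    written = datetime.strptime("%s %d" % (f.group(1), seen.year),
                                "%b %d %H:%M:%S %Y")
    if hosts.get(s.group(2)) != f.group(2):
        raise ValueError("log line is not from the sniffed sender")
    facility, severity = decode_pri(int(s.group(4)))
    return {"sender": f.group(2), "facility": facility, "severity": severity,
            "gap_seconds": int((seen - written).total_seconds())}


if __name__ == "__main__":
    print(wire_vs_file(SNIFFED, LOGGED, HOSTS))
```

A positive gap_seconds for a mail-facility message means the datagram reached the loghost's interface later than anything syslogd has written for that sender.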

