remote logging using syslogd - Ubuntu 18.04.2 LTS - just will not send

Question

so, playing with centralized logging and i just cannot get syslogd to send the messages to a remote syslog server.

background:

syslog server is setup and working, tested with other devices sending logs into it.

networking both server and client reside in the same subnet, firewalls are off on server, from what i can tell ubuntu has no firewall configured. tested 514 open on the server from the client and get a successful connection.

setup/test process

syslogd didn't seem to exist on my install, so i installed it:

sudo apt-get install -y inetutils-syslogd

modified the config file in /etc/syslogd.conf to include 2 lines:

*.* /home/lee/test
*.* @10.120.1.20

saved and reloaded syslogd by sending the hangup signal

killall -s SIGHUP syslogd

testing with the logger function:

logger "test"

inserts lines into the local file, but nothing gets to the server.

tried setting up a tcpdump on 512 outbound to see if anything is going through:

tcpdump -n -s 1500 -X port 514 -w /home/lee/tcpdump.pcap

the file is empty, tried tracing the PID as such:

strace -s 500 -tfp 188341 -o /home/lee/strace_syslog

the output of the file indicates it sees the test messages, and writes to some outputs, but nothing seems to indicate writing out to the remote syslog address...

1446  10:27:52 restart_syscall(<... resuming interrupted poll ...>) = 1
1446  10:28:03 recvfrom(21, "<13>May 18 10:28:03 lee: test", 1024, 0, 0x7ffd918070e0, [110->0]) = 29
1446  10:28:03 rt_sigprocmask(SIG_BLOCK, [HUP ALRM], [], 8) = 0
1446  10:28:03 writev(22, [{iov_base="May 18 10:28:03", iov_len=15}, {iov_base=" ", iov_len=1}, {iov_base="ubuntu-docker", iov_len=13}, {iov_base=" ", iov_len=1}, {iov_base="lee: test", iov_len=9}, {iov_base="\n", iov_len=1}], 6) = 40
1446  10:28:03 writev(20, [{iov_base="May 18 10:28:03", iov_len=15}, {iov_base=" ", iov_len=1}, {iov_base="ubuntu-docker", iov_len=13}, {iov_base=" ", iov_len=1}, {iov_base="lee: test", iov_len=9}, {iov_base="\n", iov_len=1}], 6) = 40
1446  10:28:03 writev(11, [{iov_base="May 18 10:28:03", iov_len=15}, {iov_base=" ", iov_len=1}, {iov_base="ubuntu-docker", iov_len=13}, {iov_base=" ", iov_len=1}, {iov_base="lee: test", iov_len=9}, {iov_base="\n", iov_len=1}], 6) = 40
1446  10:28:03 writev(6, [{iov_base="May 18 10:28:03", iov_len=15}, {iov_base=" ", iov_len=1}, {iov_base="ubuntu-docker", iov_len=13}, {iov_base=" ", iov_len=1}, {iov_base="lee: test", iov_len=9}, {iov_base="\n", iov_len=1}], 6) = 40
1446  10:28:03 rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
1446  10:28:03 poll([{fd=3, events=POLLIN|POLLPRI}, {fd=21, events=POLLIN|POLLPRI}], 2, -1) = ? ERESTART_RESTARTBLOCK (Interrupted by signal)
1446  10:28:10 --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
1446  10:28:10 alarm(30)                = 0
1446  10:28:10 rt_sigreturn({mask=[]})  = -1 EINTR (Interrupted system call)
1446  10:28:10 poll([{fd=3, events=POLLIN|POLLPRI}, {fd=21, events=POLLIN|POLLPRI}], 2, -1) = ? ERESTART_RESTARTBLOCK (Interrupted by signal)
1446  10:28:40 --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
1446  10:28:40 alarm(30)                = 0
1446  10:28:40 rt_sigreturn({mask=[]})  = -1 EINTR (Interrupted system call)

what have i missed???

i just cannot get it to output to a remote host.... from my testing i am confident that it is a configuration issue in /etc/syslogd.conf but i cannot see what!

Your confidence may be misplaced! Your syslogd may consider this message as coming from another system. Syslogd does not, by default, forward messages. — Gerard H. Pille, May 18 '20 at 11:03
A. you shouldn't have install `inetutils-syslogd` - Ubuntu comes with RSyslog which is a much better implementation. I have used RSyslog successfully for remote logging many times and it is recommended. — Guss, May 18 '20 at 11:10
B. While `logger` by default sends messages through `/dev/log`, because of your non-standard setup it may fail to do so and fallback to logging over UDP - in that case, rsyslog will refuse to forward the message as noted by @GerardH.Pille — Guss, May 18 '20 at 11:11
o ok! thank you guys, so the correct way to proceed would be to now uninstall inetutils-syslogd hopefully reverting back to now use rsyslogd instead? — Lee Hill, May 18 '20 at 11:43
uninstalled ```inetutils-syslogd```. then unmasked rsyslog. added this line to the rsyslog.conf file: ```*.* @@10.120.1.20:1468``` restarted rsyslogd ```sudo service rsyslog restart``` testing with Logger but i still don't get any messages? — Lee Hill, May 18 '20 at 12:13

score 1 · Accepted Answer · answered May 18 '20 at 11:14

1

If you want to force your local syslogd to forward messages, restart it with

-h, --hop
    Enable forwarding remote messages. By default syslogd will not forward
    messages it receives from remote hosts.

answered May 18 '20 at 11:14

Gerard H. Pille

2,469
1
12
10

this was extremely helpful and i am very surprised that it is not more results from my goggle searches :) i should have ready the man page more thoroughly! thank you. – Lee Hill May 18 '20 at 11:47
I assure you it took quite some digging before I understood what could be wrong with your configuration - since nothing was wrong. ;-) – Gerard H. Pille May 18 '20 at 12:28

remote logging using syslogd - Ubuntu 18.04.2 LTS - just will not send

1 Answers1