[BBLISA] Help with destination of syslog messages?

John P. Rouillard rouilj at cs.umb.edu
Wed Mar 28 20:15:32 EDT 2012


In message
<CADjQVp=fyDNSqh69sbJ7edJ0r5FhRGEdwoPhWGkr+Qj_RdCnXw at mail.gmail.com> ,
Scott Ehrlich writes:
>I have a test environment consisting of Win 2008 R2 Server and Windows
>XP w/SP3, both running the latest Snare Agent for Windows, along with
>RHEL 5.6 and RHEL 6.2 servers, all within a VM environment.
>
>I am testing Linux as a central logging option.   Snare Agent (free
>version) uses UDP, so it is a natural option for standard syslog on
>Linux.
>
>I am tailing /var/log/messages and only see host-only traffic, but
>another terminal window running tcpdump (or tcpdump -X port 514) DOES
>show incoming traffic from the clients.
>[...]
>Or, is there another step I need to learn to capture the data to a file?

Read 'man 8 syslogd', usually you need -r (IIRC) to enable remote
access.

Run sudo netstat -anp and see if anything is listening at *.*:514,
I'll bet there is nothing listening there. After you change the
startup options to restart with -r syslogd should be bound to port
514.

Change the startup options by using a setting in
/etc/sysconfig/syslogd. Read the syslogd startup script in /etc/init.d
to see what variable to set and verify the name of the sysconfig file.


--
				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
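The two checks the reply suggests (is anything bound to UDP 514, and do the daemon's startup options enable remote reception) as a small script. This is an added example for this thread, not code from the poster or from Red Hat. It assumes the sysklogd layout from RHEL 5, where the init script reads SYSLOGD_OPTIONS from /etc/sysconfig/syslog; it also covers rsyslog, which RHEL 6 ships instead of sysklogd and which enables UDP reception with "$ModLoad imudp" and "$UDPServerRun 514" in /etc/rsyslog.conf rather than with -r. The helper functions take their input from a file or stdin so they can be exercised on constructed data before being pointed at the live host.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or RHEL's own code).
# Checks whether a UDP socket is bound to port 514 and whether the syslog
# daemon's configuration enables remote reception.
# Assumptions (labelled): sysklogd reads SYSLOGD_OPTIONS from
# /etc/sysconfig/syslog (RHEL 5); rsyslog (RHEL 6) instead needs
# "$ModLoad imudp" and "$UDPServerRun 514" in /etc/rsyslog.conf.

# Read `netstat -anp` output on stdin; succeed if any UDP socket is bound
# to port 514 on any address (0.0.0.0:514, :::514, or a specific IP).
listening_on_514() {
    awk '$1 ~ /^udp/ && $4 ~ /(^|:)514$/ { found = 1 }
         END { exit !found }'
}

# Succeed if SYSLOGD_OPTIONS in the given sysconfig file contains -r
# as a separate option (so "-m 0 -r" matches but "-rx" does not).
sysklogd_remote_enabled() {
    grep -E '^SYSLOGD_OPTIONS=(.*[" ])?-r([" ]|$)' "$1" >/dev/null 2>&1
}

# Succeed if the given rsyslog.conf loads imudp and starts a UDP listener
# on 514, with both directives uncommented.
rsyslog_udp_enabled() {
    grep -E '^[[:space:]]*\$ModLoad[[:space:]]+imudp' "$1" >/dev/null 2>&1 &&
    grep -E '^[[:space:]]*\$UDPServerRun[[:space:]]+514([[:space:]]|$)' "$1" >/dev/null 2>&1
}

# Run the checks against the live host (netstat -p needs root to show
# the owning process of every socket).
live_check() {
    if netstat -anp 2>/dev/null | listening_on_514; then
        echo "OK: a UDP socket is bound to port 514"
    else
        echo "PROBLEM: nothing is listening on UDP 514"
    fi
    if [ -f /etc/sysconfig/syslog ]; then
        if sysklogd_remote_enabled /etc/sysconfig/syslog; then
            echo "OK: SYSLOGD_OPTIONS contains -r"
        else
            echo "PROBLEM: add -r to SYSLOGD_OPTIONS in /etc/sysconfig/syslog and restart syslog"
        fi
    fi
    if [ -f /etc/rsyslog.conf ]; then
        if rsyslog_udp_enabled /etc/rsyslog.conf; then
            echo "OK: rsyslog imudp listener on 514 is configured"
        else
            echo "PROBLEM: uncomment \$ModLoad imudp and \$UDPServerRun 514 in /etc/rsyslog.conf and restart rsyslog"
        fi
    fi
}

# Only touch the live system when asked to: sh check_syslog.sh --live
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it with --live as root on the collector; if the first check reports nothing bound to 514, the daemon is not receiving from the network at all, which matches the symptom of tcpdump seeing the packets while /var/log/messages stays quiet. Opening 514 also means any host that can reach the collector can write to its logs, so a host firewall rule limiting the port to the known agent addresses is worth adding alongside the listener.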