Hello, I recently discovered some oddness with syslogd when logging entries are to be broadcasted to another syslogd. Sometimes, syslogd just states 'sendto: Operation not permitted', and the following messages are not being broadcasted to the central syslogd. I have the strange feeling that this happens especially if there is much logging traffic to be sent to the far syslogd.
Kernel: 2.0.36, sysklogd: 1.3-31 (from Debian 2.1 slink).

I made some experiments to be sure that there are no 'trivial' reasons avoiding the local syslogd to send its packages to the far syslogd:

- It is not the case that the packages are sent correctly, but get lost in my LAN (traced with tcpdump).
- The problem seems to have nothing to do with the IP firewalling rules, they correctly accept UDP traffic between ports 514 (verified by fw-logging, see example below).

Here is some example:

The syslog.conf on the local machine 'gateway' was:

    *.*                 /var/log/syslog
    *.*;kernel.none     @central

For the IP firewalling rules, the 'o' flag was set to get them logged in order to see that they are not denying any UDP traffic. (Therefore, kernel logs were not allowed to be transmitted to the far syslogd to avoid infinite logging loops.)

This is the output in /var/log/syslog when taking down an isdn link to my service provider:

--------------------------------------------------------------------------
Jun 24 21:19:03 gateway kernel: isdn_net: local hangup ippp0
Jun 24 21:19:03 gateway kernel: ippp0: Chargesum is 0
Jun 24 21:19:03 gateway isdnlog: Call (588312): 01910 Normal call clearing (User)
Jun 24 21:19:03 gateway ipppd[203]: Modem hangup
Jun 24 21:19:03 gateway ipppd[203]: Connection terminated.
Jun 24 21:19:03 gateway ipppd[203]: taking down PHASE_DEAD link 0, linkunit: 0
Jun 24 21:19:03 gateway ipppd[203]: closing fd 8 from unit 0
Jun 24 21:19:03 gateway ipppd[203]: link 0 closed , linkunit: 0
Jun 24 21:19:03 gateway ipppd[203]: reinit_unit: 0
Jun 24 21:19:03 gateway ipppd[203]: Connect[0]: /dev/ippp0, fd: 8
Jun 24 21:19:03 gateway kernel: IP fw-out acc eth0 UDP 10.20.30.13:514 10.20.30.10:514 L=129 S=0x00 I=35681 F=0x0000 T=64
Jun 24 21:19:03 gateway kernel: IP fw-out acc eth0 UDP 10.20.30.13:514 10.20.30.10:514 L=58 S=0x00 I=35682 F=0x0000 T=64
Jun 24 21:19:03 gateway kernel: IP fw-out acc eth0 UDP 10.20.30.13:514 10.20.30.10:514 L=68 S=0x00 I=35683 F=0x0000 T=64
Jun 24 21:19:03 gateway kernel: IP fw-out acc eth0 UDP 10.20.30.13:514 10.20.30.10:514 L=88 S=0x00 I=35684 F=0x0000 T=64
Jun 24 21:19:03 gateway kernel: IP fw-out acc eth0 UDP 10.20.30.13:514 10.20.30.10:514 L=70 S=0x00 I=35685 F=0x0000 T=64
Jun 24 21:19:03 gateway kernel: IP fw-out acc eth0 UDP 10.20.30.13:514 10.20.30.10:514 L=73 S=0x00 I=35686 F=0x0000 T=64
Jun 24 21:19:03 gateway kernel: IP fw-out acc eth0 UDP 10.20.30.13:514 10.20.30.10:514 L=61 S=0x00 I=35687 F=0x0000 T=64
Jun 24 21:19:03 gateway kernel: IP fw-out acc eth0 UDP 10.20.30.13:514 10.20.30.10:514 L=75 S=0x00 I=35688 F=0x0000 T=64
Jun 24 21:19:03 gateway syslogd: sendto: Operation not permitted
Jun 24 21:19:03 gateway isdnlog: Call (588312): 01910 Free of charge
Jun 24 21:19:03 gateway isdnlog: Call (588312): 01910 HANGUP ( 0:00:49 I= 16.5Kb O= 2.8Kb) Normal call clearing (User)
--------------------------------------------------------------------------

All but the last three entries were successfully transmitted to the far syslogd (except those from the 'kernel' facility).

Has anyone any idea about this?

Ciao,
Thomas
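
One way to check a local log for a forwarding gap like the one described above, as an added example that is not part of the original post: it counts the messages eligible for forwarding against the firewall's accept records for the collector and lists what follows the first sendto error. The function name reconcile, the regexes and the sample lines are assumptions built from the line format in the excerpt.

```python
import re

# Line shape assumed from the excerpt: "Mon DD HH:MM:SS host tag[pid]: text"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ ([^\s:\[]+)(?:\[\d+\])?: (.*)$")
# Firewall accept record for an outgoing UDP datagram, as logged in the excerpt
FW_OUT = re.compile(r"^IP fw-out acc \S+ UDP [\d.]+:\d+ ([\d.]+):(\d+) ")


def reconcile(lines, collector_ip, port=514):
    """Compare messages eligible for forwarding with accepted datagrams."""
    eligible, accepted, errors, after_error = 0, 0, [], []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a syslog line in the assumed shape
        tag, text = m.groups()
        if tag == "kernel":
            # Kernel messages are not forwarded in the setup the post describes;
            # here they only carry the firewall's own accept records.
            fw = FW_OUT.match(text)
            if fw and fw.group(1) == collector_ip and int(fw.group(2)) == port:
                accepted += 1
            continue
        eligible += 1
        if tag == "syslogd" and text.startswith("sendto:"):
            errors.append(text)
        if errors:
            # From the first send failure on, delivery cannot be assumed.
            after_error.append(raw.strip())
    return {"eligible": eligible, "accepted": accepted,
            "unaccounted": eligible - accepted,
            "errors": errors, "after_error": after_error}


# Constructed sample in the format of the excerpt (shortened, not the original log).
SAMPLE = """\
Jun 24 21:19:03 gateway ipppd[203]: Modem hangup
Jun 24 21:19:03 gateway ipppd[203]: Connection terminated.
Jun 24 21:19:03 gateway kernel: IP fw-out acc eth0 UDP 10.20.30.13:514 10.20.30.10:514 L=58 S=0x00 I=35682 F=0x0000 T=64
Jun 24 21:19:03 gateway kernel: IP fw-out acc eth0 UDP 10.20.30.13:514 10.20.30.10:514 L=68 S=0x00 I=35683 F=0x0000 T=64
Jun 24 21:19:03 gateway syslogd: sendto: Operation not permitted
Jun 24 21:19:03 gateway isdnlog: Call (588312): 01910 Free of charge
""".splitlines()

if __name__ == "__main__":
    result = reconcile(SAMPLE, "10.20.30.10")
    print("eligible=%(eligible)d accepted=%(accepted)d unaccounted=%(unaccounted)d" % result)
    for line in result["after_error"]:
        print("check on collector:", line)
```

A non-zero "unaccounted" only says the local log and the firewall records disagree; the lines under "check on collector" still have to be looked up on the receiving host.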