# Syslog not listening on port 514 for remote client 12.0-RELEASE-p8



## Bryce Alexander (Nov 12, 2019)

Hopefully this is easy, but I am not seeing straight any more. Sure would appreciate another pair of eyes. I can see that the packets arrive at the server using TCPDump on that server, but get a ICMP UDP port unreachable from the server back to the client. 

```
tcpdump host 10.30.55.44 and 10.30.55.254
20:07:43.057814 IP 10.30.55.254.52193 > 10.30.55.44.syslog: SYSLOG local7.notice, length: 169
20:08:27.594271 IP 10.30.55.254.52193 > 10.30.55.44.syslog: SYSLOG local7.notice, length: 109
20:08:47.054824 IP 10.30.55.44 > 10.30.55.254: ICMP 10.30.55.44 udp port domain unreachable, length 87
```

The log file /var/log/router.log is empty and there is nothing related in /var/log/messages.

I am setting up the syslog SERVER 12.0-RELEASE-p8 on IP addr 10.30.55.44
CLIENT is a Cisco router sending log messages from 10.30.55.254

Server Syslog Config:
/etc/rc.conf

```
ifconfig_re0="inet 10.30.55.44 netmask 255.255.255.0"
defaultrouter="10.30.55.254"
syslogd_enable="YES"
syslogd_flags="-a -d -4 10.30.55.254 -v -v"
```
/etc/syslog.conf

```
# $FreeBSD: releng/12.0/usr.sbin/syslogd/syslog.conf 338146 2018-08-21 17:01:47Z brd $
#
#       Spaces ARE valid field separators in this file. However,
#       other *nix-like systems still insist on using tabs as field
#       separators. If you are sharing this file between systems, you
#       may want to use only tabs as field separators here.
#       Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit                /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
cron.*                                          /var/log/cron
!-devd
*.=debug                                        /var/log/debug.log
*.emerg                                         *
# uncomment this to log all writes to /dev/console to /var/log/console.log
# touch /var/log/console.log and chmod it to mode 600 before it will work
#console.info                                   /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*                                            /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                                            @loghost
# uncomment these if you're running inn
# news.crit                                     /var/log/news/news.crit
# news.err                                      /var/log/news/news.err
# news.notice                                   /var/log/news/news.notice
# Uncomment this if you wish to see messages produced by devd
# !devd
# *.>=notice                                    /var/log/devd.log
!*
include                                         /etc/syslog.d
include                                         /usr/local/etc/syslog.d
+10.33.55.254
*.* /var/log/router.log
```


----------



## SirDice (Nov 12, 2019)

Remove the `-a` option.


```
-a allowed_peer
             Allow allowed_peer to log to this syslogd using UDP datagrams.
             Multiple -a options may be specified.
```
Binding the service to a specific IP requires the `-b` option:

```
-b bind_address[:service]

     -b :service
             Bind to a specific address and/or port.  The address can be
             specified as a hostname, and the port as a service name.  If an
             IPv6 address is specified, it should be enclosed with `[' and
             `]'.  The default service is `syslog'.  This option can be
             specified multiple times to bind to multiple addresses and/or
             ports.
```

You need to review your options, most of them aren't needed or are used incorrectly.


----------



## Bryce Alexander (Nov 16, 2019)

SirDice said:


> Remove the `-a` option.
> 
> 
> ```
> ...



I continue to have the same problem, whether I use the -b option with the specific IP or the fully qualified DNS name with the -a option, after validating that both regular DNS and reverse DNS resolve correctly. I also removed the -4 option and removed the AAAA records in DNS, so this is not an issue of the packets needing to be forced to IPv4 instead of IPv6.

Full /etc/rc.conf with actual domain and IPv6 addrs sanitized for security

```
hostname="NS4.local.mydomain.com"
keymap="us.kbd"
ifconfig_re0="inet 10.30.55.44 netmask 255.255.0.0"
defaultrouter="10.30.55.254"
sshd_enable="YES"
moused_enable="YES"
ntpdate_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
dumpdev="AUTO"
named_enable="YES"
sendmail_enable="YES"
inetd_enable="YES"
apache24_enable="yes"
ftpd_enable="YES"
ipv6_enable="YES"
ifconfig_re0_ipv6="inet6 2001:omitted:44 prefixlen 65"
ipv6_defaultrouter="2001:omitted:254"
ntpd_enable="YES"
syslogd_enable="YES"
syslogd_flags="-a odin.local.multifreq.com -v -v"
```

full /etc/syslog.conf

```
# $FreeBSD: releng/12.0/usr.sbin/syslogd/syslog.conf 338146 2018-08-21 17:01:47Z brd $
#
#       Spaces ARE valid field separators in this file. However,
#       other *nix-like systems still insist on using tabs as field
#       separators. If you are sharing this file between systems, you
#       may want to use only tabs as field separators here.
#       Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit                /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
cron.*                                          /var/log/cron
!-devd
*.=debug                                        /var/log/debug.log
*.emerg                                         *
# uncomment this to log all writes to /dev/console to /var/log/console.log
# touch /var/log/console.log and chmod it to mode 600 before it will work
#console.info                                   /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*                                            /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                                            @loghost
# uncomment these if you're running inn
# news.crit                                     /var/log/news/news.crit
# news.err                                      /var/log/news/news.err
# news.notice                                   /var/log/news/news.notice
# Uncomment this if you wish to see messages produced by devd
# !devd
# *.>=notice                                    /var/log/devd.log
!*
include                                         /etc/syslog.d
include                                         /usr/local/etc/syslog.d
+odin.local.mydomain.com
*.* /var/log/router.log
```


```
root@NS4:/etc # nslookup odin.local.mydomain.com
Server:         10.30.55.3
Address:        10.30.55.3#53

Name:   odin.local.mydomain.com
Address: 10.30.55.254
```


```
root@NS4:/etc # nslookup 10.30.55.254
254.55.30.10.in-addr.arpa       name = odin.local.mydomain.com.
```

Network packet trace running on the logging server (ns4.local.mydomain.com)
Please note that this is captured on the log host, so the packets are received by that host, are properly resolved by name, and arrive on the UDP syslog port (514). This points toward syslog not processing or recording the packets.

```
root@NS4:/etc # tcpdump host 10.30.55.254 and 10.30.55.44
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:44:15.085497 IP odin.local.mydomain.com.65184 > ns4.local.mydomain.com.syslog: SYSLOG local7.notice, length: 89
^C
1 packet captured
93 packets received by filter
0 packets dropped by kernel
root@NS4:/etc #
```

The file /var/log/router.log remains empty despite setting its permissions to 666.

```
root@NS4:/var/log # ls -la router.log
-rw-rw-rw-  1 root  wheel  0 Nov 10 14:38 router.log
root@NS4:/var/log # tail router.log
```


----------



## Bryce Alexander (Nov 16, 2019)

Forgot to mention above: I did resolve the ICMP unreachable issue, but I am still not getting the messages into syslog and the target file, and /var/log/messages only shows promiscuous mode being turned on and off by the tcpdump command.

```
Nov 16 14:43:55 NS4 kernel: re0: promiscuous mode enabled
Nov 16 14:44:37 NS4 kernel: re0: promiscuous mode disabled
```


----------



## Bryce Alexander (Oct 15, 2022)

Update to resolve this issue:
I finally got around to addressing this once more and ended up running syslogd in debug mode (-d) by entering the following in rc.conf:

```
syslogd_enable="YES"
syslogd_flags="-d -a router.mydomain.com -v -v"
```

This revealed that the problem was "Rule 1, bad port". On further examination it turned out that the Cisco router was correctly sending to port 514; however, in the from portion of the IP header it was using an ephemeral port of 30652, which varied. To resolve this I set a :* behind the peer address to allow both the peer and any source port. This solved the problem.

New entry in rc.conf:

```
syslogd_flags="-a router.mydomain.com:* -v -v"
```
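The "bad port" behaviour from the resolution above, as an added model written for this thread (not syslogd's own code): it re-implements the `-a` peer check described in syslogd(8), where a rule without `:service` implies source port 514 and `:*` accepts any source port. The reverse-DNS name of the sender is passed in as a constructed value rather than looked up, and only IPv4 and numeric services are handled.

```python
"""Model of how FreeBSD syslogd filters remote UDP senders listed with -a.

Hypothetical re-implementation written for this thread (not syslogd's own code):
rules are checked in order; a peer is accepted by the first rule whose address or
reverse-DNS name matches AND whose service matches the datagram's SOURCE port.
With no :service the rule implies port 514, so a router sending from an
ephemeral source port is refused with "bad port" until the rule says :*.
"""
import ipaddress
from fnmatch import fnmatchcase

SYSLOG_PORT = 514  # the default service "syslog" when a rule names no :service


def parse_peer(spec):
    """Split an -a argument into (host_part, port); port None means any port.
    Accepts ipaddr[/masklen][:service] and domainname[:service] (IPv4 only here)."""
    host, sep, service = spec.rpartition(":")
    if not sep:
        host, service = spec, ""
    if service == "":
        return host, SYSLOG_PORT
    if service == "*":
        return host, None
    return host, int(service)  # this model only understands numeric services


def peer_allowed(rules, src_ip, src_port, src_name=None):
    """Return (accepted, log) for one datagram; log mimics the syslogd -d messages."""
    log = []
    for n, spec in enumerate(rules, 1):
        host, port = parse_peer(spec)
        try:  # numeric rule: compare the source address against the network
            matched = ipaddress.ip_address(src_ip) in ipaddress.ip_network(host, strict=False)
        except ValueError:  # name rule: compare the sender's reverse-DNS name (glob allowed)
            matched = src_name is not None and fnmatchcase(src_name.lower(), host.lower())
        if not matched:
            log.append(f"rule {n}: address mismatch")
            continue
        if port is not None and port != src_port:
            log.append(f"rule {n}: bad port")
            continue
        log.append(f"rule {n}: accepted")
        return True, log
    return False, log


if __name__ == "__main__":
    # Constructed datagram matching the thread: the router resolves to
    # router.mydomain.com and sends from ephemeral source port 30652.
    for flags in (["router.mydomain.com"], ["router.mydomain.com:*"]):
        ok, log = peer_allowed(flags, "10.30.55.254", 30652, "router.mydomain.com")
        print(f"-a {' -a '.join(flags)} -> {'accepted' if ok else 'rejected'}: {log}")
```

A subnet rule such as `-a 10.30.55.0/24:*` behaves the same way and avoids the dependency on reverse DNS that a name rule carries.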


----------

