# Testing a remote syslog connection



## Dan Barowy (Jan 4, 2015)

Hi everyone,

I am attempting to write log data to syslog via log4j.  Unfortunately, log4j is only capable of outputting log data to a host listening on UDP 514.

But I am having trouble getting messages sent to localhost:514 to actually appear in my syslog.  Here's my /etc/syslog.conf:


```
*.err;kern.warning;auth.notice;mail.crit     /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err;local0.*   /var/log/messages
security.*           /var/log/security
auth.info;authpriv.info         /var/log/auth.log
mail.info           /var/log/maillog
lpr.info           /var/log/lpd-errs
ftp.info           /var/log/xferlog
cron.*             /var/log/cron
!-devd
*.=debug           /var/log/debug.log
*.emerg             *
!ppp
*.*             /var/log/ppp.log
!*
```

Nothing fancy.  The only real modification is to log all local0 messages to /var/log/messages.

I've also added the following to /etc/rc.conf:


```
syslogd_flags="-a 127.0.0.1 -v -v"
```

And then I restarted syslog with `service syslogd restart`.

Now, if I try to log locally, everything works fine:


```
$ logger -i -s -p local0.info "Test local logging."
$ tail -n 1 /var/log/messages
Jan  4 14:39:49 <local0.info> fnord dbarowy[18940]: Test local logging.
```

But if I try to log via UDP, nothing happens (no new messages).


```
$ logger -i -s -h 127.0.0.1 -p local0.info "Test UDP logging."
$ tail -n 1 /var/log/messages
Jan  4 14:39:49 <local0.info> fnord dbarowy[18940]: Test local logging.
```

syslog _is_ listening locally:


```
$ netstat -anf inet | grep 514
udp4  0  0 *.514  *.*
$ lsof | egrep -i "\*:syslog"
syslogd  18921  root  6u  IPv6 0xfffff80011254230  0t0  UDP *:syslog
syslogd  18921  root  7u  IPv4 0xfffff80011b66000  0t0  UDP *:syslog
```

So I'm stumped.  Any pointers?  Obviously, if I can't even get logger to work, then log4j won't either.


----------



## junovitch@ (Jan 4, 2015)

That's rather strange.  It seems to work without the -a flag restricting what source is used.  I think I would have to look a little closer.  Does removing that flag work for you?


----------



## Dan Barowy (Jan 5, 2015)

Omitting `-a` makes network logging work for me.  Weird.

Just to make sure that `logger` is communicating to syslog via UDP localhost:514, I fired up `tcpdump`:


```
$ sudo tcpdump -n -e -ttt -i lo0
```

and then called the network version of the `logger` command again.  Sure enough, it's being sent to localhost from localhost.


```
00:00:01.805948 AF IPv4 (2), length 63: 127.0.0.1.51426 > 127.0.0.1.514: SYSLOG local0.info, length: 31
```

Bug, maybe?


----------



## junovitch@ (Jan 5, 2015)

No bug; looking closer, this appears to be the correct and documented behavior.  I added the -d flag for debug and restarted.  Here is what I found.

/etc/rc.conf

```
syslogd_flags="-v -v -d -a 127.0.0.1"
```
Result:

```
validate: dgram from IP 127.0.0.1, port 59813, name localhost.;
rejected in rule 0 due to port mismatch.
cvthname(127.0.0.1)
```

One minor change: allow datagrams from any source port.

/etc/rc.conf

```
syslogd_flags="-v -v -d -a 127.0.0.1:*"
```
Result:

```
cvthname(127.0.0.1)
validate: dgram from IP 127.0.0.1, port 45250, name localhost.;
accepted in rule 0.
```

I see now this is mentioned in syslogd(8).


> A service of `*' allows packets being sent from any UDP port.


----------
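The two things the thread turns on, the datagram `logger -h` puts on the wire and the source-port check that `-a 127.0.0.1` applies to it, can both be exercised without a syslogd at hand.  The script below is an added example, not code from the thread or from FreeBSD: `build_message` assembles an RFC 3164-style datagram (`PRI = facility * 8 + severity`, so `local0.info` is `<134>`), `send_udp` sends it the way `logger -h` does (ephemeral source port unless you bind one), and `peer_allowed` is a small model of the documented `-a ipaddr[/masklen][:service]` rule as the debug output above shows it behaving.  The model assumes that an omitted service means the syslog port 514 (that is why port 59813 was "rejected in rule 0 due to port mismatch"), handles IPv4 only, and does not model hostname-form peers; the hostname, tag and message text are constructed sample values taken from the thread.

```python
"""Build and send a test syslog datagram, and model syslogd(8)'s
-a allowed_peer check to see why `-a 127.0.0.1` rejects logger -h.
Added example; the -a model is an assumption based on syslogd(8) and
the debug output in the thread, not syslogd's own code."""
import ipaddress
import socket
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
SYSLOG_PORT = 514


def calc_pri(facility, severity):
    """Priority value carried in the <PRI> prefix, e.g. local0.info -> 134."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, hostname, tag, text, when=None):
    """RFC 3164-style datagram: <PRI>Mmm dd hh:mm:ss host tag: text."""
    when = when or datetime.now()
    # Day of month is space-padded to two characters, as in "Jan  4".
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{calc_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}".encode()


def send_udp(payload, host="127.0.0.1", port=SYSLOG_PORT, source_port=0):
    """Send one datagram. source_port=0 picks an ephemeral port, which is
    what logger -h does; binding 514 (root only) would satisfy a bare
    `-a 127.0.0.1` rule without changing syslogd_flags."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", source_port))
        return sock.sendto(payload, (host, port))


def peer_allowed(peer_ip, peer_port, allowed_peer):
    """Model of one -a ipaddr[/masklen][:service] rule (IPv4, no hostnames).

    Assumption: with no :service the rule only accepts datagrams whose
    source port is 514; ':*' accepts any source port; a number or a
    service name restricts to that port.
    """
    if ":" in allowed_peer:
        net_part, service = allowed_peer.rsplit(":", 1)
    else:
        net_part, service = allowed_peer, None

    if service is None:
        want_port = SYSLOG_PORT
    elif service == "*":
        want_port = None  # any source port
    elif service.isdigit():
        want_port = int(service)
    else:
        want_port = socket.getservbyname(service, "udp")

    # /masklen is optional; strict=False tolerates host bits in the prefix.
    network = ipaddress.ip_network(net_part, strict=False)
    if ipaddress.ip_address(peer_ip) not in network:
        return False
    return want_port is None or peer_port == want_port


if __name__ == "__main__":
    # Constructed sample matching the thread: local0.info from an ephemeral port.
    msg = build_message("local0", "info", "fnord", "dbarowy", "Test UDP logging.")
    print(msg.decode())
    for rule in ("127.0.0.1", "127.0.0.1:*", "127.0.0.1:514"):
        print(f"-a {rule!r:16} port 59813 ->", peer_allowed("127.0.0.1", 59813, rule))
    send_udp(msg)  # lands in /var/log/messages only if syslogd accepts the peer
```

Run it on the box with `syslogd_flags="-a 127.0.0.1 -v -v"` and then with `-a 127.0.0.1:*`: the printed rule evaluation matches what `syslogd -d` reports, and the datagram only reaches `/var/log/messages` in the second case.  The same ephemeral-port behavior applies to log4j's UDP appender, so the `:*` form (or a dedicated `-a` entry for the application host) is what makes that path work too.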

