EFW Support

Support => General Support => Topic started by: suk on Tuesday 25 November 2008, 10:10:29 pm



Title: remote syslog problem
Post by: suk on Tuesday 25 November 2008, 10:10:29 pm
I have a Windows box configured as a syslogger on 10.0.0.10 port 514 which I know to be working correctly.

I have an Endian fw box (virtualized on VMware Workstation with 2 network interfaces - green [10.0.0.1] and red [192.168.0.1]). On Endian I have set the syslog settings to Remote with the IP address of the syslogger 10.0.0.10.

I am not receiving any syslog messages from the Endian box... I can ping the syslogger from the Endian box no problem... I have only one firewall rule which is allow any to any.

Any ideas anyone?

regards

Suk


Title: Re: remote syslog problem
Post by: dimabar on Tuesday 20 January 2009, 09:20:17 pm
Some troubles in my EF install.... Please help!


Title: Re: remote syslog problem
Post by: lightenup on Monday 24 August 2009, 09:37:06 am
You can add this to the end of /etc/syslog/syslog.conf (obviously you would replace 172.16.1.1 with the IP of your syslog server):


#remote logging
destination d_loghost {udp("172.16.1.1" port(514));};
log { source(s_sys); destination(d_loghost); };


Once that is done restart syslog:

/etc/init.d/syslog-ng restart


That should do it. It looks like there is some problem with the web gui or the template file that generates the syslog.conf file. Keep in mind that if you make any changes to the syslog settings in the GUI this setting will likely be removed.

Lightenup


Title: Re: remote syslog problem
Post by: lightenup on Monday 31 August 2009, 03:42:52 am
I was poking around this morning and I found a better way to add the syslog entry in a way that it will not get overwritten. Create a file in /etc/syslog/syslog.d, name it remote_syslog.tmpl and put the following contents in it:



#remote logging
destination d_loghost {udp("192.168.1.1" port(514));};
log { source(s_sys); destination(d_loghost); };



Now go to the web ui logs > settings and hit save. The tmpl config you created should now be included as part of the /etc/syslog/syslog.conf file; this will not get removed even after changing settings or reboots. Note, be sure to put some return characters before and after the remote logging entries (above), otherwise the lines might get wrapped in the final syslog.conf. Hope this helps.
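
A check to run after the merge described above, added here as an example and not part of any post in this thread: it confirms that the generated config still holds an active d_loghost destination and a log statement that uses it. The function name and exit codes are assumptions of this example, and a destination stranded on a comment line is the one merge fault it looks for.

```shell
#!/bin/sh
# Added example (not from the thread): check that a merged syslog-ng config
# still has an active remote destination and a log statement that uses it.
# Exit codes: 0 ok, 1 not defined, 2 unreadable, 3 only inside a comment,
# 4 defined but never used in a log statement.
check_remote_syslog() {
    conf="$1"
    dest="${2:-d_loghost}"   # destination name used in the posts above

    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    # Strip comments the simple way: everything after '#' on a line.
    # (Good enough here; it would also cut a '#' inside a quoted string.)
    active=$(sed 's/#.*$//' "$conf")

    if ! printf '%s\n' "$active" |
         grep -Eq "destination[[:space:]]+${dest}[[:space:]]*\{"; then
        if grep -Eq "#.*destination[[:space:]]+${dest}[[:space:]]*\{" "$conf"; then
            echo "destination ${dest} sits on a comment line, so it is inactive"
            return 3
        fi
        echo "destination ${dest} is not defined in $conf"
        return 1
    fi

    if ! printf '%s\n' "$active" |
         grep -Eq "destination\([[:space:]]*${dest}[[:space:]]*\)"; then
        echo "destination ${dest} is defined but no log statement uses it"
        return 4
    fi

    printf '%s\n' "$active" | grep -E "destination[[:space:]]+${dest}[[:space:]]*\{"
    echo "ok: ${dest} is defined and referenced"
    return 0
}

# Constructed sample: the fragment from the post, merged cleanly.
sample=$(mktemp)
printf '%s\n' '' '#remote logging' \
    'destination d_loghost {udp("192.168.1.1" port(514));};' \
    'log { source(s_sys); destination(d_loghost); };' '' > "$sample"
check_remote_syslog "$sample"
rm -f "$sample"
```

On the firewall, call it as check_remote_syslog /etc/syslog/syslog.conf once the web UI has regenerated the file.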


Title: Re: remote syslog problem
Post by: amtz83 on Friday 24 May 2013, 08:46:56 am
Hi there, I did this procedure on my EF but it does not send anything to Splunk.


What can I do ????


Can someone help me ?????