Hello Doc,
First of all, check your firewall rules and verify that a logging rule is
present.

UDP port 514 is usually used by syslogd. Is any other system on your
network configured to send data to this server?

Have you tried to sniff and see what's going on?

Bye,
William



On 12/16/2009 03:50 PM, PECKENPAUGH, DEREK R wrote:
> We're seeing a lot of bytes NOT written to syslog.  We see traffic on the 
> firewall, but /var/log/messages is pretty quiet.  A netstat shows a large 
> amount of bytes in a receive queue for port 514:
> 
> [root@<xxxxxxxxxxxx>]# netstat -anu
> 
> Active Internet connections (servers and established)
> 
> Proto Recv-Q Send-Q Local Address               Foreign Address             
> State
> 
> udp   106488      0 0.0.0.0:514                 0.0.0.0:*
> udp        0      0 0.0.0.0:55692               0.0.0.0:*
> udp        0      0 0.0.0.0:821                 0.0.0.0:*
> udp        0      0 0.0.0.0:824                 0.0.0.0:*
> udp        0      0 0.0.0.0:5353                0.0.0.0:*
> udp        0      0 0.0.0.0:111                 0.0.0.0:*
> udp        0      0 0.0.0.0:631                 0.0.0.0:*
> udp        0      0 127.0.0.1:123               0.0.0.0:*
> udp        0      0 0.0.0.0:123                 0.0.0.0:*
> udp        0      0 :::47893                    :::*
> udp        0      0 :::5353                     :::*
> udp        0      0                   :123     :::*
> udp        0      0 ::1:123                     :::*
> udp        0      0 :::123                      :::*
> 
> Is there a way to determine why these bytes are not writing to 
> /var/log/messages -- or to clear this queue to see if writes do begin to 
> occur - short of reinstalling Ossec??
> 
> Thanks,
> Doc
> 
> 
> 
> This e-mail contains Omaha Public Power District's confidential and 
> proprietary information and is for use only by the intended recipient.  
> Unless explicitly stated otherwise, this e-mail is not a contract offer, 
> amendment, nor acceptance.  If you are not the intended recipient you are 
> notified that disclosing, copying, distributing or taking any action in 
> reliance on the contents of this information is strictly prohibited.
> 


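Following up on William's diagnostic steps (firewall logging rule, who is sending, sniff the wire), here is an added shell helper that is not part of the thread and not OSSEC code. It parses `netstat -anu` output, the same listing Doc posted, and reports every UDP socket whose Recv-Q is non-zero, i.e. datagrams the kernel has accepted but no daemon has read. The sample listing embedded below is constructed, modelled on the one in the thread; `THRESHOLD`, `backlogged_udp_ports` and `live_check` are names chosen for this example.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not from the original thread).
# Reads `netstat -anu` output and prints "port recvq" for every UDP socket
# whose receive queue holds more than THRESHOLD bytes. A growing Recv-Q on
# 0.0.0.0:514 means packets reach the kernel socket but nothing drains it:
# the listener is stuck, not running, or is a different process than you think.

THRESHOLD=${THRESHOLD:-0}

# Constructed sample, modelled on the netstat listing posted in the thread.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
udp   106488      0 0.0.0.0:514                 0.0.0.0:*
udp        0      0 0.0.0.0:55692               0.0.0.0:*
udp        0      0 0.0.0.0:123                 0.0.0.0:*
udp        0      0 :::5353                     :::*'

# backlogged_udp_ports: netstat -anu lines on stdin -> "port recvq" per
# backlogged UDP socket. Field 2 is Recv-Q, field 4 is the local address;
# the port is whatever follows the last ':' (works for 0.0.0.0:514 and :::514).
backlogged_udp_ports() {
    awk -v thr="$THRESHOLD" '
        $1 ~ /^udp/ && ($2 + 0) > thr {
            n = split($4, a, ":")
            print a[n], $2
        }'
}

# live_check: run on the real host; prints nothing when no UDP socket is backlogged.
live_check() {
    netstat -anu | backlogged_udp_ports
}

# Usage: `sh thisfile.sh demo` reports on the sample and lists the follow-up
# commands for port 514 that map to William's three suggestions.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_NETSTAT" | backlogged_udp_ports
    cat <<'EOF'
Next steps on the live host (run as root):
  iptables -S | grep -- '--dport 514'        # is there an ACCEPT and a LOG rule?
  netstat -anup | grep ':514 '              # which PID actually owns the socket?
  tcpdump -ni any -c 20 udp port 514        # is syslog traffic really arriving, and from whom?
EOF
fi
```

The threshold defaults to zero because a healthy syslog listener reads the socket faster than the network fills it; anything persistently above zero on 514 is worth the `netstat -anup` check, since a queue that grows while `/var/log/messages` stays quiet points at the process holding the socket rather than at the firewall.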