Why can't I get any syslog server to work [Windows]?

  • Why can't I get any syslog server to work [Windows]?

    I've tried Kiwi, Mikrotik, PRTG, & syslog server. I can't get any of them to receive logs from my sonicwall. If I run netstat -ano | find "514" on the server where the syslog server is running, I can see it's listening on UDP port 514. If I run wireshark on it, I can see UDP packets coming in over port 514. I have everything configured correctly on the sonicwall. Syslog is enabled, and I have several categories enabled for syslog. And yes, the sonicwall is generating logs that fall in the categories I have enabled on the sonicwall.

    No matter which syslog server I use, I never get any data to show up in it. Am I not doing something right? Can someone walk me through this?

    192.168.5.104 is the IP of my syslog server (runs on Server 2008 R2), and 192.168.5.254 is the LAN IP of my sonicwall:


  • #2
    Re: Why can't I get any syslog server to work [Windows]?

    I set up a Linux server and configured sysklogd as a test. It started working instantly, receiving the logs from the sonicwall. I really want to use the Windows system for this function, but still can't get it to work?
    Has anyone got a setup like this working on a Server 2008 R2 system before?



    • #3
      Re: Why can't I get any syslog server to work [Windows]?

      I'm using TNT Enterprise Log Mgr, which receives syslog messages from a collection of Cisco and other network manufacturers, as well as collecting info from servers, domain and non-domain.

      The servers have clients installed, the network devices simply send to the IP of the ELM server. Works a treat. They've got different licensing models depending on what you want, but it's not free.
      *RicklesP*
      MSCA (2003/XP), Security+, CCNA



      • #4
        Re: Why can't I get any syslog server to work [Windows]?

        Originally posted by RicklesP View Post
        I'm using TNT Enterprise Log Mgr, which receives syslog messages from a collection of Cisco and other network manufacturers, as well as collecting info from servers, domain and non-domain.

        The servers have clients installed, the network devices simply send to the IP of the ELM server. Works a treat. They've got different licensing models depending on what you want, but it's not free.
        Well it's good to know that someone else has got it working. As you can see, I've tried several different syslog servers, and none of them will log the incoming data. The syslog data is coming into the server, as you can see in the wireshark screenshot. Just none of the syslog servers pick the data up for some reason.



        • #5
          Re: Why can't I get any syslog server to work [Windows]?

          Here's what I believe is happening based on some testing I just did:

          The Windows Firewall is blocking the incoming syslog traffic.

          The traffic hits Wireshark before it hits the Windows Firewall. That's why the traffic shows up in your Wireshark capture but not in the syslog application.

          I just tested this with my home DNS server. I blocked incoming DNS traffic and started a Wireshark capture. I issued a few DNS queries from a client machine and then I looked at the Wireshark capture and I could see my DNS queries get to the server but the server didn't answer. Then I looked at the Windows Firewall log and sure enough it had dropped the DNS traffic.

          So your inbound syslog traffic is hitting the network stack, being captured by Wireshark and then is being dropped by the Windows firewall. My guess is that you don't have an inbound rule for the syslog traffic in the Windows Firewall.



          • #6
            Re: Why can't I get any syslog server to work [Windows]?

            Originally posted by joeqwerty View Post
            Here's what I believe is happening based on some testing I just did:

            The Windows Firewall is blocking the incoming syslog traffic.

            The traffic hits Wireshark before it hits the Windows Firewall. That's why the traffic shows up in your Wireshark capture but not in the syslog application.

            I just tested this with my home DNS server. I blocked incoming DNS traffic and started a Wireshark capture. I issued a few DNS queries from a client machine and then I looked at the Wireshark capture and I could see my DNS queries get to the server but the server didn't answer. Then I looked at the Windows Firewall log and sure enough it had dropped the DNS traffic.

            So your inbound syslog traffic is hitting the network stack, being captured by Wireshark and then is being dropped by the Windows firewall. My guess is that you don't have an inbound rule for the syslog traffic in the Windows Firewall.
            Windows firewall is disabled. There is no third party firewall either. I've also completely removed the anti-virus software we use, just in case it was causing a conflict.



            • #7
              Re: Why can't I get any syslog server to work [Windows]?

              Add the firewall entry to WFS anyway.



              • #8
                Re: Why can't I get any syslog server to work [Windows]?

                I noticed that the screendump in your first post shows netstat reporting two different PIDs listening to UDP port 515. Which of the two is your syslog server?

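The two competing explanations in this thread (post #5: the datagrams reach the capture driver but are dropped before any socket sees them; post #8: two PIDs are bound to the same UDP port, so the datagrams go to the wrong one) can be separated with a throwaway listener that owns the port exclusively. The script below is an added example written for this page, not code posted in the thread or shipped by any of the syslog products named in it. It assumes RFC 3164-style datagrams ("<PRI>message", which is what a SonicWall sends); the sample message in the test is constructed, not a real capture. If the bind fails, another process already holds UDP/514 (the second PID from netstat); if it binds and prints messages, the host firewall and network path are fine and the fault is in the syslog product's configuration; if it binds and nothing arrives, something between the NIC and the socket is dropping the traffic.

```python
"""Minimal exclusive-bind UDP syslog receiver for isolating where inbound
syslog is lost on a Windows host.

Added example, not code from the thread. Assumes RFC 3164 framing
("<PRI>message"). Only the standard library is used.
"""
import socket
import sys

SYSLOG_PORT = 514  # the port the thread's server is listening on

# Facility (PRI >> 3) and severity (PRI & 7) names from RFC 3164.
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7")
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")


def parse_pri(datagram: bytes) -> dict:
    """Split a syslog datagram into facility, severity and message body.

    A datagram without a valid <PRI> prefix is still returned, tagged with
    the RFC 3164 default PRI 13 (user.notice), so nothing is silently dropped.
    """
    text = datagram.decode("utf-8", errors="replace")
    pri, body = 13, text
    if text.startswith("<"):
        end = text.find(">", 1, 5)  # PRI is one to three digits
        if end != -1 and text[1:end].isdigit():
            candidate = int(text[1:end])
            if candidate <= 191:  # highest legal value: local7.debug
                pri, body = candidate, text[end + 1:]
    return {
        "pri": pri,
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "message": body.strip(),
    }


def bind_exclusive(host: str, port: int) -> socket.socket:
    """Bind a UDP socket that refuses to share its port.

    On Windows a second process can bind an already-bound UDP port when it
    sets SO_REUSEADDR, which is how netstat ends up showing two PIDs on one
    port; the datagrams are then delivered to only one of them. Setting
    SO_EXCLUSIVEADDRUSE (Windows only; absent elsewhere) makes our bind fail
    loudly instead, and a plain bind without SO_REUSEADDR does the same on
    other platforms.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    exclusive = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)
    if exclusive is not None:
        sock.setsockopt(socket.SOL_SOCKET, exclusive, 1)
    try:
        sock.bind((host, port))
    except OSError:
        sock.close()
        raise
    return sock


def receive_one(sock: socket.socket, timeout: float = 5.0):
    """Return (parsed datagram, (ip, port)) or None if nothing arrives."""
    sock.settimeout(timeout)
    try:
        data, peer = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return parse_pri(data), peer


def send_test_datagram(host: str, port: int, payload: bytes) -> None:
    """Fire one datagram at a listener, e.g. from another host on the LAN."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        sender.sendto(payload, (host, port))


if __name__ == "__main__":
    # Stop the real syslog service first, then run this on the syslog host.
    try:
        listener = bind_exclusive("0.0.0.0", SYSLOG_PORT)
    except OSError as exc:
        sys.exit(f"cannot bind UDP/{SYSLOG_PORT}: {exc} (another process owns it?)")
    print(f"listening on UDP/{SYSLOG_PORT}, Ctrl-C to stop")
    while True:
        result = receive_one(listener, timeout=30.0)
        if result is None:
            print("no datagrams in 30 s: traffic is dropped before the socket")
            continue
        parsed, (ip, port) = result
        print(f"{ip}:{port} {parsed['facility']}.{parsed['severity']} {parsed['message']}")
```

On Server 2008 R2 the owner of each listener is found with `netstat -ano | findstr :514` followed by `tasklist /fi "PID eq <pid>"` for each PID shown; stop the extra one before starting the real syslog service. Ports below 1024 need administrator rights on Linux but not on Windows, and WinPcap/Wireshark capture below the host firewall, so "visible in Wireshark" says nothing about whether a socket ever received the datagram.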


                • #9
                  Re: Why can't I get any syslog server to work [Windows]?

                  Originally posted by Ser Olmy View Post
                  I noticed that the screendump in your first post shows netstat reporting two different PIDs listening to UDP port 515. Which of the two is your syslog server?
                  That's a good spot.
