UDP Syslog 514 with authbind fails


(Haider) #1

I configured port 514 with authbind. I do see messages coming in, but for some reason they get rejected. Any insights?

netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.241:12900 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.241:9000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:5432 :::* LISTEN -
tcp6 0 0 :::110 :::* LISTEN -
tcp6 0 0 :::143 :::* LISTEN -
tcp6 0 0 127.0.0.1:9200 :::* LISTEN -
tcp6 0 0 ::1:9200 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 127.0.0.1:9300 :::* LISTEN -
tcp6 0 0 ::1:9300 :::* LISTEN -
udp 0 0 0.0.0.0:514 0.0.0.0:* -
udp 0 0 0.0.0.0:5514 0.0.0.0:* -
udp 0 0 0.0.0.0:2055 0.0.0.0:* -
udp 0 0 0.0.0.0:3514 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
hkj@GrayLog:/etc/authbind/byport$
hkj@GrayLog:/etc/authbind/byport$
hkj@GrayLog:/etc/authbind/byport$
hkj@GrayLog:/etc/authbind/byport$ sudo tcpdump host 192.168.1.247
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens18, link-type EN10MB (Ethernet), capture size 262144 bytes
20:08:07.733621 ARP, Request who-has 192.168.1.247 tell GrayLog.cybridllc.com, length 28
20:08:07.765808 ARP, Reply 192.168.1.247 is-at 00:15:60:eb:2a:40 (oui Unknown), length 46
20:08:08.024208 IP 192.168.1.247.syslog > GrayLog.cybridllc.com.syslog: SYSLOG user.debug, length: 77
20:08:08.024267 IP GrayLog.cybridllc.com > 192.168.1.247: ICMP GrayLog.cybridllc.com udp port syslog unreachable, length 113
20:08:08.024504 IP 192.168.1.247.syslog > GrayLog.cybridllc.com.syslog: SYSLOG user.debug, length: 67
20:08:08.024521 IP GrayLog.cybridllc.com > 192.168.1.247: ICMP GrayLog.cybridllc.com udp port syslog unreachable, length 103
20:08:08.026191 IP 192.168.1.247.syslog > GrayLog.cybridllc.com.syslog: SYSLOG user.debug, length: 77
20:08:08.026213 IP GrayLog.cybridllc.com > 192.168.1.247: ICMP GrayLog.cybridllc.com udp port syslog unreachable, length 113
20:08:08.026666 IP 192.168.1.247.syslog > GrayLog.cybridllc.com.syslog: SYSLOG user.debug, length: 67
20:08:08.761589 IP 192.168.1.247.syslog > GrayLog.cybridllc.com.syslog: SYSLOG user.debug, length: 79
20:08:08.761670 IP GrayLog.cybridllc.com > 192.168.1.247: ICMP GrayLog.cybridllc.com udp port syslog unreachable, length 115


(Jan Doberstein) #2

I do see messages coming in but for some reason they get rejected.

Where did they get rejected? What point did that? Did you get any kind of log messages that give you this information? How do you identify that they are rejected?


(Haider) #3

This tells me they are rejected, meaning no app picked them up at port 514.

udp port syslog unreachable, length 103
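
Added example (not part of any post in this thread): a Python script that pairs each syslog datagram in a tcpdump text capture with the ICMP port-unreachable error it triggered, in the line format shown in post #1. The sample lines are constructed with placeholder hosts, and the 36-byte difference between the two lengths is an assumption read off that capture (77/113, 67/103, 79/115), which holds when the quoted IPv4 header carries no options.

```python
import re

# Constructed sample in the tcpdump format from post #1 (placeholder hosts).
SAMPLE = """\
20:08:08.024208 IP 192.0.2.47.syslog > collector.example.syslog: SYSLOG user.debug, length: 77
20:08:08.024267 IP collector.example > 192.0.2.47: ICMP collector.example udp port syslog unreachable, length 113
20:08:08.024504 IP 192.0.2.47.syslog > collector.example.syslog: SYSLOG user.debug, length: 67
20:08:08.024521 IP collector.example > 192.0.2.47: ICMP collector.example udp port syslog unreachable, length 103
20:08:08.026666 IP 192.0.2.47.syslog > collector.example.syslog: SYSLOG user.debug, length: 67
20:08:08.761589 IP 192.0.2.47.syslog > collector.example.syslog: SYSLOG user.debug, length: 79
20:08:08.761670 IP collector.example > 192.0.2.47: ICMP collector.example udp port syslog unreachable, length 115
"""

SYSLOG_RE = re.compile(r"^(\S+) IP (\S+)\.(\S+) > (\S+)\.(\S+): SYSLOG \S+, length: (\d+)$")
ICMP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP \S+ udp port (\S+) unreachable, length (\d+)$")
# ICMP header (8) + quoted IPv4 header without options (20) + quoted UDP header (8)
QUOTE_OVERHEAD = 36

def correlate(capture: str):
    """Return one dict per syslog datagram, marking those answered by ICMP port unreachable."""
    datagrams = []
    for line in capture.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if m:
            ts, src, _sport, dst, dport, length = m.groups()
            datagrams.append({"ts": ts, "src": src, "dst": dst, "port": dport,
                              "length": int(length), "rejected_at": None})
            continue
        m = ICMP_RE.match(line.strip())
        if not m:
            continue
        ts, icmp_src, icmp_dst, port, length = m.groups()
        for d in datagrams:  # oldest unanswered datagram that fits this error
            if (d["rejected_at"] is None and d["src"] == icmp_dst and d["dst"] == icmp_src
                    and d["port"] == port and d["length"] + QUOTE_OVERHEAD == int(length)):
                d["rejected_at"] = ts
                break
    return datagrams

def summary(capture: str):
    """Count (rejected, unanswered); unanswered is not proof of delivery, ICMP errors can be rate limited."""
    rows = correlate(capture)
    rejected = sum(1 for d in rows if d["rejected_at"])
    return rejected, len(rows) - rejected

if __name__ == "__main__":
    for d in correlate(SAMPLE):
        print(d["ts"], d["length"], d["rejected_at"] or "no ICMP error seen")
    print("rejected, unanswered =", summary(SAMPLE))
```
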

