Hi,
I am trying to get the Syslog Service to listen on a TCP port instead of a UDP port, for the purpose of testing stunnel (as far as I've read, stunnel cannot push to a UDP port). Here are the steps I have taken. I am using SW Orion NPM 9.1 SP2 SLX.
On client Linux machine using syslog-ng -
nano /etc/syslog-ng/syslog-ng.conf
# BB - adding tcp test
destination orion_tcp { tcp("<orion_server_ip>" port(514)); };
log { source(s_all); destination(orion_tcp); };
On Windows Server 2003 machine hosting Orion -
Not sure if this is recommended, but I edited the following file -
C:\Program Files\SolarWinds\Network Performance Monitor V8\SyslogService\SyslogService.exe.config
And made the following change -
<add key="UDPListenPort" value="0" />
<add key="TCPListenPort" value="514" />
And then restarted the SolarWinds Syslog Service, and then verified with the following command
C:\netstat -abn | find "514"
TCP 0.0.0.0:514 0.0.0.0:0 LISTENING 12304
TCP <orion_server_ip>:514 <linux_client_ip>:57446 ESTABLISHED 12304
Here is what the eventlog for SolarWinds.Net says after the restart
Event Type: Information
Event Source: SyslogService
Event Category: None
Event ID: 1001
Date: 1/22/2009
Time: 4:14:46 PM
User: N/A
Computer: ORION
Description:
UDP Listening Disabled
For more information, see Help and Support Center at go.microsoft.com/.../events.asp.
Event Type: Information
Event Source: SyslogService
Event Category: None
Event ID: 1011
Date: 1/22/2009
Time: 4:14:46 PM
User: N/A
Computer: ORION
Description:
Syslog Collector Started on TCP Endpoint 0.0.0.0:514
For more information, see Help and Support Center at go.microsoft.com/.../events.asp.
Event Type: Error
Event Source: SyslogService
Event Category: None
Event ID: 1016
Date: 1/22/2009
Time: 4:14:46 PM
User: N/A
Computer: ORION
Description:
SWSyslogService.ListenForTCPConnection() - TCPServer started-
Server Exception Error: Object reference not set to an instance of an object.
For more information, see Help and Support Center at go.microsoft.com/.../events.asp.
Even so, the service is still listening and syslog-ng indicates that the connection is up and running. Though it is listening, none of the log messages that were passing via UDP are passing via TCP in the Syslog Viewer.
After about 5 minutes the netstat command no longer shows established connections or listening on TCP 514.
When it does this, there is nothing of interest logged to -
C:\Program Files\SolarWinds\Network Performance Monitor V8\SyslogService\SyslogService.log
So, I know this isn't a whole lot of info to go on. If anything, I first want to ask - am I making the correct (and supported) config change to get syslog to listen on a TCP port? If so, where can I look to see why it quits listening and why it is not actually pushing the messages to the database?
Thanks,
Ben Brewer
Sr. Data Network Technician
Advanced Communications Technology
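
Added example, not part of the original post and not SolarWinds code: a small Python listener for checking what a syslog-ng tcp() destination like the one above actually puts on the wire, independent of the Orion collector. It goes beyond the post by accepting both LF-terminated and octet-counted (RFC 6587) framing; the port argument, sample messages and function names are assumptions made for illustration.

```python
import re
import socket
import sys

PRI_RE = re.compile(rb"^<(\d{1,3})>")
COUNT_RE = re.compile(rb"^([1-9]\d{0,5}) ")

def split_frames(buf):
    """Split a TCP stream buffer into (complete messages, leftover bytes)."""
    msgs = []
    while buf:
        m = COUNT_RE.match(buf)
        if m:                                   # octet-counting: "<len> <msg>"
            n, start = int(m.group(1)), m.end()
            if len(buf) - start < n:
                break                           # frame incomplete, wait for more
            msgs.append(buf[start:start + n])
            buf = buf[start + n:]
        else:                                   # LF-terminated message
            line, sep, rest = buf.partition(b"\n")
            if not sep:
                break                           # no terminator received yet
            if line:
                msgs.append(line.rstrip(b"\r"))
            buf = rest
    return msgs, buf

def parse_pri(msg):
    """Return (facility, severity) from the <PRI> header, or None if invalid."""
    m = PRI_RE.match(msg)
    if not m or int(m.group(1)) > 191:
        return None
    return int(m.group(1)) >> 3, int(m.group(1)) & 7

# Constructed sample streams (not captured traffic).
SAMPLE_MSG = b"<13>Jan 22 16:14:46 linuxbox test: hello"
SAMPLE_LF = SAMPLE_MSG + b"\n<86>Jan 22 16:14:47 linuxbox sshd[101]: hi\n<13>Jan 22 par"
SAMPLE_OCTET = str(len(SAMPLE_MSG)).encode() + b" " + SAMPLE_MSG

if __name__ == "__main__":                      # usage: script.py <port>
    with socket.create_server(("0.0.0.0", int(sys.argv[1]))) as srv:
        conn, peer = srv.accept()               # one sender is enough for a test
        pending = b""
        while data := conn.recv(4096):
            msgs, pending = split_frames(pending + data)
            for msg in msgs:
                print(peer[0], parse_pri(msg), msg.decode(errors="replace"))
```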