Syslog connections rejected using Syslog-NG on Solaris

The Problem

After an upgrade from Syslog-NG version 1.6.7 to version 2.0.5, our syslog server began reporting the following error each time an event was received from a remote host:

Syslog connection rejected by tcpd; from='AF_INET(127.0.0.1:XXXXX)'

The syslog server was a Solaris x86 system which had a number of reverse SSH tunnels to several SPARC-based syslog clients. The version of syslog-ng was obtained from sunfreeware.com in binary form on both systems.

The Solution

It turns out that Syslog-NG 2.x introduced support for TCP Wrappers (which tcpd is part of) and thus, the settings in my /etc/hosts.allow and /etc/hosts.deny files were actually preventing syslog-ng from accessing port 514 on the local host. Adding the following entry to hosts.allow seems to have fixed the problem:

syslog-ng: localhost

Of course you will need to refresh/restart the inetd service after you do this (svcadm refresh/restart inetd).
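To see why a restrictive hosts.deny (assumed here to be the common "ALL: ALL") blocks the loopback connection and why the single "syslog-ng: localhost" line in hosts.allow fixes it, here is a small Python model of the TCP Wrappers access decision. It is an added example, not from the original post or from the tcp_wrappers sources, and it covers only a subset of the pattern forms (ALL, LOCAL, leading and trailing dot, EXCEPT); the sample hosts.allow and hosts.deny contents are constructed.

```python
"""Simplified model of the TCP Wrappers (hosts_access) decision: hosts.allow is
consulted first and a match grants access; then hosts.deny, where a match denies;
if neither file matches, access is granted. Subset of patterns only (assumption)."""

# Constructed sample files: the fix from the post plus an EXCEPT example for sshd.
HOSTS_ALLOW = """\
syslog-ng: localhost
sshd: .example.com EXCEPT untrusted.example.com
"""
HOSTS_DENY = "ALL: ALL\n"   # assumed default-deny policy that caused the rejection


def _match_token(pattern, name, ip):
    """Match one client pattern against the client's hostname and address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # hostnames without a dot
        return "." not in name
    if pattern.startswith("."):            # domain suffix, e.g. .example.com
        return name.endswith(pattern)
    if pattern.endswith("."):              # address prefix, e.g. 192.168.1.
        return ip.startswith(pattern)
    return pattern in (name, ip)           # exact hostname or address


def _match_list(spec, test):
    """Evaluate 'a b EXCEPT c d' lists; EXCEPT is right-associative as in tcpd."""
    parts = spec.split()
    if "EXCEPT" in parts:
        i = parts.index("EXCEPT")
        left, right = " ".join(parts[:i]), " ".join(parts[i + 1:])
        return _match_list(left, test) and not _match_list(right, test)
    return any(test(p) for p in parts)


def _file_matches(text, daemon, name, ip):
    """True if any 'daemon_list : client_list [: ...]' line matches this request."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        daemons, clients = [f.strip() for f in line.split(":", 2)[:2]]
        if _match_list(daemons, lambda p: p in ("ALL", daemon)) and \
           _match_list(clients, lambda p: _match_token(p, name, ip)):
            return True
    return False


def hosts_access(daemon, name, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return True when the connection would be accepted by tcpd."""
    if _file_matches(allow, daemon, name, ip):
        return True
    return not _file_matches(deny, daemon, name, ip)
```

Running hosts_access("syslog-ng", "localhost", "127.0.0.1") with an empty allow file reproduces the rejection; with the entry from the post it is accepted, while remote hosts still fall through to the deny rule.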


2 thoughts on “Syslog connections rejected using Syslog-NG on Solaris”

  1. Hello,
    I installed the syslog-ng package on 2 client servers and 1 central server.
    syslog-ng is running on all the servers, but I have a problem receiving logs from the clients at the central server. I'm thinking I need to create a network service and assign a port to syslog-ng.
    If you know how to do this, please send me instructions.
    Thanks
    Jake

  2. Jake,

    There is a little more work you might need to do so that your central syslog server can receive events from your clients. Most forums recommend that you use reverse SSH tunnels to do this securely and this is also what we use.

    On our central syslog server (which is a Solaris system), we create a series of reverse SSH tunnels to each syslog client using entries in the /etc/inittab file as follows:

    lg01:3:respawn:/usr/bin/ssh -nNTx -R 1514:127.0.0.1:514 user@client1.domain.com > /dev/null 2>&1
    lg02:3:respawn:/usr/bin/ssh -nNTx -R 1514:127.0.0.1:514 user@client2.domain.com > /dev/null 2>&1
    lg03:3:respawn:/usr/bin/ssh -nNTx -R 1514:127.0.0.1:514 user@client3.domain.com > /dev/null 2>&1

    Of course, you will need to ensure that you have the appropriate trusts set up between your server and your clients for the above commands to work (e.g. using RSA public key authentication).

    Once your server has created the reverse tunnels to each client, you should then see port 1514 listening at each client and configure your /etc/syslog-ng.conf to look something like this:

    options {
     check_hostname(yes);
     keep_hostname(yes);
     chain_hostnames(no);
     stats_freq(3600);
    };
    
    source inputs {
     internal();
     sun-streams("/dev/log" door("/etc/.syslog_door"));
     udp(ip("loghost"));
     tcp(ip("127.0.0.1"));
    };
    
    destination remote {
     tcp("127.0.0.1" port(1514));
    };
    
    log {
     source(inputs);
     destination(remote);
    };
    

    Best of luck!
