Solved syslogd: exiting on signal 15 and not listening

Code:
Stopping syslogd.
Waiting for PIDS: 960.
Starting syslogd.
Trying peer: /var/run/log
new socket fd is 6
listening on socket
sending on socket
Trying peer: /var/run/logpriv
new socket fd is 7
listening on socket
sending on socket
off & running....
init
loading timezone data via tzset()
cfline("*.err;kern.warning;auth.notice;mail.crit                /dev/console", f, "*", "*", "*")
cfline("*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages", f, "*", "*", "*")
cfline("security.*                                      /var/log/security", f, "*", "*", "*")
cfline("auth.info;authpriv.info                         /var/log/auth.log", f, "*", "*", "*")
cfline("mail.info                                       /var/log/maillog", f, "*", "*", "*")
cfline("cron.*                                          /var/log/cron", f, "*", "*", "*")
cfline("*.=debug                                        /var/log/debug.log", f, "-devd", "*", "*")
cfline("*.emerg                                         *", f, "-devd", "*", "*")
cfline("daemon.info                                     /var/log/daemon.log", f, "-devd", "*", "*")
Trying to include files in '/etc/syslog.d'
reading /etc/syslog.d/ftp.conf
cfline("ftp.info                                        /var/log/xferlog", f, "*", "*", "*")
reading /etc/syslog.d/lpr.conf
cfline("lpr.info                                        /var/log/lpd-errs", f, "*", "*", "*")
reading /etc/syslog.d/ppp.conf
cfline("*.*                                             /var/log/ppp.log", f, "ppp", "*", "*")
reading /etc/syslog.d/ssh.conf
cfline("*.*                                     /var/log/sshd.log", f, "sshd", "*", "*")
Trying to include files in '/usr/local/etc/syslog.d'
4 3 2 3 5 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 X CONSOLE: /dev/console
7 5 2 5 5 5 6 3 5 5 X 5 5 5 5 5 5 5 5 5 5 5 5 5 X FILE: /var/log/messages
X X X X X X X X X X X X X 7 X X X X X X X X X X X FILE: /var/log/security
X X X X 6 X X X X X 6 X X X X X X X X X X X X X X FILE: /var/log/auth.log
X X 6 X X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/maillog
X X X X X X X X X 7 X X X X X X X X X X X X X X X FILE: /var/log/cron
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/debug.log (-devd)
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 X WALL:  (-devd)
X X X 6 X X X X X X X X X X X X X X X X X X X X X FILE: /var/log/daemon.log (-devd)
X X X X X X X X X X X 6 X X X X X X X X X X X X X FILE: /var/log/xferlog
X X X X X X 6 X X X X X X X X X X X X X X X X X X FILE: /var/log/lpd-errs
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/ppp.log (ppp)
7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 X FILE: /var/log/sshd.log (sshd)
logmsg: pri 56, flags 0, from bsd01, msg restart
syslogd: restarted
logmsg: pri 6, flags 0, from bsd01, msg kernel boot file is /boot/kernel/kernel
Logging to FILE /var/log/messages
kernel boot file is /boot/kernel/kernel
logmsg: pri 166, flags 13, from bsd01, msg Jan 18 14:12:06 bsd01 syslogd: exiting on signal 15
 
If you restart the machine, the service starts, but the first time you restart or reload the service, it stops.
 
This is my syslog.conf
Code:
#
#       Spaces ARE valid field separators in this file. However,
#       other *nix-like systems still insist on using tabs as field
#       separators. If you are sharing this file between systems, you
#       may want to use only tabs as field separators here.
#       Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit                /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
cron.*                                          /var/log/cron
!-devd
*.=debug                                        /var/log/debug.log
*.emerg                                         *
daemon.info                                     /var/log/daemon.log
# uncomment this to log all writes to /dev/console to /var/log/console.log
# touch /var/log/console.log and chmod it to mode 600 before it will work
#console.info                                   /var/log/console.log
# uncomment this to enable logging of all log messages to /var/log/all.log
# touch /var/log/all.log and chmod it to mode 600 before it will work
#*.*                                            /var/log/all.log
# uncomment this to enable logging to a remote loghost named loghost
#*.*                                            @loghost
# uncomment these if you're running inn
# news.crit                                     /var/log/news/news.crit
# news.err                                      /var/log/news/news.err
# news.notice                                   /var/log/news/news.notice
# Uncomment this if you wish to see messages produced by devd
# !devd
# *.>=notice                                    /var/log/devd.log
!*
include                                         /etc/syslog.d
include                                         /usr/local/etc/syslog.d
The problem appears to be the message file not updating.
 
ps -aux | grep syslog
root 677 0.0 0.1 12864 2932 - Ss 16:30 0:00.02 /usr/sbin/syslogd -ss -C -f /etc/syslog.conf
root 4219 0.0 0.1 12796 2520 0 S+ 16:46 0:00.01 grep --color=auto syslog
 
File is managed by syslogd(8); if that's not running, then /var/log/messages won't show anything.

What does ps -aux | grep syslog show?

Nothing is written in the message file, but the updates arrive in the ssh.log file, even if the lines actually written are much fewer than usual.
 
Now it's restarted, but if I restart the service it still appears:

Jan 18 18:52:14 bsd01 syslogd: exiting on signal 15
Jan 18 18:52:14 bsd01 syslogd: restart
Jan 18 18:52:14 bsd01 syslogd: kernel boot file is /boot/kernel/kernel
Jan 18 18:52:14 bsd01 kernel: Jan 18 18:52:14 bsd01 syslogd: exiting on signal 15
 
Now I'm trying to receive logs from a host, so I set the flags:

syslogd_flags="-4 -a %ip host% -b %ip server% -C"

but it seems that the service is not listening

udp4 0 0 192.168.16.46.syslog *.*
 
I tried disabling syslogd_flags and the custom configuration in /etc/syslog.d, but when I restart the service:

Jan 25 05:17:13 <syslog.err> bsd01 syslogd: exiting on signal 15

However, it records logs locally but does not listen correctly to remote machines

udp4 0 0 192.168.16.46.syslog *.*

ps aux | grep syslog
root 4710 0.0 0.1 12864 3008 - Is 05:31 0:00.03 /usr/sbin/syslogd -4 -a 192.168.16.0/24 -b 192.168.16.46 -C -vv
 
If I start the service with flags -ss:

logmsg: pri 166, flags 13, from bsd01, msg Jan 25 06:48:24 <syslog.err> bsd01 syslogd: exiting on signal 2
 
As a test, I created a new virtual machine without configuring anything. If I restart syslogd, the error is the same. Using netstat -a, the service is not in LISTENING.
 
I created a .conf file in /etc/syslog.d:

+192.168..x.x
*.* /var/log/....log

The client sends the log, but nothing appears in the log file, in the all.log file, or in the message file.
 
Yes

2024-01-25T14:58:22.176Z Archivio qulogd: 465 - [QuLog@Event mac="XX:XX:XX:XX:XX" ip="127.0.0.1" user="admin" source="Archivio" computer="" application="" application_id="" category="" category_id="" message_id="" extra_data="" client_id="" client_app="" client_agent=""] [Test Message] This is a test log sent from QuLog Center.

I tried the filter:

:source,contains,"Archivio"

Not found
 
I forgot syslogd_flags option -a subnet:* allows all sisters udp port

Anyway, the error when I started or restarted the service remains.

Restart service exiting with error code 15

Stop the service & start service error code 2

The steps to enable a remote host have been:

1.
sysrc syslogd_enable=YES

2.
sysrc syslogd_flags=" -4 -a %your subnet%:* -b %server bind address% -C -vv"

I created a custom file in /etc/syslog.d/%your name%.conf

The filter is

C-like:
:property,    operator, "value"

Therefore in my case

C-like:
:hostname, contains, "%hostname client%"
*.*                                            /var/log/%your file name%.log

On the client, in my case a QNAP, set the server address, port 514, protocol UDP and format rfc5424.

Reference Page
Man Syslog.conf
Man Syslogd
 
Finally, I noticed that the messages I received were not complete. This was because I had to specify the -O rfc5424 option in the flags.
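
Added example, not from the thread and not syslogd's own code: a small Python model of how the HOSTNAME field of an RFC 5424 datagram meets a `:property, operator, "value"` filter, for checking a filter against what the client actually sends before touching /etc/syslog.d. The function names, the constructed sample datagram, the reduced operator set and the `source` alias for `hostname` (taken here as an assumption from syslog.conf(5)) are not from the posts.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID rest
HEADER = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)
# Filter line shape shown in the post: :property, operator, "value"
FILTER = re.compile(r'^:\s*(\w+)\s*,\s*(!?)\s*(\w+)\s*,\s*"(.*)"\s*$')

OPS = {
    "contains": lambda field, value: value in field,
    "isequal": lambda field, value: field == value,
    "startswith": lambda field, value: field.startswith(value),
}
ALIASES = {"source": "hostname"}  # assumption: alias per syslog.conf(5)
PROPERTIES = ("msg", "hostname", "programname")

def parse_rfc5424(datagram):
    """Split one RFC 5424 datagram into the fields a property filter tests."""
    m = HEADER.match(datagram)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri, _version, timestamp, host, app, procid, _msgid, rest = m.groups()
    pri = int(pri)
    if pri > 191:  # facility 23 * 8 + severity 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": timestamp,
            "hostname": host, "programname": app, "procid": procid,
            "msg": rest}  # simplification: structured data is left in msg

def filter_matches(filter_line, fields):
    """Evaluate one property filter line against parsed fields."""
    m = FILTER.match(filter_line.strip())
    if m is None:
        raise ValueError("malformed property filter: %r" % filter_line)
    prop, negate, op, value = m.groups()
    prop = ALIASES.get(prop, prop)
    if prop not in PROPERTIES or op not in OPS:
        raise ValueError("unsupported property or operator in this model")
    return OPS[op](fields[prop], value) != bool(negate)

# Constructed datagram modelled on the QuLog test message in the thread.
SAMPLE = ('<14>1 2024-01-25T14:58:22.176Z Archivio qulogd 465 - '
          '[QuLog@Event ip="127.0.0.1" user="admin" source="Archivio"] '
          '[Test Message] This is a test log sent from QuLog Center.')

if __name__ == "__main__":
    fields = parse_rfc5424(SAMPLE)
    for line in (':hostname, contains, "Archivio"', ':source,contains,"Archivio"',
                 ':hostname, isequal, "bsd01"'):
        print(line, "->", filter_matches(line, fields))
```

The filter tests the HOSTNAME header field, not the `source="..."` parameter inside the structured data, so a client that sends a different hostname in the header will not match even when the structured data names it.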
 