10-20-2005 08:28 AM - edited 03-03-2019 10:46 AM
Does anyone know if it is possible to change the udp port that is used to send logging information to a syslog server?
I am running Kiwi syslog server on a Win2003 server and apparently udp port 514 (syslog port) is already in use. I can't find out what service is using the port so thought it might be easier to use another udp port.
10-20-2005 08:37 AM
Does the Kiwi syslog server run as a service or a console app?
I ran into a similar issue with a console app FTP server. I connected via Terminal Services and tried launching the FTP server and got an error that something was already running on that port. It turns out the console was logged in and the FTP server was running there.
I personally would try to find out what is using that port on the server rather than working around it.
10-20-2005 03:14 PM
To find out what is using that UDP port, run the netstat.exe command with the following options from a Windows command (cmd) prompt:
netstat -ab
netstat -abn
The -a displays all connections and listening ports.
The -b displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
The -n displays addresses and port numbers in numerical form.
Netstat -? will show you all the options.
If the executable associated with the syslog port (514) is "syslogd_service.exe" then Kiwi Syslog Server is already installed and running as a service. You may be trying to load a second syslog process, which is why it's telling you the port is already taken. (I saw something like this when I first started using Kiwi.)
Use the Kiwi Logfile Viewer and point it at C:\Program Files\Syslogd\Logs\SyslogCatchAll.txt to see what messages you have been collecting...
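The netstat -abn layout described in the post above (executable in [] below its socket row, any hosted components in between) can be read mechanically. The following is an added example, not part of the original post: the sample output is constructed, and the function name owners is hypothetical.

```python
import re

# Constructed sample of `netstat -abn` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  UDP    0.0.0.0:161            *:*
 Can not obtain ownership information
  UDP    0.0.0.0:514            *:*
 [syslogd_service.exe]
  UDP    [::]:514               *:*
 [syslogd_service.exe]
"""

ENTRY = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s")  # a socket row
EXE = re.compile(r"^\s*\[(.+)\]\s*$")                 # the [executable] line

def owners(netstat_text, proto, port):
    """Return one dict (addr, exe, components) per socket bound to proto/port."""
    results, current = [], None
    for line in netstat_text.splitlines():
        m = ENTRY.match(line)
        if m:
            # A new socket row ends whatever entry was being collected.
            current = None
            if m.group(1) == proto and int(m.group(3)) == port:
                current = {"addr": m.group(2), "exe": None, "components": []}
                results.append(current)
            continue
        if current is None or not line.strip():
            continue
        e = EXE.match(line)
        if e:
            current["exe"] = e.group(1)   # bracketed name closes the entry
            current = None
        elif "ownership information" in line:
            current = None                # netstat lacked permission; exe stays None
        else:
            current["components"].append(line.strip())  # hosted component name
    return results

if __name__ == "__main__":
    for sock in owners(SAMPLE, "UDP", 514):
        print(sock["addr"], "->", sock["exe"] or "unknown (run elevated)")
```

An entry whose exe is None means netstat could not read the owner, which is the insufficient-permissions case the post mentions.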
02-09-2007 10:42 AM
I have seen port 514 in use on a Windows server which conflicted with Kiwi Syslog. The conflicting application was a network monitoring suite.
I've changed the port that a router uses to send syslog messages with this command:
logging host 10.0.0.1 transport udp port 5000
This will send syslog messages from the router to the syslog server on 10.0.0.1 using UDP port 5000.
But, I have a 4506 switch running 12.2(25)EWA6, but don't see how to change which port it uses. If I type logging host 10.0.0.1 ? to see what options there are, I only see vrf and xml as parameters to set, and nothing to change the port. Does anyone know how to change the port a switch uses for syslog messages?
Thanks,
Kevin
02-09-2007 12:46 PM
Kevin,
That's a good question. I was wondering the same thing just last week.
My guess is, we'll have to wait for it to appear in a future switch IOS release. A major one.
I looked at a selection of my switches (3550, 4006, 6509). All were running 12.2(something). I saw either both "xml" and "vrf" keywords as you did; or neither one. No option to specify protocol and port number yet.
The on-line Command Lookup Tool for Cisco IOS shows "logging host" as having protocol and port number options. But it references 12.4 documentation.
The Command History for "logging host" in the 12.4 documentation shows when "xml" and "vrf" became available -- 12.2(15)T and 12.2(25)S, respectively -- but makes no mention of when "udp" or "port " were added.
The 12.3 and 12.2 documentation also show no mention of "udp" or "port " options.
So, it looks like we're going to have to wait until 12.4. Unless Cisco comes up with a special edition of 12.2 or 12.3 to permit this flexibility.
-Larry
02-09-2007 11:45 AM
ok