Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Remote Syslog option not sending logs to specified IP address

Featured Replies

I'm trying to track down a weird issue where VOID hard locks and I'm unable to capture any logs via normal means. I wanted to setup an old Pi I had lying around to act as a syslog server in the hopes of catching some clues as to what is going on.

Problem is from what I can tell UnRAID just isn't sending anything to the pi? UnRAID's config is simple and seems to be setup correctly:

image.png

That is the pi's static IP address.

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

inet 192.168.1.31 netmask 255.255.255.0 broadcast 192.168.1.255

inet6 2601:248:8300:fd7:e49e:8625:9e9c:42b3 prefixlen 64 scopeid 0x0<global>

inet6 2601:248:8300:fd7::1008 prefixlen 128 scopeid 0x0<global>

inet6 fe80::1eee:a574:e626:3bd9 prefixlen 64 scopeid 0x20<link>

ether b8:27:eb:1a:c8:e7 txqueuelen 1000 (Ethernet)

RX packets 154081 bytes 18953278 (18.0 MiB)

RX errors 0 dropped 86109 overruns 0 frame 0

TX packets 7841 bytes 1401897 (1.3 MiB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

I've verified the Pi is listening on UDP 514:

module(load="imudp")

input(type="imudp" port="514")

module(load="imtcp")

input(type="imtcp" port="514")

root@logpi:/home/chris# netstat -an | grep 514

tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN

tcp6 0 0 :::514 :::* LISTEN

udp 0 0 0.0.0.0:514 0.0.0.0:*

udp 0 0 0.0.0.0:514 0.0.0.0:*

udp6 0 0 :::514 :::*

udp6 0 0 :::514 :::*

There is no firewall installed on the Pi. AFAIK raspbian lite doesn't come with a firewall pre-installed.

Running TCPDump shows nothing captured on UDP 514 despite me spamming UnRAID's logger with random little messages.

tcpdump -n udp port 514

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

Rsyslog on the pi is stock config so anything it receives should be hitting the syslog and it's not so I have to assume it isn't getting anything from VOID.

Not really sure what else to check? I manually restart the service each time I change the config on either end.

void-diagnostics-20250710-0925.zip

EDIT: Installed tcpdump on unraid using un-get and I can confirm I see zero traffic on eth0 on UDP port 514.

root@VOID:~# tcpdump -n udp port 514

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

EDIT2: changed my tcpdump parameters to just monitor any traffic going to the Pi's IP. sent a ping to make sure I was actually able to capture traffic:

root@VOID:~# tcpdump -n dst host 192.168.1.31

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes

10:57:33.808992 IP 192.168.1.254 > 192.168.1.31: ICMP echo request, id 13570, seq 1, length 64

10:57:33.809500 ARP, Reply 192.168.1.254 is-at 04:7c:16:6e:e8:e3, length 28

10:57:34.836995 IP 192.168.1.254 > 192.168.1.31: ICMP echo request, id 13570, seq 2, length 64

10:57:35.861095 IP 192.168.1.254 > 192.168.1.31: ICMP echo request, id 13570, seq 3, length 64

10:57:36.885243 IP 192.168.1.254 > 192.168.1.31: ICMP echo request, id 13570, seq 4, length 64

10:57:37.909225 IP 192.168.1.254 > 192.168.1.31: ICMP echo request, id 13570, seq 5, length 64

10:57:38.933214 IP 192.168.1.254 > 192.168.1.31: ICMP echo request, id 13570, seq 6, length 64

10:57:39.317032 ARP, Request who-has 192.168.1.31 tell 192.168.1.254, length 28

10:57:39.957252 IP 192.168.1.254 > 192.168.1.31: ICMP echo request, id 13570, seq 7, length 64

10:57:40.981046 IP 192.168.1.254 > 192.168.1.31: ICMP echo request, id 13570, seq 8, length 64

Edited by weirdcrap

Solved by weirdcrap

  • Author

Bump, any ideas? Seems rather odd that unraid is just sending nothing despite it being configured to log to a remote system.

  • Community Expert

Does it save the log locally to a share if you set the Unraid IP in the Remote syslog server field?

  • Author
9 hours ago, JorgeB said:

Does it save the log locally to a share if you set the Unraid IP in the Remote syslog server field?

Yes that is how I had it setup previously, logging to a flash drive I have mounted via UD.

I was hoping I might be able to catch some additional entries with the remote system as the logs to the flash drive are normal and then just cease when the system locks up. No traces or any errors

EDIT: I think I found my issue. I didn't look far enough down in rsyslog.conf. I apparently made a hardcoded edit for my remote local logging trickery whenever I set it up and forgot about it:

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional

*.* @192.168.1.254:514

$DefaultRuleset local

$DefaultRuleset RSYSLOG_DefaultRuleset

$DefaultRuleset RSYSLOG_DefaultRuleset

$RuleSet remote

$FileOwner nobody

$FileGroup users

$FileCreateMode 0666

$IncludeConfig /etc/rsyslog.d/*.conf # remote

#*.* ?remote

$InputUDPServerBindRuleset remote

$UDPServerRun 514

EDIT2: Ok so this must be part of it but not the whole issue as changing that to my Pi's IP still doesn't get the system logs flowing to the pi. Is there somewhere I can grab an unmodified version of rsyslog.conf and rsyslog.cfg to try to figure out what all I must have changed?

EDIT3: Yeah I don't know what to make of this. There are only 3 rsyslog files in /boot/config/ and even after commenting out everything I can find that I believe I added over the standard config its still just happily logging to the flash drive ignoring changes I make to try to redirect it out. I've attached my rsyslog configuration files for review (there is also an older version in my diagnostics above). Am I going to need to make a new flash to get an unchanged copy of the rsyslog files?

rsyslog.cfg rsyslog.conf rsyslog.local

Edited by weirdcrap

  • Author
  • Solution

Ok, I don't really understand what was different between my file and the unraid defaults but I seem to have fixed it.

I created a new unraid flash and booted it on a spare pc I had. I just toggled on the local syslog server so unraid would generate an rsyslog.conf and rsyslog.cfg for me. I made backup copies of my existing files and emptied them out replacing them entirely with the default files from the new flash. Saved them and rolled the rsyslog service.

Now when I setup remote logging it is actually logging to the Pi as instructed.

  • Author

@JorgeB I know I marked this as solved and it is solved for this server but I have a related question for my other server. I'm using the documented trick to log to the local log server using the remote option in the settings. However I'm wanting to use a mounted Unassigned Device for the destination which I can't pick from the GUI. I'm trying to edit the path I want in and have it changed in both rsyslog.cfg and rsyslog.conf but the changes aren't taking it still logs to whatever directory was last set using the GUI even after restarting the service and rebooting the server.

So my question is, what other files does the webui touch when updating the syslog settings that I'm missing? I've tried editing them in both /boot/ and /etc/ but it just won't take now.

I used to have it working then it broke and I didn't notice.

If it's not as simple as I missed a file somewhere I'll open a new thread with my problem and diagnostics.

Edited by weirdcrap

  • Community Expert
6 hours ago, weirdcrap said:

So my question is, what other files does the webui touch when updating the syslog settings that I'm missing? I've tried editing them in both /boot/ and /etc/ but it just won't take now.

Can't help with that.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.