Syslog-ng does not start on Solaris 9

I have been installing syslog-ng on our Solaris 9 servers. All of them are working except two which return the following error:

    # /etc/init.d/syslog start
    syslog-ng service starting.
    Error binding socket; addr='AF_INET(0.0.0.0:514)', error='Address already in use (125)'
    Error initializing source driver; source='inputs'
    #

Any ideas what I'm missing here?

I think it's because you have in.rshd enabled in /etc/inetd.conf.
Try to comment out the following 2 lines, and kill -HUP the inetd process:

    shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
    shell   stream  tcp6    nowait  root    /usr/sbin/in.rshd       in.rshd

I'd have thought it was because the old version of syslog is still running - port 514 (0.0.0.0:514) is listed as the syslog port in /etc/services...

Use ps -ef | grep syslog to make sure it's not already running something on that port.

If not and you still get the error, check netstat -an | grep 514 to see if anything else is holding the port open.
If it does and you have lsof, then use lsof -i :514 to find the culprit

That was it! The rshd processes were supposed to have been disabled during hardening, but I guess a couple slipped through the cracks.

Thanks to both of you for the great responses!
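
The check behind this thread, as an added example that is not part of the original posts: it joins an inetd.conf against a services file to list entries that are still enabled on a given port, which is how an in.rshd left on 514/tcp would show up in a hardening audit. The `port_owners` function, the constructed sample files and the choice to treat tcp6 as tcp are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): find inetd.conf entries that are still
# enabled on a given port, by joining service names against a services file.

# port_owners SERVICES INETD_CONF PORT PROTO
# Prints "name proto program" for each enabled inetd entry on PORT/PROTO.
port_owners() {
    awk -v want="$3/$4" '
        FNR == NR {                      # first file: services database
            sub(/#.*/, "")               # strip trailing comments
            if (NF >= 2 && $2 == want)   # remember the name and any aliases
                for (i = 1; i <= NF; i++) if (i != 2) names[$i] = 1
            next
        }
        /^[ \t]*#/ || NF < 6 { next }    # commented out = disabled entry
        {
            proto = $3
            sub(/6$/, "", proto)         # assumption: tcp6/udp6 count as tcp/udp
            split(want, w, "/")
            if (($1 in names) && proto == w[2]) print $1, $3, $6
        }
    ' "$1" "$2"
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/services" <<'EOF'
shell           514/tcp         cmd             # no passwords used
syslog          514/udp
login           513/tcp
EOF
cat > "$tmp/inetd.conf" <<'EOF'
# constructed inetd.conf excerpt
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
shell   stream  tcp6    nowait  root    /usr/sbin/in.rshd       in.rshd
#login  stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
EOF

echo "Enabled inetd entries on 514/tcp:"
port_owners "$tmp/services" "$tmp/inetd.conf" 514 tcp
```

On a real host the two files would be /etc/services and /etc/inetd.conf; empty output for a port means inetd is not configured to hold it.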

Glad to be of help.. Maybe you can help me now.
I posted a question and have had no responses regarding the syslog-ng.conf file. Have a look here and comment if you can.

Thanks

It is possible to change the listening port of syslog-ng from the syslog-ng.conf file.
You can add the following line to the conf file:

    source remote_src { tcp(ip(yr.ip.add.ress) port(1099) ); };

Then, syslog-ng will listen on tcp port 1099.

Thanks

Or instead of using tcp port 514, you could use udp port 514