-2

The TCPDUMP output from the source server is given below:

```
04:48:03.074010 IP RCVSPRLN002.37915 > 10.61.0.12.syslog: SYSLOG authpriv.info, length: 103
```

This shows that the server RCVSPRLN002 is forwarding the logs to the 10.61.0.12 server, which is fine. I want 37915 to be replaced with "syslog". That is, it should be like RCVSPRLN002.syslog

Saurabh Singla
  • Are you saying that you want the sending port to be 514, or that you want `tcpdump` to consider `37915` to be a syslog port? – MadHatter Sep 01 '15 at 09:30

1 Answer

2

> I want 37915 to be replaced with "syslog".

You almost certainly don't want to do that; it won't achieve anything meaningful.

The TCPDUMP fragment you show is saying that RCVSPRLN002 is using port 37915 to send a packet to 10.61.0.12 port syslog, which is port 514. The `tcpdump` program is using the `/etc/services` file to translate the 514 into syslog.

You could edit `/etc/services` on your monitoring system and add an entry for port 37915, but chances are high that it won't achieve anything meaningful. The rsyslog process on the sending side is just using an ephemeral port. If you restart rsyslog it could easily choose a different one, and then you'd have to add a new entry to `/etc/services`, and so on.

user9517
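The port-to-name translation described in the answer, as an added example that is not part of the original posts: it parses a constructed excerpt in `/etc/services` format, splits each endpoint of the tcpdump line from the question, and shows that only the destination port has a service name while the source port falls in the ephemeral range. The UDP protocol and the 32768-60999 range (the Linux default for `net.ipv4.ip_local_port_range`) are assumptions, and the function names are hypothetical.

```python
import re

# Constructed excerpt in /etc/services format: name port/proto [aliases] # comment
SERVICES_TEXT = """\
ssh             22/tcp                          # SSH Remote Login Protocol
shell           514/tcp         cmd             # no passwords used
syslog          514/udp
"""

# Assumption: Linux default ephemeral range (net.ipv4.ip_local_port_range)
EPHEMERAL_RANGE = (32768, 60999)

# The tcpdump line quoted in the question
SAMPLE = ("04:48:03.074010 IP RCVSPRLN002.37915 > 10.61.0.12.syslog: "
          "SYSLOG authpriv.info, length: 103")


def parse_services(text):
    """Build (port, proto) -> name and (name, proto) -> port lookup tables."""
    by_port, by_name = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comment
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        by_port[(int(port), proto)] = fields[0]
        for name in [fields[0]] + fields[2:]:     # canonical name plus aliases
            by_name[(name, proto)] = int(port)
    return by_port, by_name


def describe_endpoint(endpoint, proto, by_port, by_name):
    """Split 'host.port' on the last dot; the port may be numeric or a name."""
    host, _, port = endpoint.rpartition(".")
    if port.isdigit():
        number, name = int(port), by_port.get((int(port), proto))
    else:
        number, name = by_name.get((port, proto)), port
    ephemeral = (number is not None
                 and EPHEMERAL_RANGE[0] <= number <= EPHEMERAL_RANGE[1])
    return {"host": host, "port": number, "service": name, "ephemeral": ephemeral}


def explain(line, proto="udp"):
    """Return (source, destination) descriptions for one tcpdump IP line."""
    match = re.search(r"IP (\S+) > (\S+): ", line)
    if not match:
        raise ValueError("not a tcpdump IP line")
    by_port, by_name = parse_services(SERVICES_TEXT)
    return tuple(describe_endpoint(e, proto, by_port, by_name)
                 for e in match.groups())
```
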