[syslog-ng] need help debugging some network received logs that aren't writing to files

Balazs Scheidler bazsi77 at gmail.com
Sat Feb 22 12:44:59 CET 2014


Latest syslog-ng versions parse some of the Cisco extensions. Which version
do you run?
On Feb 18, 2014 11:20 PM, "Scot Needy" <scotrn at gmail.com> wrote:

> It wasn't adding the data to the hostname, just adding extra header data
> that broke the RFC format.
>
>
> On Feb 18, 2014, at 5:14 PM, Chris Moody <chris at node-nine.com> wrote:
>
> > Hmm... that's a thought.  The troublesome device is an IOS system.
> > I'll give 'er a gander to see if there are any other options.  I don't
> > recall there being any that controlled the 'hostname' header field though.
> >
> > -Chris
> >
> > On 2/18/14 5:10 PM, Scot Needy wrote:
> >> We had a parsing problem on our ASA where the log contained an extra
> >> date so the Host looked like "Feb".
> >>
> >> There was a syslog option in the ASA not to send the date in the header.
> >>
> >> On Feb 18, 2014, at 4:59 PM, Chris Moody <chris at node-nine.com> wrote:
> >>
> >>> yes - there are tons of spool files being created successfully. As any
> >>> new network device starts logging we see a new log-spool get created
> >>> for its source-ip.
> >>>
> >>> Tons of free disk space - almost a Tb of free room.  Loads of
> >>> processor/mem overhead.  Nothing glaring in syslog-ng's logs (like
> >>> unable to write or whatnot)
> >>>
> >>> Just debugging a host-device that we're not seeing logs accounted for.
> >>>
> >>> -Chris
> >>>
> >>> On 2/18/14 3:51 PM, Austin Jorden wrote:
> >>>> Hi Chris,
> >>>>
> >>>> Are there *any* folders/files being created at all?
> >>>>
> >>>> There's one thing I noticed that isn't specified... which is the
> >>>> "createdirs = Yes" option. It appears (well, I assume) that you're
> >>>> wanting it to create a separate text file for each $HOST, not a
> >>>> separate directory named $HOST...
> >>>>
> >>>> - Austin
> >>>>
> >>>> On 2/18/2014 2:12 PM, Chris Moody wrote:
> >>>>> Hello.
> >>>>>
> >>>>> First off, thanks a __TON__ for syslog-ng.  I've sworn by this
> >>>>> awesome code for years now.  I've built all sorts of logging
> >>>>> infrastructure with it.
> >>>>>
> >>>>> I seem to have hit on something though that's got me scratching my
> >>>>> head and lacking for explanation.  Perhaps I've just been staring at
> >>>>> it and debugging it too long and am missing something obvious.
> >>>>>
> >>>>> I've got an installation with a couple thousand network devices
> >>>>> logging successfully to output spools on our log aggregator.  This is
> >>>>> rockin' and works beautifully.  I've got things configured whereby
> >>>>> each network source logs to its own individual spool file with the
> >>>>> source-ip as the spool name.
> >>>>>
> >>>>> I'm running into a case though where I have a Cisco switch sending
> >>>>> logs to my log aggregator but the log-server isn't writing the output
> >>>>> to the device's spool file.  It is working however for many many more
> >>>>> devices just like this switch.
> >>>>>
> >>>>> I've confirmed via tcpdump that this log traffic does actually hit
> >>>>> the box, but it never gets recorded into the log spool for that
> >>>>> network device.
> >>>>>
> >>>>> Since the host is -super- busy receiving logs from other gear
> >>>>> enterprise-wide, I have to treat it very gingerly, so can't enable
> >>>>> too much debugging...but I'm really confused why the logs wouldn't
> >>>>> show up in the log spool..
> >>>>>
> >>>>> Here's some bits of the config that are relevant:
> >>>>> =====
> >>>>> options {
> >>>>>           keep_hostname(yes);
> >>>>>           use_dns(no);
> >>>>>           use_fqdn(no);
> >>>>>           stats_freq(600);
> >>>>>           stats_level(2);
> >>>>>           # Allow large messages
> >>>>>           log_msg_size(65536);
> >>>>> };
> >>>>>
> >>>>> # =====================
> >>>>> # UDP Packet Source
> >>>>> source s_udp {
> >>>>>           udp();
> >>>>> };
> >>>>>
> >>>>> # =====================
> >>>>> # TCP Packet Source
> >>>>> source s_tcp {
> >>>>>            tcp(ip(aaa.bbb.ccc.ddd) port(514) max-connections(50000));
> >>>>> };
> >>>>>
> >>>>> # =====================
> >>>>> destination net_perhost {
> >>>>>           file("/data/log/per-host/$HOST"
> >>>>>           owner(root)
> >>>>>           group(nwadmin)
> >>>>>           perm(0775)
> >>>>>           );
> >>>>> };
> >>>>>
> >>>>> # =====================
> >>>>> log {
> >>>>>           source(s_tcp);
> >>>>>           source(s_udp);
> >>>>>           destination(net_perhost);
> >>>>> };
> >>>>> =====
> >>>>>
> >>>>> I've checked around for perhaps a different spool name, thinking
> >>>>> perhaps the data was getting recognized as something other than its
> >>>>> source-ip, but haven't seen anything.
> >>>>>
> >>>>> Any thoughts?
> >>>>>
> >>>>> Cheers,
> >>>>> -Chris
> >>>>>
> >>>>> ______________________________________________________________________________
> >>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >>>>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> >>>>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >>>>>
>
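The hypothesis that emerges from the thread is that the switch's messages carry Cisco header extensions (a sequence number, a `*` or `.` in front of the timestamp, milliseconds, a year, a time zone) that the RFC 3164 header parser in that syslog-ng release does not recognise, so $HOST is taken from the wrong token and the message lands in a spool file nobody is watching, rather than being dropped. The following is an added illustration of that mechanism; it is not syslog-ng code and not code posted by anyone in the thread. The three sample messages and the peer address 10.1.2.3 are constructed, and the "naive" parser is a deliberately simplified model of a strict RFC 3164 header parser, not a reproduction of any specific syslog-ng version's parsing logic.

```python
"""
Model of how a per-host syslog spool name is derived from the BSD-syslog
header, and how Cisco header extensions make a strict RFC 3164 parser pick
the wrong token as $HOST.

Added illustration, not syslog-ng source. The "naive" parser is a simplified
model of a strict RFC 3164 parser, not any particular syslog-ng release.
All messages and the peer address 10.1.2.3 are constructed.
"""
import re

SPOOL_DIR = "/data/log/per-host"      # from the thread's file() destination
PEER_IP = "10.1.2.3"                  # constructed sender address (assumption)

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Strict RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss" with a space-padded day.
BSD_TS_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# Cisco-style header in front of the message body.
CISCO_HDR_RE = re.compile(
    r"^(?:\d+: )?"                   # IOS sequence number, e.g. "47: "
    r"[*.]?"                         # IOS clock-not-synced marker
    r"[A-Z][a-z]{2} [ \d]\d "        # month and day
    r"(?:\d{4} )?"                   # ASA-style year
    r"\d\d:\d\d:\d\d(?:\.\d{3})?"    # time, optional milliseconds
    r"(?: [A-Z]{3,4}(?=:))?"         # time zone, only when followed by ':'
    r":? ?"                          # trailing ':' and separator
)
# Characters a hostname token may contain (the same idea as syslog-ng's
# check-hostname() option, which refuses tokens with other characters).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Constructed samples: plain RFC 3164, ASA with a year in the timestamp,
# IOS with a sequence number, '*' marker, milliseconds and time zone.
SAMPLES = [
    "<13>Feb 18 22:12:00 core-rtr1 %SYS-5-CONFIG_I: Configured from console",
    "<166>Feb 18 2014 22:12:00: %ASA-6-302013: Built outbound TCP connection",
    "<189>47: *Feb 18 22:12:00.123 UTC: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
]


def split_pri(raw):
    """Strip the <PRI> field; return (pri, remainder)."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> field")
    return int(m.group(1)), raw[m.end():]


def parse_naive(raw, peer_ip=PEER_IP, keep_hostname=True):
    """Strict BSD-syslog parse: consume a TIMESTAMP if one matches, then treat
    the next space-delimited token as HOSTNAME. When the Cisco header defeats
    the timestamp match, the first token ("Feb", "47:") becomes the hostname
    and therefore the spool file name."""
    pri, rest = split_pri(raw)
    m = BSD_TS_RE.match(rest)
    if m:
        rest = rest[m.end():]
    host, _, msg = rest.partition(" ")
    if not keep_hostname:                 # keep_hostname(no): always peer address
        host, msg = peer_ip, rest
    return {"pri": pri, "host": host, "msg": msg}


def parse_cisco_aware(raw, peer_ip=PEER_IP, keep_hostname=True):
    """Parse that understands the Cisco extensions and only accepts a token
    as HOSTNAME when it looks like one; otherwise fall back to the peer
    address, which is what the thread's configuration relies on."""
    pri, rest = split_pri(raw)
    m = CISCO_HDR_RE.match(rest)
    if m:
        rest = rest[m.end():]
    host, _, msg = rest.partition(" ")
    if not (keep_hostname and HOSTNAME_RE.match(host)):
        host, msg = peer_ip, rest
    return {"pri": pri, "host": host, "msg": msg}


def spool_path(host):
    """file("/data/log/per-host/$HOST") from the destination in the thread."""
    return f"{SPOOL_DIR}/{host}"


def spool_for(raw, parser, **kw):
    """Spool file a message would be written to under the given parser."""
    return spool_path(parser(raw, **kw)["host"])


if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw)
        print("  naive             ->", spool_for(raw, parse_naive))
        print("  cisco-aware       ->", spool_for(raw, parse_cisco_aware))
        print("  keep_hostname(no) ->", spool_for(raw, parse_naive, keep_hostname=False))
```

Two practical checks follow from this. First, list the spool directory for names that are not IPv4 addresses (for instance `ls /data/log/per-host | grep -Ev '^[0-9]+(\.[0-9]+){3}$'`): a mis-parsed header creates a file such as `Feb` or `47:` rather than losing the message, so the "missing" logs are usually sitting under an unexpected name. Second, if the spool key is meant to be the sending address and not anything the device puts in the header, keep_hostname(no) together with use_dns(no), or the $SOURCEIP macro in the file() template, makes the file name independent of header parsing; check_hostname(yes) additionally stops syslog-ng from accepting a token with characters like ':' as the hostname.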