<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Forwarding to a Loglogic device</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=141275115-28092006><FONT face=Arial
color=#0000ff size=2>I found the problem - typo in
config...sheesh</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=141275115-28092006></SPAN> </DIV><BR>
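<P><FONT face=Arial size=2>Added example, not code from this thread or from syslog-ng: a small Python model of the pipeline in the configuration quoted below (source, filter f_loglogic, the template, and a tcp() destination), run over constructed datagrams and a loopback TCP listener. The facility and severity tables, the Collector class, the FIXED_TIME value and the SAMPLE datagrams are assumptions made for the illustration; the handling of $MSG and $R_DATE is approximated, as the comments state.</FONT></P>

```python
"""Added illustration (not syslog-ng code): a model of the quoted config's pipeline,
source -> filter f_loglogic -> template -> tcp() destination, checkable offline."""
import re
import socket
import threading
from datetime import datetime

# RFC 3164 coding: PRI = facility * 8 + severity.  Names follow common syslog usage.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
                  "solaris-cron"] + ["local%d" % i for i in range(8)]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# filter f_loglogic as posted: level(debug..emerg) spans every severity; the facility
# list names local0-local4, local6 and local7, so local5 datagrams are dropped before
# any TCP write (whether that is intended is not stated in the thread).
FILTER_FACILITIES = {"local0", "local1", "local2", "local3", "local4", "local6", "local7"}
FILTER_SEVERITIES = set(SEVERITY_NAMES)

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
FIXED_TIME = datetime(2006, 9, 28, 10, 17, 33)   # constructed receive time for the demo


def parse_pri(datagram):
    """Return (facility, severity, pri, rest) or None when the PRI field is malformed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        return None
    return FACILITY_NAMES[pri >> 3], SEVERITY_NAMES[pri & 7], pri, m.group(2).rstrip("\r\n")


def passes_filter(datagram):
    """Apply f_loglogic: drop malformed PRI, unlisted facility, or unlisted severity."""
    parsed = parse_pri(datagram)
    if parsed is None:
        return False
    facility, severity, _, _ = parsed
    return facility in FILTER_FACILITIES and severity in FILTER_SEVERITIES


def render(datagram, source_ip, received_at):
    """Approximate template("<$PRI> $R_DATE $SOURCEIP $MSG\\n"): $R_DATE is the receive
    time in BSD syslog form; $MSG is taken as everything after PRI (syslog-ng itself
    would strip a parsed timestamp/host header from $MSG)."""
    _, _, pri, rest = parse_pri(datagram)
    r_date = "%s %2d %s" % (received_at.strftime("%b"), received_at.day,
                            received_at.strftime("%H:%M:%S"))
    return "<%d> %s %s %s\n" % (pri, r_date, source_ip, rest)


def forward(datagrams, send, received_at):
    """Run (source_ip, datagram) pairs through filter and template, hand each surviving
    line to send(), and return the forwarded lines (empty list == nothing on the wire)."""
    sent = []
    for source_ip, datagram in datagrams:
        if not passes_filter(datagram):
            continue
        line = render(datagram, source_ip, received_at)
        send(line)
        sent.append(line)
    return sent


class Collector:
    """Stand-in for the receiving appliance: a loopback TCP listener that keeps every
    newline-terminated line one connection sends it."""
    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.lines = []
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        buf = b""
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        self.sock.close()
        self.lines = buf.decode().splitlines(keepends=True)

    def received(self):
        self.thread.join(timeout=5)
        return self.lines


# Constructed datagrams (not taken from the thread's capture).
SAMPLE = [
    ("10.26.31.2", "<189>47: %SYS-5-CONFIG_I: Configured from console by vty0"),  # local7.notice
    ("10.26.31.2", "<173>48: %SYS-5-CONFIG_I: Configured from console by vty0"),  # local5.notice
    ("10.26.31.2", "<135>Sep 28 10:17:33 rtr1 app: debug text"),                   # local0.debug
    ("10.26.31.3", "garbage with no PRI field"),                                   # malformed
]


def demo():
    """End to end over loopback: forward SAMPLE into a Collector, return (sent, received)."""
    sink = Collector()
    with socket.create_connection(("127.0.0.1", sink.port), timeout=5) as conn:
        sent = forward(SAMPLE, lambda line: conn.sendall(line.encode()), FIXED_TIME)
    return sent, sink.received()


if __name__ == "__main__":
    sent, got = demo()
    for line in got:
        print(line, end="")
    print("%d of %d datagrams forwarded" % (len(sent), len(SAMPLE)))
```

<P><FONT face=Arial size=2>Running it prints the two lines that survive the filter. The local5 datagram and the malformed one are dropped before any TCP write, which is the kind of silent drop that a capture on the destination side cannot tell apart from a connectivity problem; comparing what forward() returns with what the listener received is the check that separates the two.</FONT></P>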
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> syslog-ng-bounces@lists.balabit.hu
[mailto:syslog-ng-bounces@lists.balabit.hu] <B>On Behalf Of </B>Dukes
Clayton<BR><B>Sent:</B> Thursday, September 28, 2006 10:29 AM<BR><B>To:</B>
Syslog-ng users' and developers' mailing list<BR><B>Subject:</B> [syslog-ng]
Forwarding to a Loglogic device<BR></FONT><BR></DIV>
<DIV></DIV><BR>
<P><FONT face=Arial size=2>Argh…</FONT> </P>
<P><FONT face=Arial size=2>Can someone tell me why a sniffer shows no traffic
passing to the destination when using this config?</FONT> <BR><FONT face=Arial
size=2>I've tried everything I can think of…what am I doing wrong?</FONT>
</P><BR>
<PRE>##############################
# Loglogic dump
##############################
options {
    sync(0);
    log_fifo_size(1024);
    chain_hostnames(no);
    use_fqdn(yes);
    use_dns(yes);
    dns_cache(yes);
    dns_cache_expire(300);
    dns_cache_expire_failed(10);
    dns_cache_size(1024);
    keep_hostname(yes);
};
source snet { tcp(); udp(); };
filter f_loglogic { level(debug..emerg) and facility(local0, local1, local2, local3, local4, local6, local7); };
destination LogLogic { tcp("10.24.2.39" port(514) log_fifo_size(60000) template("&lt;$PRI&gt; $R_DATE $SOURCEIP $MSG\n") ); };

log { source(snet); filter(f_loglogic); destination(LogLogic); };
##############################
# END Loglogic dump
##############################
</PRE><BR>
<P><FONT face=Arial size=2>When I telnet to my router and generate a
SYS-5-CONFIG, I see the packet come into the server:</FONT></P>
<PRE>#----Start capture
tcpdump dst port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

10:17:33.211813 IP 10.26.31.2.52935 &gt; syslog.net.syslog: SYSLOG local7.notice, length: 105
148 packets captured
297 packets received by filter
0 packets dropped by kernel
#----End capture
</PRE><BR>
<P><FONT face=Arial size=2>But when I try to sniff packets going to the
destination server, I see nothing:</FONT></P>
<PRE>/etc/init.d/syslog-ng restart
 * Stopping syslog-ng ...                                                 [ ok ]
 * Starting syslog-ng ...
</PRE>
<P><FONT face=Arial size=2>#----Start capture - note that the entries below are
from syslog-ng restarting, so I know it establishes a connection...</FONT></P>
<PRE>tcpdump dst host 10.24.2.39
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

10:24:40.401037 IP syslog.net.56631 &gt; .shell: F 1487912722:1487912722(0) ack 91904650 win 1460 &lt;nop,nop,timestamp 866281169 157842259&gt;
10:24:40.407670 IP syslog.net.56631 &gt; .shell: . ack 2 win 1460 &lt;nop,nop,timestamp 866281177 158151244&gt;
10:24:43.014989 IP syslog.net.42848 &gt; .shell: S 1805017512:1805017512(0) win 5840 &lt;mss 1460,sackOK,timestamp 866283785 0,nop,wscale 2&gt;
10:24:43.015885 IP syslog.net.42848 &gt; .shell: . ack 425051406 win 1460 &lt;nop,nop,timestamp 866283786 158153852&gt;
#----End capture
</PRE><BR>
<P><FONT face=Arial size=2>What am I missing here?</FONT> </P>
<P><FONT face=Arial size=2>Thanks!</FONT> <BR><FONT face=Arial
size=2>Clayton</FONT> </P><BR></BODY></HTML>