Also try:<div>tcpdump udp port 514</div><div>to make sure udp is being received - not being blocked by a firewall or something.</div><div><br clear="all">______________________________________________________________ <br><br>
Clayton Dukes<br>______________________________________________________________<br>
<br><br><div class="gmail_quote">On Wed, Nov 17, 2010 at 6:02 PM, Worsham, Michael <span dir="ltr"><<a href="mailto:mworsham@scires.com">mworsham@scires.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D">Try running the syslog-ng application in debug mode: “syslog-ng -d -v” and see what the output is to the screen for the UDP connection and destination attempts.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:#1F497D"> </span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt">From:</span></b><span style="font-size:10.0pt"> <a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a> [mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>]
<b>On Behalf Of </b>keshava V<br>
<b>Sent:</b> Wednesday, November 17, 2010 5:59 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] Syslog-ng not receiving messages</span></p>
</div><div><div></div><div class="h5">
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Messages from kernel, syslog-ng are being written but not the ones coming on udp 514 to the destination file as seen below.
<br>
<br>
[root@aspsyslog ~]# ls -ltr /var/log/messages_syslog-ng.log<br>
<span style="background:red">-rw-r--r-- 1</span> root root 24645 2010-11-17 15:32 /var/log/messages_syslog-ng.log<br>
<br>
Nov 17 14:28:55 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;<br>
Nov 17 14:29:40 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;<br>
Nov 17 14:30:09 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;<br>
Nov 17 14:36:33 s_all@aspsyslog syslog-ng[4460]: Termination requested via signal, terminating;<br>
Nov 17 14:36:33 s_all@aspsyslog syslog-ng[4460]: syslog-ng shutting down; version='3.1.2'<br>
Nov 17 14:36:40 s_all@aspsyslog syslog-ng[8051]: syslog-ng starting up; version='3.1.2'<br>
Nov 17 14:40:49 s_all@aspsyslog syslog-ng[8051]: Configuration reload request received, reloading configuration;<br>
Nov 17 14:47:07 s_all@aspsyslog syslog-ng[8051]: Termination requested via signal, terminating;<br>
Nov 17 14:47:07 s_all@aspsyslog syslog-ng[8051]: syslog-ng shutting down; version='3.1.2'<br>
Nov 17 14:55:43 s_all@aspsyslog kernel: device eth0 entered promiscuous mode<br>
Nov 17 14:56:09 s_all@aspsyslog kernel: device eth0 left promiscuous mode<br>
Nov 17 14:58:04 s_all@aspsyslog kernel: device eth0 entered promiscuous mode<br>
Nov 17 14:58:11 s_all@aspsyslog kernel: device eth0 left promiscuous mode<br>
<br>
<br>
<br>
</p>
<div>
<p class="MsoNormal">On Wed, Nov 17, 2010 at 4:29 PM, Martin Holste <<a href="mailto:mcholste@gmail.com" target="_blank">mcholste@gmail.com</a>> wrote:</p>
<p class="MsoNormal">Hm, maybe a permissions issue with writing? Try putting in<br>
/tmp/somefile as the destination and see if that works. Also, you<br>
should verify that messages are in fact arriving on the server using<br>
tcpdump.</p>
<div>
<div>
<p class="MsoNormal"><br>
On Wed, Nov 17, 2010 at 3:44 PM, keshava Veerabhadraiah<br>
<<a href="mailto:mv.keshava@gmail.com" target="_blank">mv.keshava@gmail.com</a>> wrote:<br>
> Hi<br>
> I am new to syslog-ng and I have gone through other posts to see if I can<br>
> get a resolution to my problem.<br>
> Syslog is not writing to the destination file any messages received on udp()<br>
> or tcp().<br>
> I have made sure that syslog server is receiving the syslog messages as seen<br>
> from the tcpdump<br>
><br>
><br>
> 15:09:55.422423 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.warning, length: 153<br>
> 15:09:55.434638 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.info, length: 184<br>
> 15:09:55.470383 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.info, length: 176<br>
> 15:09:55.473519 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.info, length: 190<br>
> 15:09:55.493361 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.info, length: 180<br>
> 15:09:55.493748 IP aspsyslog.sungardebs.com.ssh > nim.sungardebs.com.42703:<br>
> P 128608:129696(1088) ack 289 win 461 <nop,nop,timestamp 88706531<br>
> 1310848493><br>
> 15:09:55.495519 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.info, length: 188<br>
> 15:09:55.495548 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.debug, length: 90<br>
> 15:09:55.495556 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.debug, length: 85<br>
> 15:09:55.521115 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.debug, length: 87<br>
> 15:09:55.521188 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.info, length: 188<br>
> 15:09:55.522041 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.info, length: 175<br>
> 15:09:55.522212 IP 10.140.141.7.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.info, length: 164<br>
><br>
><br>
><br>
> Here is how my syslog-ng config looks.<br>
><br>
> @version: 3.0<br>
> #Default configuration file for syslog-ng.<br>
> #<br>
> # For a description of syslog-ng configuration file directives, please read<br>
> # the syslog-ng Administrator's guide at:<br>
> #<br>
> # <a href="http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html" target="_blank">
http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html</a><br>
> #<br>
><br>
> options {<br>
> chain_hostnames(no);<br>
> create_dirs (no);<br>
> dir_perm(0755);<br>
> dns_cache(no);<br>
> keep_hostname(yes);<br>
> log_fifo_size(2048);<br>
> log_msg_size(1024);<br>
> log_iw_size (500);<br>
> long_hostnames(on);<br>
> perm(0644);<br>
> stats_freq(3600);<br>
> flush_lines(100);<br>
> time_reopen (10);<br>
> use_dns(no);<br>
> use_fqdn(yes);<br>
> # max_connections(100);<br>
><br>
> };<br>
><br>
> source s_all {<br>
> udp(so_rcvbuf(2048576));<br>
> tcp();<br>
> unix-stream("/dev/log");<br>
> internal();<br>
> file("/proc/kmsg");<br>
> };<br>
><br>
> destination d_file_normal {file("/var/log/messages_syslog-ng.log"); };<br>
><br>
> log { source(s_all); destination (d_file_normal); };<br>
><br>
><br>
> Any help would be greatly appreciated.<br>
><br>
> Thanks<br>
><br>
><br>
><br>
><br>
><br>
></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation:<br>
> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
><br>
><br>
><br>
</p>
</div>
<p class="MsoNormal"> </p>
</div></div></div>
<br>
</div>
<br>
<br></blockquote></div><br></div>
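The checks suggested in this thread (confirm the datagram arrives, then confirm syslog-ng writes it) can be combined into one probe; the following is an added example, not code from the thread or from the syslog-ng project. It sends a uniquely tagged local4.info message over UDP and then looks for the tag in the destination file; the function names, the `udp-probe` program tag and the 127.0.0.1 target are assumptions, while the port and file path are the ones in the posted config.

```python
import socket
import time
import uuid

FACILITY_LOCAL4 = 20   # facility shown in the tcpdump output in the thread
SEVERITY_INFO = 6

def build_probe(marker, facility=FACILITY_LOCAL4, severity=SEVERITY_INFO):
    """Return a BSD-syslog (RFC 3164) datagram carrying a unique marker."""
    pri = facility * 8 + severity                 # local4.info -> 166
    t = time.localtime()
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    host = socket.gethostname() or "probe-host"
    return f"<{pri}>{stamp} {host} udp-probe: {marker}".encode()

def send_probe(host, port=514, marker=None):
    """Send one probe over UDP and return the marker that was sent."""
    marker = marker or f"probe-{uuid.uuid4().hex}"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(build_probe(marker), (host, port))
    return marker

def marker_written(path, marker, timeout=15.0, poll=0.25):
    """Poll the destination file until the marker appears or the timeout expires."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            with open(path, "r", errors="replace") as fh:
                if any(marker in line for line in fh):
                    return True
        except OSError:
            pass                                  # file missing or unreadable so far
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll)

if __name__ == "__main__":
    # Assumed setup: run on the syslog-ng host; path taken from the posted config.
    m = send_probe("127.0.0.1")
    ok = marker_written("/var/log/messages_syslog-ng.log", m)
    print(("written: " if ok else "not written within timeout: ") + m)
```

The posted config sets flush_lines(100), so syslog-ng may hold a single line until its flush timeout before writing it; keep the polling timeout generous or send the probe several times before concluding the message was dropped.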