Further,<br>I have tried setting the kernel parameters without any luck<br><br>[root@aspsyslog ~]# sysctl -w net.core.rmem_max=8388608<br>[root@aspsyslog ~]# sysctl -w net.core.rmem_default=1048576<br><br><br><br><br><div class="gmail_quote">
On Wed, Nov 17, 2010 at 5:19 PM, keshava V <span dir="ltr"><<a href="mailto:mv.keshava@gmail.com">mv.keshava@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
I am receiving messages on udp port 514 and nothing on tcp 514. <br><br>17:15:50.816216 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 88<br>17:15:50.819013 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 191<br>
17:15:50.817631 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 182<br>17:15:50.820751 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 166<br>
17:15:50.837713 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.alert, length: 126<br>17:15:50.837730 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.alert, length: 126<br>17:15:50.898519 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 181<br>
17:15:50.903282 IP 10.41.42.254.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 112<br><br>I am running syslog-ng in debug mode and this is what is being sent to stdout<br><br>[root@aspsyslog ~]# /opt/syslog-ng/sbin/syslog-ng -d -v<br>
Running application hooks; hook='1'<br>Running application hooks; hook='3'<div class="im"><br>syslog-ng starting up; version='3.1.2'<br></div>Incoming log entry; line='<6>device eth0 entered promiscuous mode'<br>
Initializing destination file writer; template='/var/log/messages_syslog-ng.log', filename='/var/log/messages_syslog-ng.log'<br>Incoming log entry; line='<6>device eth0 left promiscuous mode'<br>
Incoming log entry; line='<6>device eth0 entered promiscuous mode'<br>Incoming log entry; line='<6>device eth0 left promiscuous mode'<br>Incoming log entry; line='<6>device eth0 entered promiscuous mode'<div>
<div></div><div class="h5"><br>
<br><br><br><br><div class="gmail_quote">On Wed, Nov 17, 2010 at 5:14 PM, keshava V <span dir="ltr"><<a href="mailto:mv.keshava@gmail.com" target="_blank">mv.keshava@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
We had a old syslog-ng server which was completely configured and working fine which died. I am using the same IP address so I can confidently say that firewall is open and all the messages are arriving at the new server. syslog is writing messages to the destination but the messages coming on udp/tcp 514. I am trying to get it to write to one file and if that works then to filter all the messages later by host. <br>
<br>I have attached the tcpdump output here and see info, debug messages making it to this server<br><br>17:03:47.495842 IP aspsyslog.filenet-cm > neo.domain: 32289+ PTR? 41.34.73.10.in-addr.arpa. (42)<br>17:03:47.496324 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 182<br>
17:03:47.496373 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 164<br>17:03:47.496395 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 164<br>
17:03:47.496530 IP neo.domain > aspsyslog.filenet-cm: 32289 NXDomain* 0/1/0 (128)<br>17:03:47.497113 IP aspsyslog.ssh > nim.42783: P 48256:49264(1008) ack 97 win 53 <nop,nop,timestamp 93630177 1310858340><br>
17:03:47.497603 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 166<br>
17:03:47.497635 IP nim.42783 > aspsyslog.ssh: . ack 49264 win 32761 <nop,nop,timestamp 1310858341 93630124><br>17:03:47.506126 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 86<br>17:03:47.506169 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 189<br>
17:03:47.521584 IP 10.140.130.20.filenet-pa > aspsyslog.syslog: SYSLOG <a href="http://daemon.info" target="_blank">daemon.info</a>, length: 107<br>17:03:47.521615 IP aspsyslog. > <a href="http://10.140.130.20" target="_blank">10.140.130.20</a>: ICMP host aspsyslog. unreachable - admin prohibited, length 143<br>
17:03:47.521907 IP aspsyslog.filenet-cm > neo.domain: 57020+ PTR? 20.130.140.10.in-addr.arpa. (44)<br>17:03:47.522331 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 182<br>
17:03:47.522504 IP neo.domain > aspsyslog.filenet-cm: 57020 NXDomain* 0/1/0 (132)<br>17:03:47.523087 IP aspsyslog.ssh > nim.42783: P 49264:50416(1152) ack 97 win 53 <nop,nop,timestamp 93630203 1310858341><br>
17:03:47.523574 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 166<br>
17:03:47.549950 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 164<br>17:03:47.549973 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 164<br>
17:03:47.552109 IP 10.73.34.45.32822 > aspsyslog.syslog: SYSLOG <a href="http://daemon.info" target="_blank">daemon.info</a>, length: 109<br>17:03:47.552136 IP aspsyslog. > <a href="http://10.73.34.45" target="_blank">10.73.34.45</a>: ICMP host aspsyslog. unreachable - admin prohibited, length 145<br>
17:03:47.552410 IP aspsyslog.filenet-cm > neo.domain: 41657+ PTR? 45.34.73.10.in-addr.arpa. (42)<br>17:03:47.552852 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 182<br>
17:03:47.553052 IP neo.domain > aspsyslog.filenet-cm: 41657 NXDomain* 0/1/0 (128)<br>17:03:47.553576 IP aspsyslog.ssh > nim.42783: P 50416:51392(976) ack 97 win 53 <nop,nop,timestamp 93630233 1310858341><br>17:03:47.554127 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 166<br>
17:03:47.558864 IP 10.140.141.8.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 177<br>17:03:47.558998 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 188<br>
17:03:47.559027 IP aspsyslog. > <a href="http://10.140.141.9" target="_blank">10.140.141.9</a>: ICMP host aspsyslog. unreachable - admin prohibited, length 224<br>17:03:47.559031 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 188<br>
17:03:47.595714 IP axprod20.filenet-rpc > aspsyslog.syslog: SYSLOG <a href="http://daemon.info" target="_blank">daemon.info</a>, length: 108<br>17:03:47.595820 arp who-has axprod20. tell aspsyslog.<br>17:03:47.596053 IP aspsyslog.filenet-cm > neo.domain: 65192+ PTR? 25.130.140.10.in-addr.arpa. (44)<br>
17:03:47.596226 IP aspsyslog. > axprod20.: ICMP host aspsyslog. unreachable - admin prohibited, length 144<br>17:03:47.596434 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 182<br>
17:03:47.596540 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 164<br>17:03:47.596549 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 86<br>
<br><div class="gmail_quote"><div>On Wed, Nov 17, 2010 at 5:02 PM, Worsham, Michael <span dir="ltr"><<a href="mailto:mworsham@scires.com" target="_blank">mworsham@scires.com</a>></span> wrote:<br></div><div>
<div></div><div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">Try running the syslog-ng application in debug mode: “syslog-ng –d –v” and see what the output is to the screen for the UDP connection and destination attempts.</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-width: 1pt medium medium; border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span style="font-size: 10pt;">From:</span></b><span style="font-size: 10pt;"> <a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a> [mailto:<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>]
<b>On Behalf Of </b>keshava V<br>
<b>Sent:</b> Wednesday, November 17, 2010 5:59 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] Syslog-ng not receiving messages</span></p>
</div><div><div></div><div>
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="margin-bottom: 12pt;">Messages from kernel, syslog-ng are being written but not the ones coming on udp 514 to the destination file as seen below.
<br>
<br>
[root@aspsyslog ~]# ls -ltr /var/log/messages_syslog-ng.log<br>
<span style="background: none repeat scroll 0% 0% red;">-rw-r--r-- 1</span> root root 24645 2010-11-17 15:32 /var/log/messages_syslog-ng.log<br>
<br>
Nov 17 14:28:55 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;<br>
Nov 17 14:29:40 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;<br>
Nov 17 14:30:09 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;<br>
Nov 17 14:36:33 s_all@aspsyslog syslog-ng[4460]: Termination requested via signal, terminating;<br>
Nov 17 14:36:33 s_all@aspsyslog syslog-ng[4460]: syslog-ng shutting down; version='3.1.2'<br>
Nov 17 14:36:40 s_all@aspsyslog syslog-ng[8051]: syslog-ng starting up; version='3.1.2'<br>
Nov 17 14:40:49 s_all@aspsyslog syslog-ng[8051]: Configuration reload request received, reloading configuration;<br>
Nov 17 14:47:07 s_all@aspsyslog syslog-ng[8051]: Termination requested via signal, terminating;<br>
Nov 17 14:47:07 s_all@aspsyslog syslog-ng[8051]: syslog-ng shutting down; version='3.1.2'<br>
Nov 17 14:55:43 s_all@aspsyslog kernel: device eth0 entered promiscuous mode<br>
Nov 17 14:56:09 s_all@aspsyslog kernel: device eth0 left promiscuous mode<br>
Nov 17 14:58:04 s_all@aspsyslog kernel: device eth0 entered promiscuous mode<br>
Nov 17 14:58:11 s_all@aspsyslog kernel: device eth0 left promiscuous mode<br>
<br>
<br>
<br>
</p>
<div>
<p class="MsoNormal">On Wed, Nov 17, 2010 at 4:29 PM, Martin Holste <<a href="mailto:mcholste@gmail.com" target="_blank">mcholste@gmail.com</a>> wrote:</p>
<p class="MsoNormal">Hm, maybe a permissions issue with writing? Try putting in<br>
/tmp/somefile as the destination and see if that works. Also, you<br>
should verify that messages are in fact arriving on the server using<br>
tcpdump.</p>
<div>
<div>
<p class="MsoNormal"><br>
On Wed, Nov 17, 2010 at 3:44 PM, keshava Veerabhadraiah<br>
<<a href="mailto:mv.keshava@gmail.com" target="_blank">mv.keshava@gmail.com</a>> wrote:<br>
> Hi<br>
> I am new to syslog-ng and I have gone through other post to see if I can<br>
> get a resolution to my problem.<br>
> Syslog is not writing to the destination file any messages received on udp()<br>
> or tcp().<br>
> I have made sure that syslog server is receiving the syslog messages as seen<br>
> from the tcpdump<br>
><br>
><br>
> 15:09:55.422423 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.warning, length: 153<br>
> 15:09:55.434638 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 184<br>
> 15:09:55.470383 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 176<br>
> 15:09:55.473519 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 190<br>
> 15:09:55.493361 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 180<br>
> 15:09:55.493748 IP aspsyslog.sungardebs.com.ssh > nim.sungardebs.com.42703:<br>
> P 128608:129696(1088) ack 289 win 461 <nop,nop,timestamp 88706531<br>
> 1310848493><br>
> 15:09:55.495519 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 188<br>
> 15:09:55.495548 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.debug, length: 90<br>
> 15:09:55.495556 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.debug, length: 85<br>
> 15:09:55.521115 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG local4.debug, length: 87<br>
> 15:09:55.521188 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 188<br>
> 15:09:55.522041 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 175<br>
> 15:09:55.522212 IP 10.140.141.7.syslog > aspsyslog.sungardebs.com.syslog:<br>
> SYSLOG <a href="http://local4.info" target="_blank">local4.info</a>, length: 164<br>
><br>
><br>
><br>
> Here is how my syslog-ng config looks.<br>
><br>
> @version: 3.0<br>
> #Default configuration file for syslog-ng.<br>
> #<br>
> # For a description of syslog-ng configuration file directives, please read<br>
> # the syslog-ng Administrator's guide at:<br>
> #<br>
> # <a href="http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html" target="_blank">
http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html</a><br>
> #<br>
><br>
> options {<br>
> chain_hostnames(no);<br>
> create_dirs (no);<br>
> dir_perm(0755);<br>
> dns_cache(no);<br>
> keep_hostname(yes);<br>
> log_fifo_size(2048);<br>
> log_msg_size(1024);<br>
> log_iw_size (500);<br>
> long_hostnames(on);<br>
> perm(0644);<br>
> stats_freq(3600);<br>
> flush_lines(100);<br>
> time_reopen (10);<br>
> use_dns(no);<br>
> use_fqdn(yes);<br>
> # max_connections(100);<br>
><br>
> };<br>
><br>
> source s_all {<br>
> udp(so_rcvbuf(2048576));<br>
> tcp();<br>
> unix-stream("/dev/log");<br>
> internal();<br>
> file("/proc/kmsg");<br>
> };<br>
><br>
> destination d_file_normal {file("/var/log/messages_syslog-ng.log"); };<br>
><br>
> log { source(s_all); destination (d_file_normal); };<br>
><br>
><br>
> Any help would be greatly appreciated.<br>
><br>
> Thanks<br>
><br>
><br>
><br>
><br>
><br>
></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom: 12pt;">> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation:<br>
> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
><br>
><br>
><br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a></p>
</div>
<p class="MsoNormal"> </p>
</div></div></div>
<br>
<hr>
<font color="Gray" face="Arial" size="1">CONFIDENTIALITY NOTICE: This email and any attachments are intended solely for the use of the named recipient(s). This email may contain confidential and/or proprietary information of Scientific Research Corporation.
If you are not a named recipient, you are prohibited from reviewing, copying, using, disclosing or distributing to others the information in this email and attachments. If you believe you have received this email in error, please notify the sender immediately
and permanently delete the email, any attachments, and all copies thereof from any drives or storage media and destroy any printouts of the email or attachments.<br>
<br>
EXPORT COMPLIANCE NOTICE: This email and any attachments may contain technical data subject to U.S export restrictions under the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Export or transfer of this technical
data and/or related information to any foreign person(s) or entity(ies), either within the U.S. or outside of the U.S., may require advance export authorization by the appropriate U.S. Government agency prior to export or transfer. In addition, technical data
may not be exported or transferred to certain countries or specified designated nationals identified by U.S. embargo controls without prior export authorization. By accepting this email and any attachments, all recipients confirm that they understand and will
comply with all applicable ITAR, EAR and embargo compliance requirements.<br>
</font>
</div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.campin.net/syslog-ng/faq.html" target="_blank">http://www.campin.net/syslog-ng/faq.html</a><br>
<br>
<br></blockquote></div></div></div><br>
</blockquote></div><br>
</div></div></blockquote></div><br>