<div class="gmail_quote">On Wed, Sep 12, 2012 at 11:39 AM, Sandor Geller <span dir="ltr"><<a href="mailto:Sandor.Geller@morganstanley.com" target="_blank">Sandor.Geller@morganstanley.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
I don't see anything obvious. Could you check whether there are other<br>
apps listening on <a href="http://172.30.6.70:514" target="_blank">172.30.6.70:514</a> ? In other words grep for 514 in the<br>
netstat output not for syslog. Are there packet filter rules dropping<br>
incoming traffic?<br>
<br>
Regards,<br>
<br>
Sandor<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div><br>@ Sandor Geller<br><br>Thanks for your response. The port 514 is for syslog-ng as it is defined in the services file :<br><br><i><span style="font-family:courier new,monospace">~# cat /etc/services | grep 514<br>
shell 514/tcp cmd # no passwords used<br>syslog-ng 514/udp</span></i><br><i><span style="font-family:courier new,monospace"><br>~# netstat -a --numeric-ports | grep 514<br>tcp 0 0 <a href="http://0.0.0.0:514">0.0.0.0:514</a> 0.0.0.0:* LISTEN <br>
udp 0 0 <a href="http://0.0.0.0:514">0.0.0.0:514</a> 0.0.0.0:* <br>unix 3 [ ] STREAM CONNECTED 1514 </span></i><br><br>As you can see there is only the syslog-ng running on that port.<br>
<br><br><div class="gmail_quote">On Wed, Sep 12, 2012 at 11:45 AM, Gergely Nagy <span dir="ltr"><<a href="mailto:algernon@balabit.hu" target="_blank">algernon@balabit.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Alex Clone <<a href="mailto:alexandros.clone@gmail.com">alexandros.clone@gmail.com</a>> writes:<br>
<br>
> *~# tcpdump -i eth0 udp 'port 514' -v<br>
<div class="im">> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535<br>
> bytes<br>
> 06:05:58.669992 IP (tos 0x0, ttl 254, id 20209, offset 0, flags [none],<br>
> proto UDP (17), length 82)<br>
> 172.29.1.6.syslog-ng > 172.30.6.70.syslog-ng: SYSLOG, length: 54<br>
> Facility local4 (20), Severity debug (7)<br>
> Msg: %ASA-7-609001: Built local-host WAN:172.30.254.4\0x0a<br>
> 06:05:58.670134 IP (tos 0x0, ttl 254, id 52, offset 0, flags [none], proto<br>
> UDP (17), length 85)<br>
> 172.29.1.6.syslog-ng > 172.30.6.70.syslog-ng: SYSLOG, length: 57<br>
> Facility local4 (20), Severity debug (7)<br>
> Msg: %ASA-7-609001: Built local-host outside:172.26.10.4\0x0a<br>
</div>> ………..*<br>
<br>
These look like CISCO logs, which do not conform to the format syslog-ng<br>
expects, and as such, they're not recognised and not processed either.<br>
<br>
If you just want to store them as-is, I'd recommend using the<br>
flags(no-parse) setting in the s_network source, like this:<br>
<br>
source s_network {<br>
tcp(flags(no-parse));<br>
udp(flags(no-parse));<br>
};<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
|8]<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</div></div></blockquote></div><br>@ Gergely Nagy<br><br>Thanks for your response and your recommendation. I change the source block to the one that you mail me. The result is exactly the same. Syslog-ng cannot read the stream.<br>
<br>By the way, when I tried to log local data using the internal(); option to the source block, syslog-ng worked perfectly. All the data logged to the given file. So, the problem, I have to solve, is why syslog-ng cannot read the interface eth0 (udp).<br>
<br>Thanks in advance,<br>Alex<br>