<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body>
<div>I would look at the macro parsing. Is HOST correctly being parsed, etc. You could create a separate file destination using one macro at a time to narrow it down. Also you could check the syslog-ng logs themselves to look at drops. </div><div><br></div><div>Jim</div><div><br></div><div><br></div><div><br></div><div id="composer_signature"><div style="font-size:85%;color:#575757">Sent from my Verizon Wireless 4G LTE smartphone</div></div><br><br>-------- Original message --------<br>From: Brandon Kendall <brandon.kendall@gmail.com> <br>Date: 03/06/2015 11:56 AM (GMT-05:00) <br>To: syslog-ng@lists.balabit.hu <br>Subject: [syslog-ng] Single host logs aren't being written <br><br><div dir="ltr">Hello everyone.<div><br></div><div>I have a centralized syslog-ng server running that collect syslog messages from Cisco firewalls. The .conf file is very straightforward and contains the following:</div><div><br></div><div>options {</div><div>use_fqdn(no);</div><div>use_dns(yes);</div><div>dns_cache(yes);</div><div>dns_cache_size(2000);</div><div>dns_cache_expire(87600);</div><div>keep_hostname(no);</div><div>long_hostnames(no);</div><div>flush_lines(0);</div><div>normalize_hostnames(yes);</div><div>create_dirs(yes);</div><div>dir_group(group_name);</div><div>dir_perm(0751);</div><div>stats_freq(600);</div><div>stats_level(1);</div><div>group(group_name);</div><div>perm(0640);</div><div>};</div><div><br></div><div>source s_network_1 {</div><div>udp();</div><div>};</div><div><br></div><div>destination d_network_1 {</div><div>file ("/var/syslog/$R_YEAR-$R_MONTH-$R_DAY/$HOST/$R_YEAR-$R_MONTH-$R_DAY-$HOST-$R_HOUR.log");</div><div>};</div><div><br></div><div>log {</div><div>source(s_network_1);</div><div>destination(d_network_1);</div><div>};</div><div><br></div><div><br></div><div>The goal is to have the logs from each device arranged in a hierarchy that is as follows (simplified):</div><div>Date/device_name/hour-1.log</div><div>Date/device/name/hour2.log</div><div>etc</div><div><br></div><div>This has been working great.</div><div><br></div><div>Recently I configured another network device to send syslog messages to this server, and they aren't being logged. Using tcpdump on the syslog-ng box, I've verified the messages are making it to the server from the network device. They are UDP and using the correct port. I've compared the message format in the pcap to other devices that are still logging and everything matches. I have no errors in /var/log/syslog files, nor do I have errors in /var/log/messages.</div><div><br></div><div>I've hit a dead end in troubleshooting, since all other devices sending logs to this server are being correctly written to log files. Can someone point me to anything else to check?</div><div><br></div><div>This is syslog-ng 3.1.2 running on RHEL 5.8.</div><div><br></div><div><br></div><div>Thanks!</div></div>
</body></html>