<p dir="ltr">Thanks for the responses, all. I managed to fix the issue by routing the syslog messages to a different interface on the server. </p>
<p dir="ltr">Sent from my Android device.</p>
<div class="gmail_quote">On Mar 9, 2015 4:53 AM, "Sandor Geller" <<a href="mailto:sandor.geller@ericsson.com">sandor.geller@ericsson.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
Is it possible to configure the given device to use another port? This<br>
way you could fire up another syslog-ng instance with debugging options<br>
enabled to see what it thinks about the incoming messages. Running this<br>
instance under strace won't impact the processing of logs from other<br>
devices and the strace output would be quite useful for debugging.<br>
<br>
Although you mentioned that the incoming logs seem to be OK could you<br>
show a few incoming packets? Preferably in hexdump format, maybe we<br>
could catch what's wrong.<br>
<br>
Regards,<br>
<br>
Sandor<br>
<br>
On 03/06/2015 07:09 PM, Brandon Kendall wrote:<br>
> Sorry, I should have specified that.<br>
><br>
> Not only does the hostname resolve to the correct IP, I created an entry<br>
> in the hosts file for this device.<br>
><br>
> Thanks!<br>
><br>
> On Fri, Mar 6, 2015 at 12:30 PM, Sandor Geller<br>
> <<a href="mailto:sandor.geller@ericsson.com">sandor.geller@ericsson.com</a>> wrote:<br>
><br>
> Hi!<br>
><br>
> The only macro in the destination which isn't generated by syslog-ng<br>
> itself is $HOST as you are using DNS for hostname resolution. Could you<br>
> double-check that the source IP address of the originating device<br>
> resolves properly to a hostname and the given hostname is unique?<br>
><br>
> hth,<br>
><br>
> Sandor<br>
><br>
> On 03/06/2015 05:56 PM, Brandon Kendall wrote:<br>
> > Hello everyone.<br>
> ><br>
> > I have a centralized syslog-ng server running that collects syslog<br>
> > messages from Cisco firewalls. The .conf file is very straightforward<br>
> > and contains the following:<br>
> ><br>
> > options {<br>
> > use_fqdn(no);<br>
> > use_dns(yes);<br>
> > dns_cache(yes);<br>
> > dns_cache_size(2000);<br>
> > dns_cache_expire(87600);<br>
> > keep_hostname(no);<br>
> > long_hostnames(no);<br>
> > flush_lines(0);<br>
> > normalize_hostnames(yes);<br>
> > create_dirs(yes);<br>
> > dir_group(group_name);<br>
> > dir_perm(0751);<br>
> > stats_freq(600);<br>
> > stats_level(1);<br>
> > group(group_name);<br>
> > perm(0640);<br>
> > };<br>
> ><br>
> > source s_network_1 {<br>
> > udp();<br>
> > };<br>
> ><br>
> > destination d_network_1 {<br>
> > file("/var/syslog/$R_YEAR-$R_MONTH-$R_DAY/$HOST/$R_YEAR-$R_MONTH-$R_DAY-$HOST-$R_HOUR.log");<br>
> > };<br>
> ><br>
> > log {<br>
> > source(s_network_1);<br>
> > destination(d_network_1);<br>
> > };<br>
> ><br>
> ><br>
> > The goal is to have the logs from each device arranged in a hierarchy<br>
> > that is as follows (simplified):<br>
> > Date/device_name/hour-1.log<br>
> > Date/device_name/hour-2.log<br>
> > etc<br>
> ><br>
> > This has been working great.<br>
> ><br>
> > Recently I configured another network device to send syslog messages to<br>
> > this server, and they aren't being logged. Using tcpdump on the<br>
> > syslog-ng box, I've verified the messages are making it to the server<br>
> > from the network device. They are UDP and using the correct port. I've<br>
> > compared the message format in the pcap to other devices that are still<br>
> > logging and everything matches. I have no errors in /var/log/syslog<br>
> > files, nor do I have errors in /var/log/messages.<br>
> ><br>
> > I've hit a dead end in troubleshooting, since all other devices sending<br>
> > logs to this server are being correctly written to log files. Can<br>
> > someone point me to anything else to check?<br>
> ><br>
> > This is syslog-ng 3.1.2 running on RHEL 5.8.<br>
> ><br>
> ><br>
> > Thanks!<br>
> ><br>
> ><br>
> ><br>
> ______________________________________________________________________________<br>
> > Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> > Documentation:<br>
> <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> > FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
> ><br>
><br>
><br>
><br>
><br>
><br>
><br>
<br>
<br>
</blockquote></div>
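<p dir="ltr">Added example (not from the thread or from syslog-ng itself): a small Python model of the two things the discussion turns on, whether an incoming UDP datagram parses as an RFC 3164 message, and which value $HOST takes under the posted options (keep_hostname(no), use_dns(yes), use_fqdn(no), normalize_hostnames(yes)), and therefore which file path the posted destination template renders. The reverse-DNS table, the sample datagrams and the timestamps are constructed; the $HOST rules are my simplified reading of syslog-ng's documented behaviour, not its code. Running it shows why a device whose source address has no PTR record ends up under a directory named after its IP rather than its hostname, which is one reason "missing" logs are worth looking for under a different $HOST.</p>

```python
"""Added example: where would a datagram land given the thread's syslog-ng options?

Not syslog-ng code. The resolver table below is constructed and stands in for the
server's reverse DNS / hosts file; the $HOST rules are a simplified model of the
documented semantics of keep_hostname/use_dns/use_fqdn/normalize_hostnames.
"""
import re
from datetime import datetime
from typing import Dict, Optional

# Constructed reverse-DNS table (IP -> PTR name). 10.0.0.3 deliberately has no entry.
FAKE_REVERSE_DNS: Dict[str, str] = {
    "10.0.0.1": "FW-EDGE-1.corp.example.com",
    "10.0.0.2": "fw-edge-2.corp.example.com",
}

# RFC 3164 header as most devices send it: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)


def parse_rfc3164(datagram: bytes) -> Optional[dict]:
    """Return the header fields, or None when the datagram does not look like RFC 3164.

    A None here is the kind of thing a hexdump of the packet (as suggested in the
    thread) would reveal: a device emitting a header the parser does not expect.
    """
    m = RFC3164_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts").decode(),
        "host": m.group("host").decode(),
        "msg": m.group("msg").decode(errors="replace"),
    }


def derive_host(source_ip: str, header_host: Optional[str], *,
                keep_hostname: bool = False, use_dns: bool = True,
                use_fqdn: bool = False, normalize_hostnames: bool = True,
                resolver: Dict[str, str] = FAKE_REVERSE_DNS) -> str:
    """Model syslog-ng's $HOST selection (simplified; defaults match the posted options).

    keep_hostname(yes) trusts the hostname in the message header. Otherwise the
    sender's address is used, reverse-resolved when use_dns(yes) and a PTR exists;
    with no PTR the IP address string itself becomes $HOST. use_fqdn(no) keeps only
    the first label of a name, and normalize_hostnames(yes) lowercases the result.
    """
    if keep_hostname and header_host:
        host = header_host
    elif use_dns and source_ip in resolver:
        host = resolver[source_ip]
    else:
        host = source_ip  # no PTR record: fall back to the address
    if not use_fqdn and not re.fullmatch(r"[\d.]+", host):
        host = host.split(".", 1)[0]
    if normalize_hostnames:
        host = host.lower()
    return host


def render_path(host: str, received: datetime) -> str:
    """Render the thread's file() template; $R_* macros are the receive time."""
    d = received.strftime("%Y-%m-%d")
    return f"/var/syslog/{d}/{host}/{d}-{host}-{received:%H}.log"


def where_does_it_land(source_ip: str, datagram: bytes, received: datetime) -> Optional[str]:
    """Parse the datagram, derive $HOST and return the destination file path."""
    hdr = parse_rfc3164(datagram)
    if hdr is None:
        return None
    return render_path(derive_host(source_ip, hdr["host"]), received)


if __name__ == "__main__":
    now = datetime(2015, 3, 6, 17, 56)  # constructed receive time
    samples = [  # constructed datagrams
        ("10.0.0.1", b"<189>Mar  6 17:56:01 FW-EDGE-1 %ASA-5-111008: User 'admin' executed 'show run'"),
        ("10.0.0.3", b"<189>Mar  6 17:56:02 newdevice link up"),
        ("10.0.0.2", b"garbage without a PRI header"),
    ]
    for ip, dg in samples:
        print(ip, "->", where_does_it_land(ip, dg, now))
```

<p dir="ltr">With the constructed table, 10.0.0.1 lands under <code>fw-edge-1</code> (PTR found, domain stripped, lowercased), 10.0.0.3 lands under a directory literally named <code>10.0.0.3</code> because it has no PTR record, and the malformed datagram is reported as unparseable. Swapping <code>FAKE_REVERSE_DNS</code> for a real lookup of the sender's address is left as an exercise; the point is to check the $HOST derivation and the header format separately before concluding that messages are being dropped.</p>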