<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body><div>Can you test manually using logger? That way you can see if it behaves differently with different combinations of facility and priority. Also capture those with tcpdump or whatever. I seem to recall that Solaris uses different mappings than other operating systems. You might look at the sending and receiving system header files. I forget the exact name or location but something like /usr/include/sys/syslog.h I think...</div><div><br></div><div>Good luck </div><div>Jim</div><div><br></div><div><br></div><div><br></div><div id="composer_signature"><div style="font-size:85%;color:#575757" dir="auto">Sent from my Verizon, Samsung Galaxy smartphone</div></div><div><br></div><div style="font-size:100%;color:#000000"><!-- originalMessage --><div>-------- Original message --------</div><div>From: "Cottington-Bray, Ian" <ian.cottington-bray@mclaren.com> </div><div>Date: 4/27/16 7:06 AM (GMT-05:00) </div><div>To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> </div><div>Subject: Re: [syslog-ng] Switching the syslog-ng central server - client messages go missing </div><div><br></div></div>
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Thanks for the feedback – had to wait for a period to test again.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Comments below<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:gray">Ian Cottington-Bray | Senior Infrastructure Engineer – Linux/Unix |</span></b><b><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#1F497D">
</span></b><b><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:gray">McLaren Technology Group Limited</span></b><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#1F497D"><br>
</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:gray">McLaren Technology Centre, Chertsey Road, Woking, Surrey GU21 4YH, UK</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#1F497D">
<br>
<br>
</span><b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:red">T:</span></b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#1F497D">
</span><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:gray"> +44 (0) 1483 261 900</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:red">D:</span></b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#1F497D">
</span><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:gray"> +44 (0) 1483 262 357</span><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#1F497D"><br>
</span><b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:red">E:</span></b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:red"> </span><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:gray">ian.cottington-bray@mclaren.com</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:red">W:</span></b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#1F497D">
</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:#1F497D"><a href="http://www.mclaren.com/"><span lang="DE" style="color:gray">www.mclaren.com</span></a>
</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu]
<b>On Behalf Of </b>Scheidler, Balázs<br>
<b>Sent:</b> 21 April 2016 10:33<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> Re: [syslog-ng] Switching the syslog-ng central server - client messages go missing<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">hmm... couple of things come to mind, not all syslog-ng related:<o:p></o:p></p>
</div>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span style="mso-list:Ignore">1)<span style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]-->are those messages actually arriving on the host (check with tcpdump)<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Sometimes – I see network packets being sent some of the time (by the client) but not always<o:p></o:p></span></p>
</div>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span style="mso-list:Ignore">2)<span style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]-->is the local firewall letting them through?<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">There is no firewall on this network<o:p></o:p></span></p>
</div>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span style="mso-list:Ignore">3)<span style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]-->is syslog-ng bound to a specific ip/port or it is bound to 0.0.0.0? (check that with netstat)<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Specific IP/port (514) – several IPs in fact<o:p></o:p></span></p>
</div>
<p class="MsoListParagraph" style="text-indent:-18.0pt;mso-list:l0 level1 lfo1"><!--[if !supportLists]--><span style="mso-list:Ignore">4)<span style="font:7.0pt "Times New Roman"">
</span></span><!--[endif]-->you should be able to use telnet/netcat on the client host to check if the port on the solaris11 box is open<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">The port is open<o:p></o:p></span></p>
</div>
<p class="MsoListParagraph" style="margin-bottom:12.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<!--[if !supportLists]--><span style="color:#1F497D"><span style="mso-list:Ignore">5)<span style="font:7.0pt "Times New Roman"">
</span></span></span><!--[endif]-->if all else fails, check the syslog-ng config, but that shouldn't be a problem<span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">It looks OK to me ..<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">It almost looks like the client systems don’t send all the time – which is VERY strange and I’m struggling to understand why. The
client systems seem to send a few messages immediately after syslog-ng starts on the central server and then stop sending …
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">If I shutdown the new server and bring up the old one the messages start appearing in the logs as I would expect.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Any suggestions ?<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Bazsi<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">-- <br>
Bazsi<o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Apr 20, 2016 at 4:51 PM, Cottington-Bray, Ian <<a href="mailto:ian.cottington-bray@mclaren.com" target="_blank">ian.cottington-bray@mclaren.com</a>> wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I have a Solaris 10 server running version 3.0 of syslog-ng.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I have built a new server running Solaris 11 with version 3.6 of syslog-ng installed.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I have tested the new server by pointing another client at it and messages appear in the configured files as expected.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I then shut down the Solaris 10 server – change the Solaris 11 server IP configuration to match the details for the Solaris 10 server – restart syslog-ng on the Solaris 11 server.
Things seem to be working ok – except for the (Solaris and Linux) clients using syslog-ng (and referencing the central syslog-ng server by IP) their messages do not arrive at the expected files.
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Any suggestions ?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Ian<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:7.5pt;font-family:"Arial",sans-serif;color:gray">Ian Cottington-Bray | Senior Infrastructure Engineer – Linux/Unix |</span></b><b><span style="font-size:7.5pt;font-family:"Arial",sans-serif">
<span style="color:gray">McLaren Technology Group Limited</span></span></b><span style="font-size:7.5pt;font-family:"Arial",sans-serif"><br>
<span style="color:gray">McLaren Technology Centre, Chertsey Road, Woking, Surrey GU21 4YH, UK</span>
<br>
<br>
</span><b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:red">T:</span></b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif">
<span style="color:gray"> <a href="tel:%2B44%20%280%29%201483%20261%20900" target="_blank">+44 (0) 1483 261 900</a></span></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:red">D:</span></b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif">
<span style="color:gray"> <a href="tel:%2B44%20%280%29%201483%20262%20357" target="_blank">+44 (0) 1483 262 357</a></span><br>
<b><span style="color:red">E:</span></b><span style="color:red"> </span><span style="color:gray"><a href="mailto:ian.cottington-bray@mclaren.com" target="_blank">ian.cottington-bray@mclaren.com</a></span></span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif;color:red">W:</span></b><span lang="DE" style="font-size:7.5pt;font-family:"Arial",sans-serif">
</span><span style="font-size:7.5pt;font-family:"Arial",sans-serif"><a href="http://www.mclaren.com/" target="_blank"><span lang="DE" style="color:gray">www.mclaren.com</span></a>
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<p class="MsoNormal"><br clear="all">
The contents of this e-mail are confidential and for the exclusive use of the intended recipient. If you are not the intended recipient you should not read, copy, retransmit or disclose its contents. If you have received this email in error please delete it
from your system immediately and notify us either by email or telephone. The views expressed in this communication may not necessarily be the views held by McLaren Technology Group Limited.
<br>
McLaren Technology Group Limited | McLaren Technology Centre | Chertsey Road | Woking | Surrey | GU21 4YH | UK | Company Number: 01967715<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<br clear="both">
The contents of this e-mail are confidential and for the exclusive use of the intended recipient. If you are not the intended recipient you should not read, copy, retransmit or disclose its contents. If you have received this email in error please delete it from your system immediately and notify us either by email or telephone. The views expressed in this communication may not necessarily be the views held by McLaren Technology Group Limited. <br>
McLaren Technology Group Limited | McLaren Technology Centre | Chertsey Road | Woking | Surrey | GU21 4YH | UK | Company Number: 01967715<br>
</body></html>