<div dir="ltr">Perfect - you know the packets are getting there - so that's done.<div><br></div><div>Now take a look at what creates the logging - as a test, try taking out the filter. </div><div><br></div><div>It is a bit confusing, but HOST, HOST_FROM and FULLHOST_FROM are very different (you can read the details here):</div><div><a href="https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-macros.html">https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-macros.html</a><br></div><div><br></div><div>You might find that HOST_FROM works better if the logs come directly from the FWs to the syslog server.</div><div><br></div><div>But if you take out the filter and it creates the files - you will know where to work.</div><div><br></div><div>Best,</div><div>Jim</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 24, 2017 at 10:06 AM, Tim Tyler <span dir="ltr"><<a href="mailto:tyler@beloit.edu" target="_blank">tyler@beloit.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="#0563C1" vlink="#954F72"><div class="m_-2454588525498911475WordSection1"><p class="MsoNormal">Syslog-ng experts.</p><p class="MsoNormal"> I am very new to syslog-ng. I installed syslog-ng on a fresh Red Hat 7.3 server. It works with internal logging by default. So I configured my firewall to send syslog with facility set to log_user. I turned on Wireshark on the syslog-ng server and observed the firewall sending traffic to the server on UDP 514. </p><p class="MsoNormal"> </p><p class="MsoNormal">But the syslog server never created the directory structure and logs. I disabled the Red Hat firewall just to eliminate it as a possibility. Still no logging. So I don’t know what I am doing wrong at this point. 
I don’t know if this is a permission problem or some other configuration issue. I found someone who had posted a very basic syslog-ng configuration for firewalls. So I copied it into a firewall.conf that I put in conf.d. Can anyone see what might be wrong with it?</p><p class="MsoNormal"> </p><pre>####################
options {
 create_dirs(yes);
 owner(root);
 group(root);
 perm(0640);
 dir_owner(root);
 dir_group(root);
 dir_perm(0750);
};


##################################################
source s_udp {
 udp(port(514));
};

#Template for a new firewall in the firewalls.conf file
#Entries to be changed: NAMEOFTHEFIREWALL and IPOFTHEFIREWALL

##################################################
filter f_NAMEOFTHEFIREWALL {
 host("192.168.30.1");
};
destination d_NAMEOFTHEFIREWALL {
 file("/var/log/firewalls/PA/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.PA.log");
};
log {
 source(s_udp);
 filter(f_NAMEOFTHEFIREWALL);
 destination(d_NAMEOFTHEFIREWALL);
};
</pre><p class="MsoNormal"> </p><p class="MsoNormal">Tim Tyler</p><p class="MsoNormal">Network Engineer</p><p class="MsoNormal">Beloit College</p><p class="MsoNormal"> </p></div></div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/<wbr>mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/<wbr>support/documentation/?<wbr>product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/<wbr>syslog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>
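<div><br></div><div>The troubleshooting sequence Jim describes, as an added example that is not part of either message in this thread: first an unfiltered log path that proves the source and directory permissions work, then the original <code>host()</code> filter next to two filters that select on the sending peer's address ($HOST_FROM) rather than on the $HOST field that syslog-ng derives for the message. The IP 192.168.30.1 and the PA destination path are taken from Tim's post; the <code>@version</code> line, the <code>d_all</code> path and all filter names are assumptions for illustration.</div>

```conf
# Added example for the thread above, not code from either poster.
# Adjust @version to the output of `syslog-ng --version` (3.5 is assumed).
@version: 3.5

options {
    create_dirs(yes);
    dir_perm(0750);
    perm(0640);
    # OSE defaults are keep_hostname(no) and use_dns(yes): syslog-ng
    # rewrites $HOST from the sender address (reverse DNS name if the
    # address resolves), so $HOST is not guaranteed to equal the IP
    # string that the host() filter below is written against.
};

source s_udp {
    udp(port(514));
};

# Step 1 (Jim's test): no filter at all. If this file gets created, the
# source, create_dirs and permissions are fine and the filter is what
# keeps the firewall messages from reaching the PA destination.
destination d_all {
    file("/var/log/firewalls/all/$YEAR-$MONTH-$DAY.log");  # assumed path
};
log { source(s_udp); destination(d_all); };

# The filter from the original post: host() is matched against $HOST,
# the hostname syslog-ng attributes to the message (taken from the
# header or rewritten from the sender, depending on keep_hostname/use_dns).
filter f_fw_by_host {
    host("192.168.30.1");
};

# Selects on $HOST_FROM, the address of the peer that delivered the
# datagram to syslog-ng, independent of what the firewall wrote in its
# syslog header. "eq" is the string comparison operator.
filter f_fw_by_host_from {
    "${HOST_FROM}" eq "192.168.30.1";
};

# Same selection expressed with netmask(), which compares the sender's
# IP address against a subnet (here a single host).
filter f_fw_by_netmask {
    netmask("192.168.30.1/32");
};

destination d_pa {
    file("/var/log/firewalls/PA/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.PA.log");
};

# Step 2: once d_all proves delivery works, switch the PA log path to a
# filter that keys on the sending address.
log {
    source(s_udp);
    filter(f_fw_by_host_from);
    destination(d_pa);
};
```

<div>Check the file with <code>syslog-ng -s -f /etc/syslog-ng/conf.d/firewall.conf</code> before reloading; running the daemon in the foreground with <code>syslog-ng -Fevd</code> prints each incoming message with the $HOST and $HOST_FROM values it assigned, which shows directly whether the two differ for the firewall's traffic.</div>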