<div dir="ltr">So I upgraded to syslog-ng 3.18 and it has syslog-ng-debun options. I was reading through the documentation, and when I issue syslog-ng-debun -d -P 'port 12201', should I see anything on standard out? All that happened was that it displayed the options for the command. That is all that happened when I issued the command below in this email. I tried to run syslog-ng-debun -r and that executed and created a tarball.<div>





<pre>
syslog-ng-debun -d -P 'port 12201'
Usage: syslog-ng-debun [OPTIONS]

General Options:
  -r            Run actual information gathering
  -h            Show this help page
  -R [dir]      Syslog-ng-PE's alternate install dir, instead of /opt/syslog-ng
  -W [dir]      Work dir, where debug bundle will be placed
  -l            "light" collect: Don't get data, which may disturb your sense about
                privacy, like process tree, fstab, etc. If you use with -d, then it
                will also enlighten that's params: -Fev

Debug mode options:
  -d            Debug with params: -Fedv --enable-core
                Warning! May increase disk io during the debug,
                and dumps huge amount of data!
  -D [params]   Debug with custom params
  -w [sec]      Wait [sec] seconds before start syslog's debug mode, and
                start realtime watching of it
  -t [sec]      Timeout for noninteractive debug

Packet capture options:
  -i [iface]    Capture packets on specified interface
  -p            Create packet capture with filter: port 514 or port 601 or port 53
  -P [params]   Create packet capture with custom filter
  -t [sec]      Timeout for noninteractive debug

Syscall tracing options:
  -s            Trace syslog
  -t [sec]      Timeout for noninteractive debug
</pre>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:"Helvetica Neue";min-height:14px"><br></p></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Nov 7, 2018 at 7:22 PM PÁSZTOR György <<a href="mailto:pasztor@linux.gyakg.u-szeged.hu">pasztor@linux.gyakg.u-szeged.hu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
"Rodney Bizzell" <<a href="mailto:hardworker30@gmail.com" target="_blank">hardworker30@gmail.com</a>> wrote on 2018-11-07 at 15:14:<br>
> I can try that but I echoed a message from the syslog server to the graylog<br>
> server and that worked<br>
<br>
What exactly does it mean that you "echoed" a message?<br>
echo -ne '{some json formatted graylog message}\0' | nc graylog.server 12201<br>
?<br>
<br>
Can you please share the details?<br>
It's really hard to guess what you exactly thought of. And I don't have my<br>
magic crystal sphere with me to have a more reliable guess.<br>
<br>
Have you run a tcpdump to check communication between syslog-ng and<br>
graylog? Could you please share the pcap file?<br>
<br>
You only shared the debug messages of the syslog-ng initialization.<br>
But we haven't seen in your other mail what the debug mode says if you send<br>
in a message which should end up on the graylog server.<br>
Well, this is what debug mode is for: to debug situations like this.<br>
<br>
At this point it could be also useful, if this test system doesn't contain<br>
any sensitive information, to start a debug bundle run, and share the<br>
result:<br>
When your config is ready, etc. just use these parameters for the debun<br>
command:<br>
syslog-ng-debun -d -P 'port 12201'<br>
<br>
It will stop the system's syslog-ng service, restart it in debug mode,<br>
collect the data, and wait for your input on when to stop collecting data.<br>
So, while it runs in debug mode, on a second terminal please try to send a<br>
log message that is destined to reach the graylog server.<br>
Wait a couple of seconds.<br>
Then hit Enter on the first terminal where the data collection is<br>
running.<br>
It will pack the collected data into a tarball and notify you where the<br>
resulting file is. Then please share that file with us.<br>
<br>
I think that is the most straightforward way to solve this mystery.<br>
<br>
Regards,<br>
Gyu<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
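The second-terminal test described in the quoted reply, as an added example that is not part of either message: one probe goes through the local syslog-ng, and a second one goes straight to Graylog as a null-terminated GELF message, which is the framing the `echo ... | nc` line in the reply sketches. The host `graylog.server` and port 12201 come from the reply; the function names, the `debun-probe` tag, the `_test_id` field and the GELF 1.1 field layout are assumptions, as is a syslog-ng config that routes local messages to Graylog.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the _test_id field
# are hypothetical; graylog.server and port 12201 come from the quoted reply.

# Escape a value for a JSON string: backslash and double quote are escaped,
# newline/tab/CR are flattened to spaces.
json_escape() {
    printf '%s' "$1" | tr '\n\t\r' '   ' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# gelf_message HOST TEXT ID: print one GELF 1.1 JSON object.
gelf_message() {
    printf '{"version":"1.1","host":"%s","short_message":"%s","level":6,"_test_id":"%s"}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# gelf_frame HOST TEXT ID: the same object followed by the NUL byte that
# delimits GELF messages on a TCP input.
gelf_frame() {
    gelf_message "$1" "$2" "$3"
    printf '\0'
}

# probe_direct SERVER PORT ID: send straight to Graylog, bypassing syslog-ng.
probe_direct() {
    gelf_frame "$(hostname)" "direct probe $3" "$3" | nc -w 3 "$1" "$2"
}

# probe_via_syslog ID: hand a message to the local syslog-ng through
# /dev/log (assumes the config routes local messages to Graylog).
probe_via_syslog() {
    logger -t debun-probe "syslog-ng probe $1"
}

# Second terminal, while the debug run waits in the first one:
#   id="probe-$(date +%s)"
#   probe_via_syslog "$id"
#   probe_direct graylog.server 12201 "$id"
```

With the capture filter `port 12201` from the reply, both probes should show up in the bundle's packet capture if syslog-ng is forwarding. If only the direct probe is there, the message never left syslog-ng and the debug output for that probe id is the place to look.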