<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
The most likely reason is that another application also listens on this IP:port pair (this is possible in the case of UDP, and in that case the packets will be captured by the app that was started later).</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Check the output of <b>netstat -anu | grep 514</b> when syslog-ng does not capture the UDP packets. You should see only one line here.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Otherwise, you should check the debug log of syslog-ng (<b>syslog-ng -Fevd</b>); perhaps there is some useful information there.</div>
<div id="appendonsend"></div>
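<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
The listener check suggested in the reply, as an added example that is not part of the thread: the functions below read <b>netstat -anu</b> (or <b>ss -ulnp</b>, which additionally prints the owning process) output and report every UDP socket bound to a given port, so a second listener on the same IP:port pair, or on the wildcard address 0.0.0.0 / ::, stands out. The two netstat-style samples embedded in the script are constructed for the demonstration, not captured from the poster's host; the IP 10.46.105.34 is the one from the quoted configuration.</div>

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread): find every UDP socket
# bound to a given port from "netstat -anu" or "ss -ulnp" output.

# udp_listeners PORT
#   Reads netstat/ss output on stdin and prints the local address of every
#   socket whose local port is PORT. The local-address column is the first
#   field ending in ":PORT"; the peer column ends in ":*" so it never matches,
#   and header words such as "Address:Port" do not match either.
udp_listeners() {
    awk -v port="$1" '
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ (":" port "$")) { print $i; break }
            }
        }'
}

# count_udp_listeners PORT
#   Number of sockets bound to PORT (0 means nothing listens there at all).
count_udp_listeners() {
    udp_listeners "$1" | awk 'NF { c++ } END { print c + 0 }'
}

# check_port_conflict PORT
#   Exit 0 when exactly one socket owns PORT, 1 otherwise (none, or more than
#   one: the situation the reply describes, where the process started later
#   may receive the datagrams instead of syslog-ng).
check_port_conflict() {
    listeners=$(udp_listeners "$1")
    n=$(printf '%s\n' "$listeners" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$n" -eq 1 ]; then
        return 0
    fi
    printf 'expected one UDP listener on port %s, found %s:\n%s\n' \
        "$1" "$n" "$listeners" >&2
    return 1
}

# Constructed sample in "netstat -anu" format (not real output): a wildcard
# bind on 514, syslog-ng's bind on the application IP, and an IPv6 wildcard.
SAMPLE_CONFLICT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 10.46.105.34:514        0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp6       0      0 :::514                  :::*'

# Constructed sample where only syslog-ng owns port 514.
SAMPLE_OK='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 10.46.105.34:514        0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*'

# On the real host run:  netstat -anu | udp_listeners 514
#                   or:  ss -ulnp | udp_listeners 514
# Offline demonstration against the constructed samples:
printf '%s\n' "$SAMPLE_CONFLICT" | udp_listeners 514
if printf '%s\n' "$SAMPLE_CONFLICT" | check_port_conflict 514; then
    echo "port 514: single listener, no conflict"
else
    echo "port 514: conflict, more than one socket is bound"
fi
```

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Running the check as root (netstat -anup or ss -ulnp) also prints the PID and program name per socket, which tells you which service to stop or rebind. Remember that the functions only see sockets bound on the host; a packet that tcpdump shows on the wire but no socket receives is a different problem (firewall or routing), which the debug log mentioned in the reply is the place to look at.</div>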
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng &lt;syslog-ng-bounces@lists.balabit.hu&gt; on behalf of William Luiz Ribeiro Vasconcelos Da Silva &lt;wsilva_ericsson@timbrasil.com.br&gt;<br>
<b>Sent:</b> Friday, 8 November 2019 16:28<br>
<b>To:</b> syslog-ng@lists.balabit.hu &lt;syslog-ng@lists.balabit.hu&gt;<br>
<b>Subject:</b> [syslog-ng] Syslog-ng don't Listening UDP packets PORT(514) - Problem History</font>
<div> </div>
</div>
<style type="text/css" style="display:none">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div dir="ltr">
<br>
<div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<span style="margin:0px">Good Morning,</span><br>
</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<br>
</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
Yesterday, we performed the first test of syslog-ng 3.24 OSE on a RHEL 7.6 VM in our customer's production environment.<br>
</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<br>
</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<span style="margin:0px"> And we identified a very strange behavior.</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<span style="margin:0px"><br>
</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<span style="margin:0px"> We saw through tcpdump that packets were being received by the network card but were not captured by syslog-ng.</span><br>
</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<br>
</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<span style="margin:0px"><span style="margin:0px"> We have a UDP packet send simulator, and when I pointed my simulator at another IP on the same machine (<span style="margin:0px; background-color:rgb(255,255,255); display:inline!important">the users'
connection IP)</span>, syslog-ng does the capturing and consequently the processing we put into the syslog-ng.conf file.</span><br>
</span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<span style="margin:0px"><span style="margin:0px"><br>
</span></span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<span style="margin:0px"><span style="margin:0px"> What kind of TROUBLESHOOTING can we do in order to identify the reason why syslog-ng captures packets on the users' connection IP, but on the application connection IP it doesn't identify anything?<br>
</span></span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<br>
</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<span style="margin:0px"><span style="margin:0px"><span style="margin:0px"> We were informed by the client at the beginning of our project that syslog should always capture all UDP packets received on the application IP.</span><br>
</span></span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<span style="margin:0px"><span style="margin:0px"><span style="margin:0px"><br>
</span></span></span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<span style="margin:0px"><span style="margin:0px"><span style="margin:0px"> This is the configuration of the "source" we have on this machine in our client's production environment.<br>
</span></span></span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<span style="margin:0px"><span style="margin:0px"><span style="margin:0px"><br>
</span></span></span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<span style="margin:0px"><span style="margin:0px"><span style="margin:0px"><br>
</span></span></span></div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<pre style="margin:0px">source s_model {
    #udp(port(514));
    udp(ip(10.46.105.34) port(514));
    # udp();
    #network(transport("udp"));
    #network(
    #    ip("10.46.105.34")
    #    transport("udp")
    #);
};
</pre>
<br>
</div>
<div style="margin:0px; font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255)">
<span style="margin:0px"><span style="margin:0px"><span style="margin:0px">Thanks,</span></span></span></div>
<br>
<br>
</div>
<br>
<font size="-2">
<p>This message, including its attachments, may contain privileged or confidential information, and it must not be forwarded without the express authorization of the sender. If you are not the intended recipient, we hereby inform you that its use, disclosure, copying or filing is forbidden. So, if you received this message by mistake, please inform us by answering this e-mail and delete its contents.
</p>
</font>
</div>
</div>
</body>
</html>