<div dir="ltr"><div>Dear Anatoly,</div><div><br></div><div>I would recommend you to stop the syslog-ng service, and start it in the foreground, in debug mode, with:</div><div># syslog-ng -Fedv</div><div><br></div><div>Or possibly direct all its output to a file, and then try sending in the test logs, and subsequently check the debug output to see whether syslog-ng has received the logs.</div><div>(It will report all incoming logs, so in the debug output you should see it even if it's not written to the destination file for some reason.)</div><div>Also in the debug output you should see any file creation related error messages, if there are any.</div><div>If you don't see your test logs in the debug output, then the cause is likely something outside of syslog-ng's scope.</div><div><br></div><div>BTW do you have SELinux enabled?</div><div>(I would not think so though, because syslog-ng was allowed to bind to UDP/3514, a non-standard port, which SELinux would prevent, if in enforcing mode.)</div><div><br></div><div>Best Regards,</div><div>János<br></div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr">--</div><div dir="ltr">Janos SZIGETVARI<br><span>RHCE, License no. <a href="https://www.redhat.com/rhtapps/verify/?certId=150-053-692" target="_blank">150-053-692</a></span><br></div><div dir="ltr"><span><br></span></div><div dir="ltr"><span>LinkedIn: <a href="http://linkedin.com/in/janosszigetvari" target="_blank">linkedin.com/in/janosszigetvari</a></span><br><br>__@__˚V˚<br>Make the switch to open (source) applications, protocols, formats now:<br>- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice<br>- msn -> jabber protocol (Pidgin, Google Talk)<br>- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Anatoly Pugachev <<a href="mailto:matorola@gmail.com">matorola@gmail.com</a>> ezt írta (időpont: 2020. febr. 19., Sze, 12:29):<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello!<br>
<br>
Can someone help me with network logging with syslog-ng :<br>
<br>
# rpm -q syslog-ng<br>
syslog-ng-3.25.1.239.g0535e8a-1.el7.x86_64<br>
<br>
# rpm -qf /etc/os-release<br>
centos-release-7-7.1908.0.el7.centos.x86_64<br>
<br>
server is centos 7 x86_64 vm<br>
<br>
/etc/syslog-ng/syslog-ng.conf is in the default configuration (no<br>
changes made from rpm package installed), have additional<br>
configuration in :<br>
<br>
# cat conf.d/mtcaptive.conf<br>
source s_mtcaptive { network( ip("0.0.0.0") port(3514) transport("udp")); };<br>
destination d_mtcaptive { file("/var/log/mt-captive-remote"); };<br>
log { source(s_mtcaptive); destination(d_mtcaptive); };<br>
<br>
<br>
If i try to log a test message with logger on a localhost (where<br>
syslog-ng runs):<br>
<br>
[root@localhost syslog-ng]# logger -d -i -n 172.16.3.50 -P 3514 "test<br>
from localhost"<br>
<br>
it does work and appears in /var/log/mt-captive-remote :<br>
<br>
$ tail -1 /var/log/mt-captive-remote<br>
Feb 19 06:15:01 172.16.3.50 root[11326]: test from localhost<br>
<br>
But if i try the same command on a nearby host (vm2, same L2 network,<br>
but different IP network), it does not logged, but udp packet with<br>
test messages is received by host:<br>
<br>
[root@vm2 ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from vm2"<br>
<br>
back to syslog-ng host:<br>
<br>
# ngrep -d ens224 -n 10 "test from" "udp and port 3514"<br>
interface: ens224 (<a href="http://172.16.3.0/255.255.255.0" rel="noreferrer" target="_blank">172.16.3.0/255.255.255.0</a>)<br>
filter: ( udp and port 3514 ) and ((ip || ip6) || (vlan && (ip || ip6)))<br>
match: test from<br>
##########################################################################################################################################################################################################################<br>
U <a href="http://100.64.128.5:24046" rel="noreferrer" target="_blank">100.64.128.5:24046</a> -> <a href="http://172.16.3.50:3514" rel="noreferrer" target="_blank">172.16.3.50:3514</a> #218<br>
<5>Feb 19 06:20:27 root[31663]: test from vm2.<br>
#####################################################################################################^Cexit<br>
319 received, 1 matched<br>
<br>
<br>
looking at socket status on syslog-ng host:<br>
<br>
# ss -unlp | grep 3514<br>
UNCONN 0 0 *:3514 *:*<br>
users:(("syslog-ng",pid=11198,fd=23))<br>
<br>
no firewall or iptables rules (default all ACCEPT).<br>
<br>
Can someone suggest why syslog-ng does not log remote messages to my<br>
destination file?<br>
<br>
Thanks.<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>