<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-GB" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><b>Dear All,<o:p></o:p></b></p>
<p class="MsoNormal"><b><o:p> </o:p></b></p>
<p class="MsoNormal"><b>Can somebody please help me on this – <o:p></o:p></b></p>
<p class="MsoNormal"><b><o:p> </o:p></b></p>
<p class="MsoNormal"><b>I am trying to configure syslog-ng on one of our Linux instances to get NGIPS/FMC data via a UDP connection on its default port (514). I have configured syslog-ng.conf under /etc/syslog-ng and then we have set SELinux to Permissive. I am using RHEL 8.7 and syslog version 4.0. Apparently all looked good to me; however, while checking the destination path that is mentioned in syslog-ng.conf, I don't see any directory or log file for the said UDP connection getting created.
<o:p></o:p></b></p>
<p class="MsoNormal"><b>Below are our observations and the steps that we executed. Can any of you please help me by telling me where I went wrong or whether I am missing something? There is another test in the pipeline that is stalled because of this –
<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">Define source, destination and log_file in syslog-ng.conf (file attached).<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">Run the below SELinux command –<o:p></o:p></li></ol>
<p class="MsoListParagraph"># ausearch -c 'syslog-ng' --raw | audit2allow -M my-syslogng<br>
# semodule -X 300 -i my-syslogng.pp<o:p></o:p></p>
<ol style="margin-top:0in" start="3" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">Restart syslog-ng service –<o:p></o:p></li></ol>
<p class="MsoListParagraph"># systemctl restart syslog-ng.service (no error message received)<o:p></o:p></p>
<ol style="margin-top:0in" start="4" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">Checked whether the syslog-ng service is running – it is showing as active (running), no error message.<o:p></o:p></li></ol>
<p class="MsoListParagraph"><o:p> </o:p></p>
<ol style="margin-top:0in" start="5" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">Checked whether syslog-ng is listening on UDP port 514 – it is listening on it.<o:p></o:p></li></ol>
<p class="MsoListParagraph"><o:p> </o:p></p>
<ol style="margin-top:0in" start="6" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">Checked and confirmed that we have an incoming data stream from the source, using the below command –
<o:p></o:p></li></ol>
<p class="MsoListParagraph"><b>tcpdump -i any -c10 -nn -A port 514<o:p></o:p></b></p>
<p class="MsoListParagraph"><b><o:p> </o:p></b></p>
<ol style="margin-top:0in" start="7" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">I have gone through the syslog-ng troubleshooting steps mentioned in the link below (I haven't found any link for the 4.0.0 version) –
<o:p></o:p></li></ol>
<p class="MsoListParagraph"><a href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.37/administration-guide/105#TOPIC-1829320">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.37/administration-guide/105#TOPIC-1829320</a><o:p></o:p></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<p class="MsoListParagraph"><b>syslog-ng -Fdev command output is also attached.<o:p></o:p></b></p>
<p class="MsoListParagraph"><o:p> </o:p></p>
<ol style="margin-top:0in" start="8" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">While running the following command I got the below output –
<b># watch '/usr/sbin/syslog-ng-ctl stats | grep "^center"'<o:p></o:p></b></li></ol>
<p class="MsoListParagraph"><b>Every 2.0s: /usr/sbin/syslog-ng-ctl stats | grep "^center" np-universal-forwarder-3.splunk: Fri Jun 9 17:05:14 2023<o:p></o:p></b></p>
<p class="MsoListParagraph"><b><o:p> </o:p></b></p>
<p class="MsoListParagraph"><b>center;;received;a;processed;615<o:p></o:p></b></p>
<p class="MsoListParagraph"><b>center;;queued;a;processed;615<o:p></o:p></b></p>
<p class="MsoListParagraph"><b><o:p> </o:p></b></p>
<ol style="margin-top:0in" start="9" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1"><b># journalctl command output (first 500 lines) attached<o:p></o:p></b></li></ol>
<p class="MsoListParagraph"><b><o:p> </o:p></b></p>
<ol style="margin-top:0in" start="10" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">The current SELinux status is set to Permissive.
<b><o:p></o:p></b></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l0 level1 lfo1">Our syslog-ng is logging to /var/log/messages and we are getting this message in /var/log/messages –
<b><o:p></o:p></b></li></ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph"><b>Jun 9 16:57:44 np-universal-forwarder-3.splunk syslog-ng[156121]: Log statistics; processed='global(payload_reallocs)=988', processed='src.journald(s_sys#0,journal)=333', stamp='src.journald(s_sys#0,journal)=1686326226', processed='global(sdata_updates)=0',
queued='global(scratch_buffers_bytes)=0', processed='src.internal(s_sys#1)=1', stamp='src.internal(s_sys#1)=1686325664', processed='destination(d_boot)=0', processed='destination(d_kern)=0', processed='source(s_sys)=334', dropped='global(internal_source)=0',
queued='global(internal_source)=0', processed='global(internal_queue_length)=0', processed='source(s_network)=0', processed='destination(d_spol)=0', processed='destination(d_mlal)=0', processed='destination(d_splunk)=0', processed='center(received)=334', processed='destination(d_mesg)=34',
processed='destination(d_mail)=0', processed='destination(d_auth)=0', processed='destination(d_cron)=300', queued='global(scratch_buffers_count)=0', processed='center(queued)=334', processed='global(msg_clones)=0'<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB">Thanks & Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;mso-fareast-language:EN-GB">Sumanta Banerjee<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB">Splunk Admin | CISO | Aviva Group<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB">Tel: +91-8420892593<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB">24x7x365: +44 1603 208 582<o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB"><a href="mailto:sumanta.banerjee@aviva.com">sumanta.banerjee@aviva.com</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB"><a href="mailto:GlobalCyberSecurityEngineeringTeam@aviva.com">GlobalCyberSecurityEngineeringTeam@aviva.com</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB"><a href="http://www.aviva.com">www.aviva.com</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB">Wipro Technologies - SJP2, Bangalore, India<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
</div>
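As an added example (not part of the original message or of syslog-ng itself), the following POSIX shell script reads `syslog-ng-ctl stats` CSV records, the same counters the message quotes, and reports where a source-to-destination path stalls: a source that has processed nothing, a destination whose driver has dropped messages, or a destination that no log path feeds. The record set is constructed from the counters in the message; the names s_fmc and d_fmc are hypothetical.

```shell
#!/bin/sh
# Added example: interpret `syslog-ng-ctl stats` CSV records
# (SourceName;SourceId;SourceInstance;State;Type;Number) for a UDP -> file pipeline.
# Constructed sample modelled on the counters in the post; s_fmc / d_fmc are hypothetical.
SAMPLE_STATS='center;;received;a;processed;334
center;;queued;a;processed;334
source;s_sys;;a;processed;334
source;s_network;;a;processed;0
source;s_fmc;;a;processed;12
destination;d_mesg;;a;processed;34
destination;d_splunk;;a;processed;0
destination;d_fmc;;a;processed;12
dst.file;d_fmc#0;/var/log/fmc/fmc.log;a;dropped;12'

# Print one counter value, or 0 when no matching record exists.
# $1 SourceName, $2 SourceId, $3 SourceInstance, $4 counter type, $5 stats text
counter() {
    printf '%s\n' "$5" | awk -F';' -v n="$1" -v i="$2" -v inst="$3" -v t="$4" \
        '$1 == n && $2 == i && $3 == inst && $5 == t { print $6; f = 1 } END { if (!f) print 0 }'
}

# Sum `dropped` over every driver instance of destination $1 (records such as dst.file;d_fmc#0;...).
dropped_total() {
    printf '%s\n' "$2" | awk -F';' -v d="$1" \
        'index($2, d "#") == 1 && $5 == "dropped" { s += $6 } END { print s + 0 }'
}

# Verdict for the path source $1 -> destination $2, given stats text $3.
diagnose() {
    src_n=$(counter source "$1" "" processed "$3")
    dst_n=$(counter destination "$2" "" processed "$3")
    dst_dropped=$(dropped_total "$2" "$3")
    if [ "$src_n" -eq 0 ]; then
        echo SOURCE_IDLE   # packets may reach the host (tcpdump), but syslog-ng parsed none on this source
    elif [ "$dst_dropped" -gt 0 ]; then
        echo DROPPED       # messages reached the destination driver but were dropped (write failure, queue overflow)
    elif [ "$dst_n" -eq 0 ]; then
        echo NO_PATH       # the source delivers messages, but no log {} statement (or a filter) feeds this destination
    else
        echo OK
    fi
}

# Stand-alone run: the post's network source against its Splunk destination.
printf 's_network -> d_splunk: %s\n' "$(diagnose s_network d_splunk "$SAMPLE_STATS")"
```

On a live host, replace the sample with `syslog-ng-ctl stats` output captured into a variable; a zero `source` counter alongside packets seen by tcpdump points at the source definition or its port binding rather than at the destination.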
</body>
</html>