Hi Team,

I am trying to configure syslog-ng on one of our Linux instances to get NGIPS/FMC data via a UDP connection on its default port (514). I have configured syslog-ng.conf under /etc/syslog-ng and then we have set SELinux to Permissive. I am using RHEL 8.7 and syslog version 4.0. Apparently all looked good to me; however, while checking the destination path that is mentioned, I don't see any directory or logfile for the said UDP connection getting created.

Below are our observations and the steps that we executed. Can any of you please help me by telling me where I went wrong or if I am missing something? There is another test in the pipeline that is stalled for this –

  1. Define source, destination and log_file in syslog-ng.conf (file attached).
  2. Run the below SELinux commands –

# ausearch -c 'syslog-ng' --raw | audit2allow -M my-syslogng
# semodule -X 300 -i my-syslogng.pp

  3. Restart the syslog-ng service –

# systemctl restart syslog-ng.service (no error message received)

  4. Check if the service is running –

  5. Check if syslog-ng is listening on UDP port 514 –

  6. Checked and we have an incoming data stream from the source using the below command –

tcpdump -i any -c10 -nn -A port 514

  7. I have gone through the syslog-ng troubleshooting steps mentioned in the link –

https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.37/administration-guide/105#TOPIC-1829320

syslog-ng -Fdev command output is also attached.

  8. While running the following command I got the below output – # watch '/usr/sbin/syslog-ng-ctl stats | grep "^center"'

  9. # journalctl command output (first 500 lines) attached

  10. Current SELinux status:

  11. Our syslog-ng is logging to /var/log/messages and we are getting this message in /var/log/messages –

Thanks & Regards,

Sumanta Banerjee

Splunk Admin | CISO | Aviva Group

Tel: +91-8420892593

24x7x365: +44 1603 208 582

sumanta.banerjee@aviva.com

GlobalCyberSecurityEngineeringTeam@aviva.com

www.aviva.com

Wipro Technologies - SJP2, Bangalore, India
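For reference, a minimal UDP/514 source, per-sender file destination and log path of the kind the post describes. This is an added example, not the poster's attached syslog-ng.conf; the names s_fmc and d_fmc and the /var/log/fmc path are assumptions.

```syslog-ng
@version: 4.0
@include "scl.conf"

# Constructed example: listen for FMC/NGIPS syslog on UDP 514.
# Source name and bind address are assumptions for this example.
source s_fmc {
    network(
        ip("0.0.0.0")
        transport("udp")
        port(514)
    );
};

# One file per sending host and day. The directory under /var/log/fmc
# is only created when the first message is written, so an empty
# /var/log/fmc is expected until data actually flows through the log path.
destination d_fmc {
    file("/var/log/fmc/${HOST}/${YEAR}${MONTH}${DAY}.log"
        create-dirs(yes)
        dir-perm(0750)
        perm(0640)
        owner("root")
        group("root")
    );
};

# Without this statement the source is listening but nothing is written.
log {
    source(s_fmc);
    destination(d_fmc);
};
```

Because the file and its directory are created only on the first write, SELinux denials against a new path under /var/log can appear only after traffic arrives, so the ausearch/audit2allow step is worth repeating once messages have been received. Comparing the `src.network` and `dst.file` counters from `syslog-ng-ctl stats` shows whether messages stop at the source or at the destination.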
