The tcpdump looks good and there doesn’t appear to be any drops. I should also mention that the syslog servers are behind a Netscaler load balancer doing round
robin load balancing between two different syslog-ng servers that are setup exactly the same. I have about 10 different sources send logs to these syslog servers and all of them are writing to disk except this particular source (cisco_asa).
Thanks
Ed
10:24:21.525178 IP (tos 0x0, ttl 254, id 3483, offset 0, flags [none], proto UDP (17), length 190)
x.x.x.x > x.x.x.x: SYSLOG, length: 162
Facility local4 (20), Severity debug (7)
Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr x.x.x.x: Session Attribute endpoint.am["539"].description="Trend Micro OfficeScan Client"\0x0a
10:24:21.525179 IP (tos 0x0, ttl 254, id 15604, offset 0, flags [none], proto UDP (17), length 166)
x.x.x.x > x.x.x.x: SYSLOG, length: 138
Facility local4 (20), Severity debug (7)
Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr x.x.x.x: Session Attribute endpoint.am["539"].version="12.0.5400"\0x0a
10:24:21.525368 IP (tos 0x0, ttl 254, id 19622, offset 0, flags [none], proto UDP (17), length 193)
x.x.x.x > x.x.x.x: SYSLOG, length: 165
Facility local4 (20), Severity debug (7)
Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr x.x.x.x: Session Attribute endpoint.anyconnect.devicetype = "Dell Inc. Latitude 5290 2-in-1"\0x0a
From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu]
On Behalf Of Balazs Scheidler
Sent: Thursday, April 30, 2020 10:50 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslogs not writing to disk
Tcpdump shows data that is later dropped by the packet filter, so make sure that iptables lets the packets through.
Another potential culprit is selinux, check for violations in the kernel log.
On Thu, Apr 30, 2020, 16:20 Rose, Ed <Ed_Rose@mentor.com> wrote:
Hello All,
I have syslog-ng setup currently setup to write to disk and forward events on to a different syslog server. Syslog isn’t writing to disk it seems. I do not see any errors either, unless I am not looking in the right place for the errors. Tcpdump –v host x.x.x.x shows data coming in from the host but a tail –f ${HOST}/log_${HOST} shows no logs going to disk.
Thanks
Ed
syslog-ng 3 (3.14.1)
Config version: 3.14
Installer-Version: 3.14.1
Revision:
Module-Directory: /usr/lib64/syslog-ng
Module-Path: /usr/lib64/syslog-ng
Available-Modules: afmongodb,sdjournal,linux-kmsg-format,appmodel,date,pseudofile,afamqp,syslogformat,csvparser,cef,tags-parser,affile,afsocket,afstomp,tfgetent,json-plugin,confgen,system-source,stardate,graphite,dbparser,afprog,xml,add-contextual-data,snmptrapd-parser,cryptofuncs,kvformat,disk-buffer,basicfuncs,afuser,map-value-pairs
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on
filter f_awanra1 { host("x.x.x.x"); };
filter f_bwanra1 { host("x.x.x.x"); };
filter f_cwanra1 { host("x.x.x.x"); };
destination d_ciscoasa { file("/var/log2/gns/cisco_asa/${HOST}/log_${HOST}" create-dirs(yes) dir-perm(0755) dir-group(splunk) perm(0640) group(splunk)); };
destination d_uid1 { tcp("x.x.x.x" port(514) ); };
destination d_uid2 { tcp("x.x.x.x" port(514) ); };
destination d_uid3 { tcp("x.x.x.x" port(514) ); };
destination d_uid4 { tcp("x.x.x.x" port(514) ); };
log { source(s_net); filter(f_amywanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };
log { source(s_net); filter(f_cnswanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };
log { source(s_net); filter(f_demwanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq