Further,
I have tried setting the kernel parameters, without any luck:

[root@aspsyslog ~]# sysctl -w net.core.rmem_max=8388608
[root@aspsyslog ~]# sysctl -w net.core.rmem_default=1048576

On Wed, Nov 17, 2010 at 5:19 PM, keshava V <mv.keshava@gmail.com> wrote:
I am receiving messages on udp port 514 and nothing on tcp 514. 

17:15:50.816216 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 88
17:15:50.819013 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 191
17:15:50.817631 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
17:15:50.820751 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166
17:15:50.837713 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.alert, length: 126
17:15:50.837730 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.alert, length: 126
17:15:50.898519 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 181
17:15:50.903282 IP 10.41.42.254.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 112

I am running syslog-ng in debug mode, and this is what is being sent to stdout:

[root@aspsyslog ~]#  /opt/syslog-ng/sbin/syslog-ng  -d -v
Running application hooks; hook='1'
Running application hooks; hook='3'

syslog-ng starting up; version='3.1.2'
Incoming log entry; line='<6>device eth0 entered promiscuous mode'
Initializing destination file writer; template='/var/log/messages_syslog-ng.log', filename='/var/log/messages_syslog-ng.log'
Incoming log entry; line='<6>device eth0 left promiscuous mode'
Incoming log entry; line='<6>device eth0 entered promiscuous mode'
Incoming log entry; line='<6>device eth0 left promiscuous mode'
Incoming log entry; line='<6>device eth0 entered promiscuous mode'

On Wed, Nov 17, 2010 at 5:14 PM, keshava V <mv.keshava@gmail.com> wrote:
We had an old syslog-ng server which was completely configured and working fine, but which died. I am using the same IP address, so I can confidently say that the firewall is open and all the messages are arriving at the new server. syslog is writing messages to the destination, but not the messages coming in on udp/tcp 514. I am trying to get it to write to one file and, if that works, then filter all the messages later by host.

I have attached the tcpdump output here; you can see info and debug messages making it to this server:

17:03:47.495842 IP aspsyslog.filenet-cm > neo.domain: 32289+ PTR? 41.34.73.10.in-addr.arpa. (42)
17:03:47.496324 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
17:03:47.496373 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
17:03:47.496395 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
17:03:47.496530 IP neo.domain > aspsyslog.filenet-cm: 32289 NXDomain* 0/1/0 (128)
17:03:47.497113 IP aspsyslog.ssh > nim.42783: P 48256:49264(1008) ack 97 win 53 <nop,nop,timestamp 93630177 1310858340>
17:03:47.497603 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166
17:03:47.497635 IP nim.42783 > aspsyslog.ssh: . ack 49264 win 32761 <nop,nop,timestamp 1310858341 93630124>
17:03:47.506126 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 86
17:03:47.506169 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 189
17:03:47.521584 IP 10.140.130.20.filenet-pa > aspsyslog.syslog: SYSLOG daemon.info, length: 107
17:03:47.521615 IP aspsyslog. > 10.140.130.20: ICMP host aspsyslog. unreachable - admin prohibited, length 143
17:03:47.521907 IP aspsyslog.filenet-cm > neo.domain: 57020+ PTR? 20.130.140.10.in-addr.arpa. (44)
17:03:47.522331 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
17:03:47.522504 IP neo.domain > aspsyslog.filenet-cm: 57020 NXDomain* 0/1/0 (132)
17:03:47.523087 IP aspsyslog.ssh > nim.42783: P 49264:50416(1152) ack 97 win 53 <nop,nop,timestamp 93630203 1310858341>
17:03:47.523574 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166
17:03:47.549950 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
17:03:47.549973 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
17:03:47.552109 IP 10.73.34.45.32822 > aspsyslog.syslog: SYSLOG daemon.info, length: 109
17:03:47.552136 IP aspsyslog. > 10.73.34.45: ICMP host aspsyslog. unreachable - admin prohibited, length 145
17:03:47.552410 IP aspsyslog.filenet-cm > neo.domain: 41657+ PTR? 45.34.73.10.in-addr.arpa. (42)
17:03:47.552852 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
17:03:47.553052 IP neo.domain > aspsyslog.filenet-cm: 41657 NXDomain* 0/1/0 (128)
17:03:47.553576 IP aspsyslog.ssh > nim.42783: P 50416:51392(976) ack 97 win 53 <nop,nop,timestamp 93630233 1310858341>
17:03:47.554127 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166
17:03:47.558864 IP 10.140.141.8.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 177
17:03:47.558998 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 188
17:03:47.559027 IP aspsyslog. > 10.140.141.9: ICMP host aspsyslog. unreachable - admin prohibited, length 224
17:03:47.559031 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 188
17:03:47.595714 IP axprod20.filenet-rpc > aspsyslog.syslog: SYSLOG daemon.info, length: 108
17:03:47.595820 arp who-has axprod20. tell aspsyslog.
17:03:47.596053 IP aspsyslog.filenet-cm > neo.domain: 65192+ PTR? 25.130.140.10.in-addr.arpa. (44)
17:03:47.596226 IP aspsyslog. > axprod20.: ICMP host aspsyslog. unreachable - admin prohibited, length 144
17:03:47.596434 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
17:03:47.596540 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
17:03:47.596549 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 86

On Wed, Nov 17, 2010 at 5:02 PM, Worsham, Michael <mworsham@scires.com> wrote:

Try running the syslog-ng application in debug mode: "syslog-ng -d -v" and see what the output is to the screen for the UDP connection and destination attempts.

From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of keshava V
Sent: Wednesday, November 17, 2010 5:59 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng not receiving messages

Messages from the kernel and syslog-ng are being written to the destination file, but not the ones coming in on udp 514, as seen below.

[root@aspsyslog ~]# ls -ltr /var/log/messages_syslog-ng.log
-rw-r--r-- 1 root root 24645 2010-11-17 15:32 /var/log/messages_syslog-ng.log

Nov 17 14:28:55 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;
Nov 17 14:29:40 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;
Nov 17 14:30:09 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;
Nov 17 14:36:33 s_all@aspsyslog syslog-ng[4460]: Termination requested via signal, terminating;
Nov 17 14:36:33 s_all@aspsyslog syslog-ng[4460]: syslog-ng shutting down; version='3.1.2'
Nov 17 14:36:40 s_all@aspsyslog syslog-ng[8051]: syslog-ng starting up; version='3.1.2'
Nov 17 14:40:49 s_all@aspsyslog syslog-ng[8051]: Configuration reload request received, reloading configuration;
Nov 17 14:47:07 s_all@aspsyslog syslog-ng[8051]: Termination requested via signal, terminating;
Nov 17 14:47:07 s_all@aspsyslog syslog-ng[8051]: syslog-ng shutting down; version='3.1.2'
Nov 17 14:55:43 s_all@aspsyslog kernel: device eth0 entered promiscuous mode
Nov 17 14:56:09 s_all@aspsyslog kernel: device eth0 left promiscuous mode
Nov 17 14:58:04 s_all@aspsyslog kernel: device eth0 entered promiscuous mode
Nov 17 14:58:11 s_all@aspsyslog kernel: device eth0 left promiscuous mode

On Wed, Nov 17, 2010 at 4:29 PM, Martin Holste <mcholste@gmail.com> wrote:

Hm, maybe a permissions issue with writing?  Try putting in
/tmp/somefile as the destination and see if that works.  Also, you
should verify that messages are in fact arriving on the server using
tcpdump.


On Wed, Nov 17, 2010 at 3:44 PM, keshava Veerabhadraiah
<mv.keshava@gmail.com> wrote:
> Hi
> I am new to syslog-ng and I have gone through other posts to see if I can
> get a resolution to my problem.
> Syslog is not writing to the destination file any messages received on udp()
> or tcp().
> I have made sure that the syslog server is receiving the syslog messages, as seen
> from the tcpdump:
>
>
> 15:09:55.422423 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.warning, length: 153
> 15:09:55.434638 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 184
> 15:09:55.470383 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 176
> 15:09:55.473519 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 190
> 15:09:55.493361 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 180
> 15:09:55.493748 IP aspsyslog.sungardebs.com.ssh > nim.sungardebs.com.42703: P 128608:129696(1088) ack 289 win 461 <nop,nop,timestamp 88706531 1310848493>
> 15:09:55.495519 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 188
> 15:09:55.495548 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.debug, length: 90
> 15:09:55.495556 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.debug, length: 85
> 15:09:55.521115 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.debug, length: 87
> 15:09:55.521188 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 188
> 15:09:55.522041 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 175
> 15:09:55.522212 IP 10.140.141.7.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 164
>
> Here is how my syslog-ng config looks.
>
> @version: 3.0
> #Default configuration file for syslog-ng.
> #
> # For a description of syslog-ng configuration file directives, please read
> # the syslog-ng Administrator's guide at:
> #
> # http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
> #
>
> options {
>     chain_hostnames(no);
>     create_dirs (no);
>     dir_perm(0755);
>     dns_cache(no);
>     keep_hostname(yes);
>     log_fifo_size(2048);
>     log_msg_size(1024);
>     log_iw_size (500);
>     long_hostnames(on);
>     perm(0644);
>     stats_freq(3600);
>     flush_lines(100);
>     time_reopen (10);
>     use_dns(no);
>     use_fqdn(yes);
> #    max_connections(100);
>
> };
>
> source s_all {
> udp(so_rcvbuf(2048576));
> tcp();
> unix-stream("/dev/log");
> internal();
> file("/proc/kmsg");
> };
>
> destination d_file_normal {file("/var/log/messages_syslog-ng.log"); };
>
> log { source(s_all); destination (d_file_normal); };
>
>
> Any help would be greatly appreciated.
>
> Thanks
>

> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
>


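An added example, not from the thread: a small Python script that reads tcpdump output like the captures quoted above and separates the syslog senders the host accepted from those it answered with "ICMP host unreachable - admin prohibited", which is the reply a local iptables REJECT rule sends, so those senders' messages never reach syslog-ng regardless of its source() definition. The sample lines are constructed from the thread's own captures; the function names are assumptions of this example.

```python
import re
from collections import Counter

# Sample input, constructed from the tcpdump lines quoted in the thread above.
SAMPLE_DUMP = """\
17:03:47.496324 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
17:03:47.521584 IP 10.140.130.20.filenet-pa > aspsyslog.syslog: SYSLOG daemon.info, length: 107
17:03:47.521615 IP aspsyslog. > 10.140.130.20: ICMP host aspsyslog. unreachable - admin prohibited, length 143
17:03:47.552109 IP 10.73.34.45.32822 > aspsyslog.syslog: SYSLOG daemon.info, length: 109
17:03:47.552136 IP aspsyslog. > 10.73.34.45: ICMP host aspsyslog. unreachable - admin prohibited, length 145
17:03:47.558998 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 188
17:03:47.559027 IP aspsyslog. > 10.140.141.9: ICMP host aspsyslog. unreachable - admin prohibited, length 224
17:03:47.559031 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 188
17:03:47.595714 IP axprod20.filenet-rpc > aspsyslog.syslog: SYSLOG daemon.info, length: 108
17:03:47.596226 IP aspsyslog. > axprod20.: ICMP host aspsyslog. unreachable - admin prohibited, length 144
17:03:47.596549 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 86
"""

# A syslog datagram as tcpdump prints it: "<src>.<sport> > <dst>.syslog: SYSLOG <facility.level>, ..."
SYSLOG_RE = re.compile(r"^\S+ IP (?P<src>\S+?)\.(?P<sport>[\w-]+) > \S+\.syslog: SYSLOG (?P<prio>[\w.]+),")
# The reply a host-firewall REJECT rule sends back (tcpdump wording for icmp-host-prohibited).
REJECT_RE = re.compile(r"^\S+ IP \S+ > (?P<dst>\S+): ICMP host \S+ unreachable - admin prohibited")

def classify_senders(dump_text):
    """Return ({sender: syslog datagrams seen}, {sender: admin-prohibited replies seen})."""
    sent = Counter()
    rejected = Counter()
    for line in dump_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            sent[m.group("src").rstrip(".")] += 1  # tcpdump may print a host as "name." with a trailing dot
            continue
        m = REJECT_RE.match(line)
        if m:
            rejected[m.group("dst").rstrip(".")] += 1
    return sent, rejected

def blocked_senders(dump_text):
    """Senders whose syslog traffic drew at least one admin-prohibited reply, sorted."""
    sent, rejected = classify_senders(dump_text)
    return sorted(h for h in sent if rejected[h])

def accepted_senders(dump_text):
    """Senders that sent syslog and were never rejected; only these can reach syslog-ng at all."""
    sent, rejected = classify_senders(dump_text)
    return sorted(h for h in sent if not rejected[h])

if __name__ == "__main__":
    for host in blocked_senders(SAMPLE_DUMP):
        print(f"{host}: syslog rejected by host firewall (ICMP admin prohibited)")
```

ICMP replies are rate limited, so the rejection count per sender is a lower bound; a sender listed as blocked is one to check against the INPUT chain rather than against syslog-ng's configuration.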