Hello Everyone, I installed syslog-ng on a new machine, however in initial tests, there was no collection of UDP packages by syslog-ng. Here are some points I checked: sudo netstat -plunt | grep -e PID -e syslog Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:601 0.0.0.0:* LISTEN 16169/syslog-ng udp 0 0 10.96.145.42:514 0.0.0.0:* 16169/syslog-ng netstat -anu | grep 514 udp 0 0 10.96.145.42:514 0.0.0.0:* [cgnat@mgalnxa01 etc]$ sudo systemctl status syslog-ng -l ● syslog-ng.service - System Logger Daemon Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2020-03-25 12:38:08 -03; 5min ago Process: 114207 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS) Main PID: 16169 (syslog-ng) CGroup: /system.slice/syslog-ng.service └─16169 /opt/syslog-ng/libexec/syslog-ng -F --enable-core Mar 25 12:38:08 mgalnxa01 systemd[1]: Starting System Logger Daemon... Here is an example of the package received via tcpdump, but it was not captured by syslog-ng: 10:46:13.529331 IP (tos 0x20, ttl 251, id 33055, offset 0, flags [none], proto UDP (17), length 243) 10.96.145.98.syslog > mgalnxa01.9514: [udp sum ok] SYSLOG, length: 215 Facility user (1), Severity info (6) Msg: Mar 24 13:46:13 2020 RTCGNMGA0103 RT_NAT: RT_SRC_NAT_PBA_ALLOC: Subscriber 100.64.1.6 used/maximum [2/2] blocks, allocates port block [47104-47167] from 177.51.116.146 in source pool PUBLIC-NAT-POOL-1 lsys_id: 0 0x0000: 3c31 343e 4d61 7220 3234 2031 333a 3436 0x0010: 3a31 3320 3230 3230 2052 5443 474e 4d47 0x0020: 4130 3130 3320 5254 5f4e 4154 3a20 5254 0x0030: 5f53 5243 5f4e 4154 5f50 4241 5f41 4c4c 0x0040: 4f43 3a20 5375 6273 6372 6962 6572 2031 0x0050: 3030 2e36 342e 312e 3620 7573 6564 2f6d 0x0060: 6178 696d 756d 205b 322f 325d 2062 6c6f 0x0070: 636b 732c 2061 6c6c 6f63 6174 6573 2070 0x0080: 6f72 7420 626c 6f63 6b20 5b34 3731 3034 0x0090: 2d34 3731 3637 5d20 6672 6f6d 2031 3737 0x00a0: 2e35 312e 3131 362e 3134 3620 696e 2073 0x00b0: 6f75 7263 6520 706f 6f6c 2050 5542 4c49 0x00c0: 432d 4e41 542d 504f 4f4c 2d31 206c 7379 0x00d0: 735f 6964 3a20 30 What I need to analyze / verify, for syslog-ng will capture this type of package and convert it to a file. Atenciosamente, WILLIAM LUIZ R V SILVA Mediation Ericsson Rua Maria Preste Maia, 300 02879-130, Brazil Phone +55 11 2760-3785 Mobile +55 11 97979-9886 wsilva_ericsson@timbrasil.com.br<mailto:wsilva_ericsson@timbrasil.com.br> www.ericsson.com<http://www.ericsson.com/> [Descricao: Descricao: Ericsson]<http://www.ericsson.com/> Esta mensagem, incluindo seus anexos, pode conter informacoes privilegiadas e/ou de carater confidencial, nao podendo ser retransmitida sem autorizacao do remetente. Se voce nao e o destinatario ou pessoa autorizada para recebe-la, informamos que o seu uso, divulgacao, copia ou arquivamento sao proibidos. Portanto, se voce recebeu esta mensagem por engano, por favor nos informe respondendo imediatamente a este e-mail e delete o seu conteudo. This message, including its attachments, may contain privileged or confidential information, and it must not be fowarded without the express authorization of the sender. If you are not the intended recipient, we hereby inform you that the use, disclosure, copy or filing are forbidden. So, if you received this message as a mistake, please inform us by answering this e-mail and deleting its contents Questo messaggio, inclusi gli allegati, potrebbe contenere informazioni privilegiate e/o riservate, e non deve essere ritrasmesse senza l'autorizzazione del mittente. Se non siete il destinatario o la persona autorizzata a riceverlo, informiamo che il suo utilizzo, diffusione, copia o archiviazione sono proibite. Quindi, se avete ricevuto questo messaggio per errore, per cortesia ci informi rispondendo immediatamente a questa email e cancelli il suo contenuto
