When I’m not seeing any data I start with tcpdump to make sure it’s actually getting to the log host and review the packet dump for a possible issue. There is also a debug/trace function in syslog-ng, but in heavy traffic environments like yours I start with tcpdump with a MAC or IP filter.

On Feb 18, 2014, at 3:12 PM, Chris Moody <chris@node-nine.com> wrote:
Hello.
First off, thanks a __TON__ for syslog-ng. I've sworn by this awesome code for years now. I've built all sorts of logging infrastructure with it.
I seem to have hit on something though that's got me scratching my head and lacking for explanation. Perhaps I've just been staring at it and debugging it too long and am missing something obvious.
I've got an installation with a couple thousand network devices logging successfully to output spools on our log aggregator. This is rockin' and works beautifully. I've got things configured whereby each network source logs to its own individual spool file with the source-ip as the spool name.
I'm running into a case though where I have a Cisco switch sending logs to my log aggregator but the log-server isn't writing the output to the device's spool file. It is working however for many many more devices just like this switch.
I've confirmed via tcpdump that this log traffic does actually hit the box, but it never gets recorded into the log spool for that network device.
Since the host is -super- busy receiving logs from other gear enterprise-wide, I have to treat it very gingerly, so I can't enable too much debugging... but I'm really confused why the logs wouldn't show up in the log spool.
Here are some bits of the config that are relevant:
=====
options {
    keep_hostname(yes);
    use_dns(no);
    use_fqdn(no);
    stats_freq(600);
    stats_level(2);
    # Allow large messages
    log_msg_size(65536);
};

# =====================
# UDP Packet Source
source s_udp { udp(); };

# =====================
# TCP Packet Source
source s_tcp { tcp(ip(aaa.bbb.ccc.ddd) port(514) max-connections(50000)); };

# =====================
# One spool file per device, named by the $HOST macro
destination net_perhost {
    file("/data/log/per-host/$HOST" owner(root) group(nwadmin) perm(0775));
};

# =====================
log { source(s_tcp); source(s_udp); destination(net_perhost); };
=====
I've checked around for perhaps a different spool name, thinking perhaps the data was getting recognized as something other than its source-ip, but haven't seen anything.
Any thoughts?
Cheers,
-Chris
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
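As an added example (not code from this thread or from syslog-ng itself), the following models how the quoted `file("/data/log/per-host/$HOST")` destination picks a spool name under `keep_hostname(yes)` and `use_dns(no)`: when the datagram carries a HOSTNAME field, `$HOST` is that field rather than the sender's IP, so the message lands in a differently named file. The RFC 3164 parser and the sample datagrams are simplified assumptions for illustration; syslog-ng's real parser is more tolerant than this model.

```python
import re

# Option copied from the quoted syslog-ng config that decides what $HOST holds.
# use_dns(no) means the fallback is the peer address verbatim, never a PTR name.
KEEP_HOSTNAME = True   # keep_hostname(yes)

# Constructed sample datagrams as (peer_ip, raw payload); not real captures.
SAMPLES = [
    ("10.1.2.3", "<134>Feb 18 15:12:01 sw-core-01 %SYS-5-CONFIG_I: Configured from console"),
    ("10.1.2.4", "<134>Feb 18 15:12:02 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up"),
    ("10.1.2.5", "<134>Feb 18 15:12:03 10.1.2.5 %SYS-5-RELOAD: Reload requested"),
]

# Simplified RFC 3164 layout "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG" (hypothetical
# model for this example only, not syslog-ng's own parser).
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$",
    re.DOTALL)
_HOST_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

def parse_rfc3164(raw):
    """Return (hostname_or_None, msg). The token after the timestamp is taken
    as HOSTNAME only if it looks like a hostname or IP; otherwise the message
    is treated as hostless (e.g. Cisco output that starts with %FACILITY-...)."""
    m = _RFC3164.match(raw)
    if not m:
        return None, raw
    rest = m.group("rest")
    token, _, msg = rest.partition(" ")
    if _HOST_TOKEN.match(token):
        return token, msg
    return None, rest

def resolve_host_macro(raw, peer_ip):
    """What $HOST expands to: the message's HOSTNAME field when keep_hostname
    is on and the field is present, else the sender's IP (no DNS lookup)."""
    host, _ = parse_rfc3164(raw)
    if KEEP_HOSTNAME and host:
        return host
    return peer_ip

def spool_path(raw, peer_ip, base="/data/log/per-host"):
    """Spool file the quoted destination would write this datagram to."""
    return f"{base}/{resolve_host_macro(raw, peer_ip)}"

def spool_paths(samples):
    return [spool_path(raw, ip) for ip, raw in samples]

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        print(f"{ip:<10} -> {spool_path(raw, ip)}")
```

Comparing the computed path against `ls /data/log/per-host/` for a device whose traffic tcpdump confirms is arriving shows whether its messages are simply being filed under an embedded hostname instead of its source IP.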