On Wed, Feb 19, 2020 at 2:50 PM SZIGETVÁRI János <jszigetvari@gmail.com> wrote:
Dear Anatoly,
I would recommend that you stop the syslog-ng service and start it in the foreground, in debug mode, with:
# syslog-ng -Fedv
Or possibly direct all its output to a file, and then try sending in the test logs, and subsequently check the debug output to see whether syslog-ng has received the logs. (It will report all incoming logs, so in the debug output you should see it even if it's not written to the destination file for some reason.) Also in the debug output you should see any file creation related error messages, if there are any. If you don't see your test logs in the debug output, then the cause is likely something outside of syslog-ng's scope.
BTW do you have SELinux enabled? (I would not think so though, because syslog-ng was allowed to bind to UDP/3514, a non-standard port, which SELinux would prevent, if in enforcing mode.)
Best Regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692
Anatoly Pugachev <matorola@gmail.com> wrote (on 2020 Feb 19, Wed, 12:29):
Hello!
Can someone help me with network logging with syslog-ng:
# rpm -q syslog-ng
syslog-ng-3.25.1.239.g0535e8a-1.el7.x86_64
# rpm -qf /etc/os-release
centos-release-7-7.1908.0.el7.centos.x86_64
The server is a CentOS 7 x86_64 VM.
/etc/syslog-ng/syslog-ng.conf is in the default configuration (no changes made from the installed rpm package); I have additional configuration in:
# cat conf.d/mtcaptive.conf
source s_mtcaptive {
    network( ip("0.0.0.0") port(3514) transport("udp"));
};
destination d_mtcaptive { file("/var/log/mt-captive-remote"); };
log { source(s_mtcaptive); destination(d_mtcaptive); };
If I try to log a test message with logger on localhost (where syslog-ng runs):
[root@localhost syslog-ng]# logger -d -i -n 172.16.3.50 -P 3514 "test from localhost"
it does work and appears in /var/log/mt-captive-remote :
$ tail -1 /var/log/mt-captive-remote
Feb 19 06:15:01 172.16.3.50 root[11326]: test from localhost
But if I try the same command on a nearby host (vm2, same L2 network, but a different IP network), it does not get logged, although the UDP packet with the test message is received by the host:
[root@vm2 ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from vm2"
back to syslog-ng host:
# ngrep -d ens224 -n 10 "test from" "udp and port 3514"
interface: ens224 (172.16.3.0/255.255.255.0)
filter: ( udp and port 3514 ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: test from
########################################
U 100.64.128.5:24046 -> 172.16.3.50:3514 #218
<5>Feb 19 06:20:27 root[31663]: test from vm2.
########################################^C
exit
319 received, 1 matched
looking at socket status on syslog-ng host:
# ss -unlp | grep 3514
UNCONN 0 0 *:3514 *:* users:(("syslog-ng",pid=11198,fd=23))
There are no firewall or iptables rules (default all ACCEPT).
Can someone suggest why syslog-ng does not log remote messages to my destination file?
Thanks.
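The datagram captured with ngrep above is a plain RFC 3164 (BSD syslog) message: a <PRI> prefix, a timestamp, an optional hostname, a TAG[pid] and the message text. The following Python is an added example, not code from this thread or from the syslog-ng project. It decodes such datagrams the way a collector must (PRI into facility and severity, timestamp, optional hostname, tag, pid), encodes fields back into the wire form logger(1) sends, and can send one to a collector over UDP. The two sample payloads are constructed here: one shaped like the vm2 datagram in the capture (no hostname field) and one carrying a hostname. Facility names follow syslog-ng's naming. It is useful when checking that a test message arriving at a collector carries the facility and severity you expect, and it makes sender-side formatting differences (such as a missing hostname field) visible.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Facility names as syslog-ng prints them (index = facility number 0..23).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron",
] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed samples (not taken from a live capture). The first has the same
# shape as the vm2 datagram shown by ngrep in the thread: no hostname field.
# The second carries a hostname between the timestamp and the tag.
SAMPLES = [
    "<5>Feb 19 06:20:27 root[31663]: test from vm2",
    "<13>Feb 19 06:15:01 172.16.3.50 root[11326]: test from localhost",
]

# RFC 3164 layout: <PRI>TIMESTAMP [HOSTNAME ]TAG[pid]: MSG. The hostname group
# is lazily optional, so it is only consumed when the tag would otherwise not
# be followed by ':'.
BSD_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>[^\s:\[]+) )??"
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: Optional[str]
    tag: str
    pid: Optional[int]
    message: str


def parse_bsd_syslog(datagram: str) -> SyslogMessage:
    """Decode one RFC 3164 datagram; raise ValueError on anything else."""
    m = BSD_SYSLOG.match(datagram.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an RFC 3164 datagram: {datagram!r}")
    pri = int(m.group("pri"))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    pid = m.group("pid")
    return SyslogMessage(
        facility=FACILITIES[facility],
        severity=SEVERITIES[severity],
        timestamp=m.group("ts"),
        host=m.group("host"),
        tag=m.group("tag"),
        pid=int(pid) if pid is not None else None,
        message=m.group("msg"),
    )


def is_bsd_syslog(datagram: str) -> bool:
    """True when the datagram decodes cleanly as RFC 3164."""
    try:
        parse_bsd_syslog(datagram)
        return True
    except ValueError:
        return False


def build_datagram(facility: str, severity: str, timestamp: str, tag: str,
                   pid: Optional[int], message: str,
                   host: Optional[str] = None) -> str:
    """Encode the fields back into the wire form logger(1) would send."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    header = f"<{pri}>{timestamp} "
    if host:
        header += f"{host} "
    tag_part = f"{tag}[{pid}]" if pid is not None else tag
    return f"{header}{tag_part}: {message}"


def send_udp(datagram: str, collector: str, port: int = 514) -> int:
    """Send one datagram to a collector over UDP, like `logger -d -n -P`.
    Returns the number of bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram.encode(), (collector, port))


if __name__ == "__main__":
    for raw in SAMPLES:
        print(parse_bsd_syslog(raw))
```

Run it as-is to see both samples decoded; note that the vm2-shaped sample decodes with host=None because the datagram has no hostname field at all, and that PRI 5 is kern.notice while PRI 13 is user.notice. The send_udp() helper is only called when you point it at a collector you operate.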
Janos, here's attached syslog-ng-Fedv-log.txt.gz with a log of running syslog-ng with debug options (Fedv). SELinux is disabled. Command sequence:
[root@localhost ~]# getenforce
Disabled
[root@localhost ~]# systemctl stop syslog.socket
[root@localhost ~]# systemctl stop syslog-ng
[root@localhost ~]# ps ax | grep syslog
11997 pts/0 S+ 0:00 grep --color=auto syslog
[root@localhost ~]# cd /etc/syslog-ng/
[root@localhost syslog-ng]# syslog-ng -s -f syslog-ng.conf
[root@localhost syslog-ng]# echo $?
0
[root@localhost syslog-ng]# syslog-ng -Fedv
(start logging and open another terminal window)
[root@localhost ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from localhost"
[root@vm2 ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from vm2"
back to the running syslog-ng log and stop it (CTRL-C on syslog-ng -Fedv)