Perfect - you know the packets are getting there - so that's done.

Now take a look at what creates the logging. As a test, try taking out the filter.

It is a bit confusing, but HOST, HOST_FROM and FULLHOST_FROM are very different (you can read the details here):
https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-macros.html

You might find that HOST_FROM works better if the logs come directly from the FWs to the syslog server.

But if you take out the filter and it creates the files - you will know where to work.

Best,
Jim


On Fri, Feb 24, 2017 at 10:06 AM, Tim Tyler <tyler@beloit.edu> wrote:

Syslog-ng experts.

  I am very new to syslog-ng.  I installed syslog-ng on a fresh Red Hat 7.3 server.  By default it works with internal logging.  So I configured my firewall to send syslog with the facility set to log_user.  I turned on Wireshark on the syslog-ng server and observed the firewall sending traffic to the server on UDP 514.

But the syslog server never created the directory structure and logs.  I disabled the Red Hat firewall just to eliminate it as a possibility.  Still no logging.  So I don’t know what I am doing wrong at this point.  I don’t know if this is a permission problem or some other configuration issue.  I found someone who had posted a very basic syslog-ng configuration for firewalls, so I copied it into a firewall.conf that I put in conf.d.  Can anyone see what might be wrong with it?

####################
# Global options: let syslog-ng create the $YEAR/$MONTH directories itself,
# with root-owned files (0640) and directories (0750).
options {
        create_dirs(yes);
        owner(root);
        group(root);
        perm(0640);
        dir_owner(root);
        dir_group(root);
        dir_perm(0750);
};

##################################################
# Listen for plain UDP syslog on port 514 (what the firewall was seen sending).
source s_udp {
        udp(port(514));
};

# Template for a new firewall in the firewalls.conf file
# Entries to be changed: NAMEOFTHEFIREWALL and IPOFTHEFIREWALL

##################################################
# host() matches against the $HOST macro, i.e. the hostname field the
# firewall writes into the syslog header, not necessarily the sender's IP.
filter f_NAMEOFTHEFIREWALL {
        host("192.168.30.1");
};

# One file per day, under /var/log/firewalls/PA/<year>/<month>/.
destination d_NAMEOFTHEFIREWALL {
        file("/var/log/firewalls/PA/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.PA.log");
};

# Only messages that pass the filter reach the destination.
log {
        source(s_udp);
        filter(f_NAMEOFTHEFIREWALL);
        destination(d_NAMEOFTHEFIREWALL);
};

Tim Tyler
Network Engineer
Beloit College
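The configuration below is an added example, not part of either message above. It keeps the posted source, options and destination path and the firewall address 192.168.30.1, but it replaces the host() filter with a netmask() filter, which matches on the sender's IP address rather than on the hostname in the message header, and it adds a filter-less d_debug destination that records what each of the macros Jim mentions actually holds for this sender. The names f_pa_fw, d_pa_fw, d_debug and the debug.log path are assumptions.

```conf
# syslog-ng: receive firewall logs on UDP/514 and file them per day.
# Added example; not the original poster's configuration.

options {
    create_dirs(yes);
    owner(root);
    group(root);
    perm(0640);
    dir_owner(root);
    dir_group(root);
    dir_perm(0750);
};

source s_udp {
    udp(port(514));
};

# host() compares against $HOST, the hostname the firewall puts in the
# syslog header (for example "PA-fw"), so host("192.168.30.1") only matches
# if the firewall writes its IP there. netmask() compares against the
# sender's IP address ($SOURCEIP), which is what is usually intended.
filter f_pa_fw {
    netmask("192.168.30.1/32");
};

destination d_pa_fw {
    file("/var/log/firewalls/PA/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.PA.log");
};

log {
    source(s_udp);
    filter(f_pa_fw);
    destination(d_pa_fw);
};

# Diagnostic catch-all with no filter. If this file fills while the one above
# stays empty, the filter is the problem, and each line shows the value every
# host-related macro carries for this sender. Remove it once the filter works.
destination d_debug {
    file("/var/log/firewalls/debug.log"
         template("SOURCEIP=$SOURCEIP HOST=$HOST HOST_FROM=$HOST_FROM FULLHOST_FROM=$FULLHOST_FROM MSG=$MSG\n"));
};

log {
    source(s_udp);
    destination(d_debug);
};
```

Check the file with `syslog-ng -s` before reloading; a syntax error in conf.d would stop the daemon from loading any of it. Once debug.log shows the sender's real $HOST value, the host() filter can be put back with that hostname if matching on the header is preferred over matching on the source address.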

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq