Yes that is correct.  We have figured it out.  The ASA devices dropped their hostname/ip address in the syslog message.  Once the ASA admin changed things back we were able to capture the logs once again.

 

From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Friday, May 1, 2020 10:22 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslogs not writing to disk

 

These filters in your config are wired into all of the log paths:

 

filter f_awanra1 { host("x.x.x.x"); };

filter f_bwanra1 { host("x.x.x.x"); };

filter f_cwanra1 { host("x.x.x.x"); };

 

If I understand your config properly, if the source $HOST doesn't match these IP addresses it will be dropped.

 

On Fri, May 1, 2020, 20:17 Rose, Ed <Ed_Rose@mentor.com> wrote:

We separate them by host so that Splunk can monitor each directory and ingest those logs.  Splunk can set the hostname of each directory by setting a parameter in the inputs.conf.  For Splunk Enterprise Security correlation searches for SIEM we need to know which host owns which logs so we can narrow down our investigations.

 

-ed

 

From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Friday, May 1, 2020 6:45 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslogs not writing to disk

 

Honestly I don't see your exact use-case, I noticed you were using host() and they seemed as if they were IP addresses.

 

You can implement a wide set of policies using syslog-ng.

 

On Fri, May 1, 2020, 14:32 Rose, Ed <Ed_Rose@mentor.com> wrote:

But won’t using netmask defeat the whole purpose of separating out the logs?  Or will it still attempt to separate the devices by some arbitrary hostname that it does not exist?

 

 

From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Friday, May 1, 2020 12:12 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslogs not writing to disk

 

the host filter that you apply to the incoming traffic is matching against the $HOST macro, ie. the text within the message. This can be an IP address or a hostname depending on various settings.

 

Your messages don't contain a a hostname field, thus syslog-ng will try to "guess" it, normally based on the sending IP address but then would also potentially use DNS to resolve it to a name.

 

If you want to filter on IP address, I suggest the netmask() filter.

 

On Thu, Apr 30, 2020 at 7:34 PM Rose, Ed <Ed_Rose@mentor.com> wrote:

The tcpdump looks good and there doesn’t appear to be any drops.  I should also mention that the syslog servers are behind a Netscaler load balancer doing round robin load balancing between two different syslog-ng servers that are setup exactly the same.  I have about 10 different sources send logs to these syslog servers and all of them are writing to disk except this particular source (cisco_asa).

 

Thanks

Ed

 

 

 

10:24:21.525178 IP (tos 0x0, ttl 254, id 3483, offset 0, flags [none], proto UDP (17), length 190)

    x.x.x.x  > x.x.x.x: SYSLOG, length: 162

        Facility local4 (20), Severity debug (7)

        Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr x.x.x.x: Session Attribute endpoint.am["539"].description="Trend Micro OfficeScan Client"\0x0a

10:24:21.525179 IP (tos 0x0, ttl 254, id 15604, offset 0, flags [none], proto UDP (17), length 166)

    x.x.x.x > x.x.x.x: SYSLOG, length: 138

        Facility local4 (20), Severity debug (7)

        Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr x.x.x.x: Session Attribute endpoint.am["539"].version="12.0.5400"\0x0a

10:24:21.525368 IP (tos 0x0, ttl 254, id 19622, offset 0, flags [none], proto UDP (17), length 193)

    x.x.x.x > x.x.x.x: SYSLOG, length: 165

        Facility local4 (20), Severity debug (7)

        Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr x.x.x.x: Session Attribute endpoint.anyconnect.devicetype = "Dell Inc. Latitude 5290 2-in-1"\0x0a

 

From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Thursday, April 30, 2020 10:50 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslogs not writing to disk

 

Tcpdump shows data that is later dropped by the packet filter, so make sure that iptables lets the packets through.

 

Another potential culprit is selinux, check for violations in the kernel log.

 

 

On Thu, Apr 30, 2020, 16:20 Rose, Ed <Ed_Rose@mentor.com> wrote:

Hello All,

 

I have syslog-ng setup currently setup to write to disk and forward events on to a different syslog server.  Syslog isn’t writing to disk it seems.  I do not see any errors either, unless I am not looking in the right place for the errors.  Tcpdump –v host x.x.x.x shows data coming in from the host but a tail –f ${HOST}/log_${HOST} shows no logs going to disk.

 

Thanks

Ed

 

 

syslog-ng 3 (3.14.1)

Config version: 3.14

Installer-Version: 3.14.1

Revision:

Module-Directory: /usr/lib64/syslog-ng

Module-Path: /usr/lib64/syslog-ng

Available-Modules: afmongodb,sdjournal,linux-kmsg-format,appmodel,date,pseudofile,afamqp,syslogformat,csvparser,cef,tags-parser,affile,afsocket,afstomp,tfgetent,json-plugin,confgen,system-source,stardate,graphite,dbparser,afprog,xml,add-contextual-data,snmptrapd-parser,cryptofuncs,kvformat,disk-buffer,basicfuncs,afuser,map-value-pairs

Enable-Debug: off

Enable-GProf: off

Enable-Memtrace: off

Enable-IPv6: on

Enable-Spoof-Source: on

Enable-TCP-Wrapper: on

Enable-Linux-Caps: on

Enable-Systemd: on

 

 

filter f_awanra1 { host("x.x.x.x"); };

filter f_bwanra1 { host("x.x.x.x"); };

filter f_cwanra1 { host("x.x.x.x"); };

 

destination d_ciscoasa { file("/var/log2/gns/cisco_asa/${HOST}/log_${HOST}" create-dirs(yes) dir-perm(0755) dir-group(splunk) perm(0640) group(splunk)); };

 

destination d_uid1 { tcp("x.x.x.x"  port(514) ); };

destination d_uid2 { tcp("x.x.x.x"  port(514) ); };

destination d_uid3 { tcp("x.x.x.x"  port(514) ); };

destination d_uid4 { tcp("x.x.x.x"  port(514) ); };

 

log { source(s_net); filter(f_amywanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };

log { source(s_net); filter(f_cnswanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };

log { source(s_net); filter(f_demwanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq



--

Bazsi

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq