That's it. It is iptables. The moment I stopped iptables I see the syslog messages written to the file. Now I can work on segregating them based on host IP the messages are coming from. Thanks all for your help with this.

On Wed, Nov 17, 2010 at 5:42 PM, Patrick H. <syslogng@feystorm.net> wrote:

Do you have any iptables rules?
`iptables -nvL`
`iptables -nvL -t nat`
`iptables -nvL -t mangle`
About the only thing I can think of off the top of my head. There might be some sysctl option to disable UDP, but I don't know it if it does exist.
Sent: Wed Nov 17 2010 16:39:57 GMT-0700 (Mountain Standard Time)
From: keshava V <mv.keshava@gmail.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslog-ng not receiving messages
Looks like it is getting blocked somewhere as you thought. How come tcpdump output is seeing all the udp syslog-ng messages?
[root@aspsyslog ~]# /etc/init.d/syslog-ng start
Starting syslog-ng: [ OK ]
[root@aspsyslog ~]# /etc/init.d/syslog-ng stop
Stopping syslog-ng: [ OK ]
[root@aspsyslog ~]# nc -u -l 514
getting nothing...!
On Wed, Nov 17, 2010 at 5:34 PM, Patrick H. <syslogng@feystorm.net> wrote:
Ok, let's see if the problem is before it gets to syslog-ng or after. Shut syslog-ng down and do 'nc -u -l 514' and see if it gets anything. That'll dump out all traffic received. If it gets it, the problem is syslog-ng; if it doesn't get it, the traffic is getting blocked somehow.

Sent: Wed Nov 17 2010 16:30:12 GMT-0700 (Mountain Standard Time)
From: keshava V <mv.keshava@gmail.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslog-ng not receiving messages
syslog-ng is using 514 as expected.
[root@aspsyslog ~]# netstat -upnl | grep ":514"
udp 0 0 0.0.0.0:514 0.0.0.0:* 8789/syslog-ng
Thanks
On Wed, Nov 17, 2010 at 5:27 PM, Patrick H. <syslogng@feystorm.net> wrote:

There isn't something already listening on udp 514, is there?
netstat -upnl | grep ":514"

Sent: Wed Nov 17 2010 16:23:44 GMT-0700 (Mountain Standard Time)
From: keshava V <mv.keshava@gmail.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslog-ng not receiving messages
Further,
I have tried setting the kernel parameters without any luck
[root@aspsyslog ~]# sysctl -w net.core.rmem_max=8388608
[root@aspsyslog ~]# sysctl -w net.core.rmem_default=1048576
[SNIP]
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
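Added example, not part of the original thread: tcpdump captures packets before netfilter evaluates them, which is why a capture can show datagrams that `nc` and syslog-ng never receive. The function below walks `iptables -nvL` output and reports the first rule that decides a new UDP datagram to port 514; the function names, the constructed sample ruleset and the matching simplifications listed in the comments are assumptions.

```shell
# Added example: reads `iptables -nvL` on stdin, starts at chain $1 (default INPUT).
# Assumptions: packet arrives on a non-loopback interface; address-specific rules
# are skipped; only state/ctstate and dpt/dpts matches are interpreted.
udp514_verdict() {
  awk -v start="${1:-INPUT}" '
    function hit(r,   f, n, i, p) {              # would rule line r match?
      n = split(r, f, " ")
      if (f[4] !~ /^(udp|17|all|0)$/) return 0   # protocol column
      if (f[6] == "lo") return 0                 # input interface column
      if (f[8] != "0.0.0.0/0" || f[9] != "0.0.0.0/0") return 0
      for (i = 10; i <= n; i++) {
        # One-way syslog gets no reply, so conntrack classes it as NEW.
        if (f[i] ~ /^(state|ctstate)$/ && f[i + 1] !~ /NEW/) return 0
        if (f[i] ~ /^dpt:/ && f[i] != "dpt:514") return 0
        if (f[i] ~ /^dpts:/) { split(f[i], p, ":"); if (514 < p[2] || 514 > p[3]) return 0 }
      }
      return 1
    }
    function walk(c,   i, t, v, tf) {            # first-match walk of chain c
      for (i = 1; i <= count[c]; i++) {
        if (!hit(rule[c, i])) continue
        split(rule[c, i], tf, " "); t = tf[3]
        if (t ~ /^(ACCEPT|DROP|REJECT)$/) return t " " c " " i
        if (t == "RETURN") return ""
        if (t in count) { v = walk(t); if (v != "") return v }  # user-chain jump
      }
      return ""                                  # fell through: back to the caller
    }
    $1 == "Chain" { name = $2; count[name] = 0; policy[name] = ($3 == "(policy") ? $4 : ""; next }
    NF == 0 || $1 == "pkts" { next }
    { rule[name, ++count[name]] = $0 }
    END { v = walk(start); print (v != "" ? v : policy[start] " " start " policy") }
  '
}
# Constructed sample (RHEL-style default ruleset), not the rules from the thread.
sample_rules() {
  cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 9120   11M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  310 24800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 8001   10M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0    state RELATED,ESTABLISHED
  797 95640 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0    reject-with icmp-host-prohibited
EOF
}
sample_rules | udp514_verdict   # prints: REJECT RH-Firewall-1-INPUT 3
```

On a live host, feed it `iptables -nvL` run as root; the output names the verdict, the chain and the rule number to inspect.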