Hello All,

 

I have syslog-ng currently set up to write to disk and forward events on to a different syslog server.  Syslog isn’t writing to disk, it seems.  I do not see any errors either, unless I am not looking in the right place for the errors.  tcpdump -v host x.x.x.x shows data coming in from the host, but a tail -f ${HOST}/log_${HOST} shows no logs going to disk.

 

Thanks

Ed

 

 

syslog-ng 3 (3.14.1)

Config version: 3.14

Installer-Version: 3.14.1

Revision:

Module-Directory: /usr/lib64/syslog-ng

Module-Path: /usr/lib64/syslog-ng

Available-Modules: afmongodb,sdjournal,linux-kmsg-format,appmodel,date,pseudofile,afamqp,syslogformat,csvparser,cef,tags-parser,affile,afsocket,afstomp,tfgetent,json-plugin,confgen,system-source,stardate,graphite,dbparser,afprog,xml,add-contextual-data,snmptrapd-parser,cryptofuncs,kvformat,disk-buffer,basicfuncs,afuser,map-value-pairs

Enable-Debug: off

Enable-GProf: off

Enable-Memtrace: off

Enable-IPv6: on

Enable-Spoof-Source: on

Enable-TCP-Wrapper: on

Enable-Linux-Caps: on

Enable-Systemd: on

 

 

filter f_awanra1 { host("x.x.x.x"); };

filter f_bwanra1 { host("x.x.x.x"); };

filter f_cwanra1 { host("x.x.x.x"); };

 

destination d_ciscoasa { file("/var/log2/gns/cisco_asa/${HOST}/log_${HOST}" create-dirs(yes) dir-perm(0755) dir-group(splunk) perm(0640) group(splunk)); };

 

destination d_uid1 { tcp("x.x.x.x"  port(514) ); };

destination d_uid2 { tcp("x.x.x.x"  port(514) ); };

destination d_uid3 { tcp("x.x.x.x"  port(514) ); };

destination d_uid4 { tcp("x.x.x.x"  port(514) ); };

 

log { source(s_net); filter(f_amywanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };

log { source(s_net); filter(f_cnswanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };

log { source(s_net); filter(f_demwanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };