So I upgraded to syslog-ng 3.18 and it has syslog-ng-debun options. I was reading through the documentation and when I issue syslog-ng-debun -d -P 'port 12201' should I see anything on standard out? All that happened was that it displayed the options for the command. That is all that happened when I issued the command below in this email. I tried to run syslog-ng-debun -r and that executed and created a tarball.

    syslog-ng-debun -d -P 'port 12201'
    Usage: syslog-ng-debun [OPTIONS]

    General Options:
      -r           Run actual information gathering
      -h           Show this help page
      -R [dir]     Syslog-ng-PE's alternate install dir, instead of /opt/syslog-ng
      -W [dir]     Work dir, where debug bundle will be placed
      -l           "light" collect: Don't get data, which may disturb your sense about privacy, like process tree, fstab, etc.
                   If you use with -d, then it will also enlighten that's params: -Fev

    Debug mode options:
      -d           Debug with params: -Fedv --enable-core
                   Warning! May increase disk io during the debug, and dumps huge amount of data!
      -D [params]  Debug with custom params
      -w [sec]     Wait [sec] seconds before start syslog's debug mode, and start realtime watching of it
      -t [sec]     Timeout for noninteractive debug

    Packet capture options:
      -i [iface]   Capture packets on specified interface
      -p           Create packet capture with filter: port 514 or port 601 or port 53
      -P [params]  Create packet capture with custom filter
      -t [sec]     Timeout for noninteractive debug

    Syscall tracing options:
      -s           Trace syslog
      -t [sec]     Timeout for noninteractive debug

On Wed, Nov 7, 2018 at 7:22 PM PÁSZTOR György <pasztor@linux.gyakg.u-szeged.hu> wrote:
Hi,
"Rodney Bizzell" <hardworker30@gmail.com> wrote on 2018-11-07 at 15:14:
I can try that but I echoed a message from the syslog server to the graylog server and that worked
What exactly does it mean that you "echoed" a message? echo -ne '{some json formatted graylog message}\0' | nc graylog.server 12201 ?
Can you please share the details? It's really hard to guess what exactly you thought of. And I don't have my magic crystal sphere with me to make a more reliable guess.
Have you run a tcpdump to check communication between syslog-ng and graylog? Could you please share the pcap file?
You only shared the debug messages of the syslog-ng initialization. But we haven't seen in your other mail what the debug mode says when you send in a message which should end up on the graylog server. Well, this is what debug mode is for: to debug situations like this.
At this point it could also be useful, if this test system doesn't contain any sensitive information, to start a debug bundle run and share the result. When your config is ready, etc., just use these parameters for the debun command: syslog-ng-debun -d -P 'port 12201'
It will stop the system's syslog-ng service, restart it in debug mode, collect the data, and wait for your input on when to stop collecting. So, while it runs in debug mode, on a second terminal please try to send a log message which is destined to reach the graylog server. Wait a couple of seconds. Then hit enter on the first terminal where the data collection is running. It will pack the collected data into a tarball and notify you where the resulting file is. Then please share that file with us.
I think that is the most straightforward way to solve this mystery.
Regards, Gyu
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
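The "echo a message to the graylog server" test that Gyu asks about above, written out as an added example (not from the thread or from the syslog-ng project): it builds a minimal GELF message, terminates it with the NUL byte that Graylog's GELF TCP input expects, and ships it with nc to port 12201, so the Graylog side can be checked independently of syslog-ng. The host name graylog.example.com and the GELF_TEST_MESSAGE variable are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# GELF over TCP: one JSON object per message, delimited by a NUL byte.
# Mandatory GELF fields are "version", "host" and "short_message".

GRAYLOG_HOST="${GRAYLOG_HOST:-graylog.example.com}"   # placeholder host
GRAYLOG_PORT="${GRAYLOG_PORT:-12201}"                  # GELF TCP input port from the thread

# gelf_json HOST MESSAGE -> prints the GELF JSON body (no delimiter)
gelf_json() {
    host="$1"
    msg="$2"
    # escape backslashes first, then double quotes, so the JSON stays valid
    esc=$(printf '%s' "$msg" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '{"version":"1.1","host":"%s","short_message":"%s","level":6,"_source":"manual-test"}' \
        "$host" "$esc"
}

# gelf_frame HOST MESSAGE -> JSON body followed by the NUL delimiter
gelf_frame() {
    gelf_json "$1" "$2"
    printf '\0'
}

# frame_ends_with_nul HOST MESSAGE -> prints "yes" when the last byte is 0x00
frame_ends_with_nul() {
    last=$(gelf_frame "$1" "$2" | tail -c 1 | od -An -tx1 | tr -d ' \n')
    if [ "$last" = "00" ]; then echo yes; else echo no; fi
}

# send_gelf MESSAGE -> ship one framed message to the Graylog TCP input.
# Run "tcpdump -i any -w graylog.pcap 'port 12201'" alongside to get the
# pcap Gyu asked for and compare it with what syslog-ng itself sends.
send_gelf() {
    gelf_frame "$(hostname)" "$1" | nc -w 3 "$GRAYLOG_HOST" "$GRAYLOG_PORT"
}

# Only send when explicitly asked, e.g.:
#   GELF_TEST_MESSAGE='hello from syslog host' GRAYLOG_HOST=10.0.0.5 sh gelf_test.sh
if [ -n "${GELF_TEST_MESSAGE:-}" ]; then
    send_gelf "$GELF_TEST_MESSAGE"
fi
```

If the message shows up in Graylog but syslog-ng's own output does not, the network path is fine and the problem is in the syslog-ng destination configuration or framing, which is exactly what the debug bundle and pcap would then pin down.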