Tcpdump shows data that is later dropped by the packet filter, so make sure that iptables lets the packets through. Another potential culprit is SELinux; check for violations in the kernel log.

On Thu, Apr 30, 2020, 16:20 Rose, Ed <Ed_Rose@mentor.com> wrote:
Hello All,
I have syslog-ng currently set up to write to disk and forward events on to a different syslog server. Syslog isn't writing to disk, it seems. I do not see any errors either, unless I am not looking in the right place for the errors. tcpdump -v host x.x.x.x shows data coming in from the host, but tail -f ${HOST}/log_${HOST} shows no logs going to disk.
Thanks
Ed
syslog-ng 3 (3.14.1)
Config version: 3.14
Installer-Version: 3.14.1
Revision:
Module-Directory: /usr/lib64/syslog-ng
Module-Path: /usr/lib64/syslog-ng
Available-Modules: afmongodb,sdjournal,linux-kmsg-format,appmodel,date,pseudofile,afamqp,syslogformat,csvparser,cef,tags-parser,affile,afsocket,afstomp,tfgetent,json-plugin,confgen,system-source,stardate,graphite,dbparser,afprog,xml,add-contextual-data,snmptrapd-parser,cryptofuncs,kvformat,disk-buffer,basicfuncs,afuser,map-value-pairs
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on
# One filter per sending ASA, matched on the source host (addresses redacted).
filter f_awanra1 { host("x.x.x.x"); };
filter f_bwanra1 { host("x.x.x.x"); };
filter f_cwanra1 { host("x.x.x.x"); };
# Local copy: one file per sending host, directories created on demand,
# files group-readable by the splunk group.
destination d_ciscoasa { file("/var/log2/gns/cisco_asa/${HOST}/log_${HOST}" create-dirs(yes) dir-perm(0755) dir-group(splunk) perm(0640) group(splunk)); };
# Forwarders: plain TCP to the downstream syslog servers on port 514.
destination d_uid1 { tcp("x.x.x.x" port(514) ); };
destination d_uid2 { tcp("x.x.x.x" port(514) ); };
destination d_uid3 { tcp("x.x.x.x" port(514) ); };
destination d_uid4 { tcp("x.x.x.x" port(514) ); };
# Log paths. Each filter() must name a filter defined above (the names as posted,
# f_amywanra1/f_cnswanra1/f_demwanra1, were not defined anywhere in the excerpt and
# syslog-ng refuses to load a config with an unknown filter reference). The s_net
# source is referenced here but its definition is not part of the excerpt.
log { source(s_net); filter(f_awanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };
log { source(s_net); filter(f_bwanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };
log { source(s_net); filter(f_cwanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
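The reply above names the two usual suspects when tcpdump sees the traffic but the file destination stays empty: the packet filter (tcpdump taps the interface before netfilter, so a DROP rule is invisible to it) and SELinux. The script below is an added example for this thread, not code from either poster. It walks the checks in order: is anything bound to the port and are there INPUT rules that could drop it, does the config parse and do syslog-ng's own counters (`syslog-ng-ctl stats`, format `SourceName;SourceId;SourceInstance;State;Type;Number`) show the source receiving while the file destination processes nothing, and are there AVC denials for `comm="syslog-ng"`. Denials go to `/var/log/audit/audit.log` when auditd is running and only to the kernel log otherwise, so the script tries `ausearch` first and falls back to `dmesg`. Port 514, the config path and the `/var/log2/gns/cisco_asa` directory are assumptions taken from the posted config; the audit lines embedded for the offline `demo` mode are constructed, not from the thread. They model one plausible outcome worth knowing about: a tree outside `/var/log`, such as `/var/log2`, is labelled `var_t` by the default file contexts, and the `syslogd_t` domain cannot create files there, so a denial with `tcontext=...:var_t:...` would be fixed with `semanage fcontext -a -t var_log_t '/var/log2(/.*)?'` followed by `restorecon -Rv /var/log2`. Whether that is what happened on Ed's box is not something the thread establishes.

```sh
#!/bin/sh
# Diagnostic helper: tcpdump sees the syslog traffic, the file destination stays empty.
# Added example for this mailing-list thread, not code from the original posts.
# Assumptions (hypothetical): syslog-ng on port 514, config at CONF, files under LOGDIR.

PORT="${PORT:-514}"
CONF="${CONF:-/etc/syslog-ng/syslog-ng.conf}"
LOGDIR="${LOGDIR:-/var/log2/gns/cisco_asa}"

# 1. tcpdump captures frames before netfilter. Confirm a socket is bound to the
#    port and look for INPUT rules or a default policy that could drop it.
check_firewall() {
    echo "== listeners on :$PORT"
    ss -lnptu 2>/dev/null | grep -E ":$PORT( |$)" || echo "nothing listening on :$PORT"
    echo "== iptables/nft INPUT rules mentioning :$PORT, or a DROP/REJECT policy"
    if command -v iptables >/dev/null 2>&1; then
        iptables -S INPUT 2>/dev/null | grep -E -- "--dport $PORT|^-P INPUT|-j (DROP|REJECT)"
    fi
    if command -v nft >/dev/null 2>&1; then
        nft list ruleset 2>/dev/null | grep -E "dport $PORT|policy drop|drop$|reject"
    fi
}

# 2. Does the config parse, and does syslog-ng think it processed anything?
#    src.* processed > 0 with dst.file processed = 0 points at filters/log paths
#    rather than at the network; dst.file dropped > 0 points at the file itself.
check_syslog_ng() {
    echo "== syntax check"
    syslog-ng -s -f "$CONF" && echo "config OK"
    echo "== per-source / per-destination counters"
    syslog-ng-ctl stats 2>/dev/null | grep -E '^(src\.|dst\.)' | grep -E ';(processed|dropped);'
    echo "== destination directory: permissions and SELinux label"
    ls -ldZ "$LOGDIR" 2>/dev/null || ls -ld "$LOGDIR"
}

# 3. SELinux. Keep only AVC denials for the given process name. Works on both the
#    audit.log format (type=AVC ...) and the dmesg format (audit: type=1400 ...),
#    since both carry 'avc:  denied' and a comm="..." field.
selinux_denials_for() {
    grep -E 'avc: +denied' | grep -F "comm=\"$1\""
}

# Pull TYPE out of tcontext=user:role:TYPE:level so the label the file actually
# carries can be compared with what syslogd_t is allowed to write (var_log_t).
denied_target_types() {
    sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' | sort -u
}

check_selinux() {
    echo "== SELinux mode: $(getenforce 2>/dev/null || echo 'not available')"
    echo "== recent AVC denials for syslog-ng (audit.log if auditd runs, else kernel log)"
    {
        if command -v ausearch >/dev/null 2>&1; then ausearch -m avc -ts recent 2>/dev/null
        else dmesg 2>/dev/null
        fi
    } | selinux_denials_for syslog-ng
}

# Constructed audit.log lines (not from the thread) so the parsing can be exercised
# offline: one denial for syslog-ng writing a var_t file, one unrelated denial,
# and one non-AVC record that must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1588260000.123:456): avc:  denied  { write } for  pid=1234 comm="syslog-ng" name="log_x.x.x.x" dev="dm-0" ino=1234 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1588260001.000:457): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1588260000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="syslog-ng" exe="/usr/sbin/syslog-ng"'

# Number of syslog-ng denials in the sample (expected: 1).
sample_denial_count() {
    printf '%s\n' "$SAMPLE_AUDIT" | selinux_denials_for syslog-ng | wc -l | tr -d ' '
}

# Target type(s) of those denials (expected: var_t, i.e. not var_log_t).
sample_denied_types() {
    printf '%s\n' "$SAMPLE_AUDIT" | selinux_denials_for syslog-ng | denied_target_types
}

case "${1:-}" in
    run)  check_firewall; check_syslog_ng; check_selinux ;;
    demo) echo "sample: $(sample_denial_count) syslog-ng denial(s), target type(s): $(sample_denied_types)" ;;
    *)    echo "usage: $0 run|demo   (run needs root on the syslog-ng host; demo parses the embedded sample)" ;;
esac
```

`./check_syslog_ng.sh demo` runs offline against the embedded lines; `sudo ./check_syslog_ng.sh run` performs the live checks. If the counters show the source processing messages while `dst.file` stays at zero and there is no denial, the next step is to run the daemon in the foreground with `syslog-ng -Fevd` and watch which filter each message hits, since a `host()` filter that never matches leaves nothing for the file destination to write.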