There is a very simple reason for this problem. AF_PACKET / BPF / libpcap / tcpdump / *shark get their packet copies at L2. This way you can see non-IP traffic, loopback traffic, and other special stuff you would need. But iptables processes packets at L3. Thus none of these packet dump tools prove the datagrams are really received at L4 or L7. For this you need an L3 / L4 / L7 tool like hping* or a version of netcat. In general, think carefully about how the stack works when you are trying to find missing packets.
Good Luck, Matthew.
On Wed, Nov 17, 2010 at 05:47:09PM -0600, keshava V wrote:
That's it. It is iptables. The moment I stopped iptables I see the syslog messages written to the file. Now I can work on segregating them based on the host IP the messages are coming from.
Thanks all for your help with this.
On Wed, Nov 17, 2010 at 5:42 PM, Patrick H. <syslogng@feystorm.net> wrote:
do you have any iptables rules?
`iptables -nvL`
`iptables -nvL -t nat`
`iptables -nvL -t mangle`
About the only thing I can think of off the top of my head. There might be some sysctl option to disable UDP, but I don't know it if it does exist.
Sent: Wed Nov 17 2010 16:39:57 GMT-0700 (Mountain Standard Time)
From: keshava V <mv.keshava@gmail.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslog-ng not receiving messages
Looks like it is getting blocked somewhere as you thought. How come tcpdump output is seeing all the udp syslog-ng messages?
[root@aspsyslog ~]# /etc/init.d/syslog-ng start
Starting syslog-ng: [ OK ]
[root@aspsyslog ~]# /etc/init.d/syslog-ng stop
Stopping syslog-ng: [ OK ]
[root@aspsyslog ~]# nc -u -l 514
getting nothing...!
On Wed, Nov 17, 2010 at 5:34 PM, Patrick H. <syslogng@feystorm.net> wrote:
Ok, let's see if the problem is before it gets to syslog-ng or after. Shut syslog-ng down and do 'nc -u -l 514' and see if it gets anything. That'll dump out all traffic received. If it gets it, the problem is syslog-ng; if it doesn't get it, the traffic is getting blocked somehow.
Sent: Wed Nov 17 2010 16:30:12 GMT-0700 (Mountain Standard Time)
From: keshava V <mv.keshava@gmail.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslog-ng not receiving messages
syslog-ng is using 514 as expected.
[root@aspsyslog ~]# netstat -upnl | grep ":514"
udp        0      0 0.0.0.0:514                 0.0.0.0:*                   8789/syslog-ng
Thanks
On Wed, Nov 17, 2010 at 5:27 PM, Patrick H. <syslogng@feystorm.net> wrote:
There isn't something already listening on udp 514 is there?
netstat -upnl | grep ":514"
Sent: Wed Nov 17 2010 16:23:44 GMT-0700 (Mountain Standard Time)
From: keshava V <mv.keshava@gmail.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslog-ng not receiving messages
Further,
I have tried setting the kernel parameters without any luck:
[root@aspsyslog ~]# sysctl -w net.core.rmem_max=8388608
[root@aspsyslog ~]# sysctl -w net.core.rmem_default=1048576
[SNIP]
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
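The check behind Patrick's `iptables -nvL` suggestion and Matthew's L2-versus-L3 point, as an added example that is not code from the thread: a shell function `udp_input_verdict` (name assumed) reads an `iptables -nvL` listing and reports what the INPUT chain does with a fresh UDP datagram to a given port, so a ruleset that tcpdump happily watches past can be shown to reject port 514 before nc or syslog-ng ever see it. The two rulesets are constructed samples; the function walks rules top to bottom, considers only "*" input interfaces, matches sources either as 0.0.0.0/0 or by exact string (no CIDR math), and does not follow jumps into user-defined chains.

```sh
#!/bin/sh
# Added example (not from the mailing list thread). Models what netfilter's
# INPUT chain does with a new inbound UDP datagram, given `iptables -nvL`
# output. tcpdump copies packets at L2, so it sees datagrams that these
# rules discard at L3 before any L4/L7 listener (nc, syslog-ng) gets them.

# Constructed sample 1, shaped like a stock RHEL/CentOS ruleset of the period.
SAMPLE_REJECT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1200   96K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   10   840 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  120  9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4   240 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 3172  254K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)'

# Constructed sample 2: syslog allowed from one sender only, the rest dropped.
SAMPLE_ACCEPT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   77  6000 ACCEPT     udp  --  *      *       10.1.2.3             0.0.0.0/0           udp dpt:514
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:514'

# udp_input_verdict LISTING PORT [SRC]: prints ACCEPT, DROP, REJECT or
# JUMP:<chain> for the first matching INPUT rule, else POLICY:<policy>.
udp_input_verdict() {
  printf '%s\n' "$1" | awk -v port="$2" -v src="${3:-0.0.0.0/0}" '
    /^Chain / { inchain = ($2 == "INPUT"); if (inchain) policy = $4; next }
    !inchain || $1 !~ /^[0-9]+[KMG]?$/ { next }   # only counter-prefixed rule lines
    {
      target = $3; prot = $4; iface = $6; rsrc = $8
      opts = ""; for (i = 10; i <= NF; i++) opts = opts " " $i
      if (iface != "*") next                             # interface-specific rule
      if (prot != "all" && prot != "udp") next           # other protocol
      if (rsrc != "0.0.0.0/0" && rsrc != src) next       # source does not match
      if (opts ~ /(ct)?state / && opts !~ /NEW/) next    # conntrack-only rule
      if (opts ~ /dpts:/) next                           # port ranges not evaluated
      if (opts ~ /dpt:/ && opts !~ ("dpt:" port "( |$)")) next   # other port
      verdict = (target ~ /^(ACCEPT|DROP|REJECT)$/) ? target : "JUMP:" target
      print verdict; found = 1; exit
    }
    END { if (!found) print "POLICY:" policy }'
}

echo "sample 1, UDP 514:               $(udp_input_verdict "$SAMPLE_REJECT" 514)"
echo "sample 2, UDP 514 from 10.1.2.3: $(udp_input_verdict "$SAMPLE_ACCEPT" 514 10.1.2.3)"
```

Run it against real output with `udp_input_verdict "$(iptables -nvL)" 514 <sender-ip>`; a REJECT or DROP verdict while tcpdump still shows the datagrams is exactly the situation resolved in this thread.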