As I stated before, I ran tcpdump to monitor the network traffic leaving the client system and then attempted to generate some logs; there was no network traffic beyond SSH and some VMware stuff, so I know it wasn't networking, at least not yet, as the syslog-ng client daemon was not even generating network traffic. Anyway, I did figure out the issue. I was editing the wrong conf file, silly me! I was editing /etc/syslog-ng.conf when I should have been editing /opt/syslog-ng/etc/syslog-ng.conf. A coworker showed me this, proving that I had just been staring at the problem for too long to be able to see the answer ;) Thank you for your help guys! It helped us get the gears in our heads moving again!

On Dec 21, 2010, at 17:09, Alan McKinnon wrote:
Your config appears correct - I use a similar setup on a wide variety of logging clients using all sorts of versions of sysloggers.
So I imagine your problem is more network and less syslog. You don't mention basic networking tests you might have done, such as: can you ping the log host, and can you telnet to the port and get a sensible result? I'd like to establish that packets can at least go from client to server. And don't forget to check silly things like /etc/hosts - I once had a server listed there with address 127.0.0.1..... that took an awfully long time to find. [I see your config implies you send to an IP, not a hostname. But still, basic checks are good.]
Apparently, though unproven, at 00:03 on Wednesday 22 December 2010, Jarrett Lee did opine thusly:
This is the client side that I'm having issues with, not the syslog server, or loghost, side. Does it really need network configuration information in the source statement? I thought that was on the server side to show it which interface/port to listen on for clients.
On Dec 21, 2010, at 16:59, Clayton Dukes wrote:
Looks like you need to define UDP or TCP (or both) in your src statement.
Here's a short (hopefully helpful) link to a video for syslog-ng configuration: http://www.logzilla.info/SearchResults.asp?Cat=49
Full disclosure, LogZilla is my log analysis software, but hopefully the video helps.
Clayton Dukes
On Tue, Dec 21, 2010 at 4:43 PM, Jarrett Lee <jarrett.lee@oversightsystems.com> wrote:

I have syslog-ng 3.0.9 (also tried 3.0.8) on a CentOS 5.5 system, firewall (iptables) turned off, and SELinux disabled. For some reason it refuses to send logs to my log host, though it will put them in my messages file. I've even broken out tcpdump to monitor the port while generating logs to see if I can see any network traffic generated, but it's crickets on the wire.
Anybody have this problem? Is there something I'm missing, perhaps I've been looking at it for too long and need fresh eyes? I've had this working before on other platforms, Solaris and other distros of Linux, but this time it's kicking my butt...
Here's my syslog-ng.conf (with IP and port redacted):

#### BEGIN syslog-ng.conf ####
@version: 3.0

options { };

source src {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg" program_override("kernel: "));
};

destination local { file("/var/log/messages"); };
destination loghost { tcp("IPADDR" port(PORT)); };

log { source(src); destination(local); };
log { source(src); destination(loghost); };
#### END syslog-ng.conf ####
Thanks, Jarrett
Jarrett Lee, UNIX Administrator
OVERSIGHT SYSTEMS | http://www.oversightsystems.com/

Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
-- alan dot mckinnon at gmail dot com
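The root cause in this thread was editing /etc/syslog-ng.conf while the daemon was loading /opt/syslog-ng/etc/syslog-ng.conf. The script below is an added example (not from the thread or the syslog-ng project) that reads the running daemon's command line to find the config file it was actually started with, compares it with the file you are editing, and syntax-checks it; it assumes Linux procps `ps -C`, the real syslog-ng options `-f`/`--cfgfile` and `-s` (syntax check only), and a compiled-in default path that varies per package, so the default used here is an assumption.

```shell
#!/bin/sh
# Added example: which syslog-ng.conf does the running daemon actually read?
# The command lines fed to cfg_from_cmdline in the checks are constructed.

# Extract the config path from a syslog-ng command line. If no -f/--cfgfile
# argument is present, fall back to the compiled-in default given as $2
# (assumed here; the real default depends on how syslog-ng was packaged).
cfg_from_cmdline() {
    cmdline=$1
    default=${2:-/etc/syslog-ng/syslog-ng.conf}
    set -- $cmdline
    while [ $# -gt 0 ]; do
        case $1 in
            -f|--cfgfile) shift; printf '%s\n' "$1"; return 0 ;;
            --cfgfile=*)  printf '%s\n' "${1#--cfgfile=}"; return 0 ;;
        esac
        shift
    done
    printf '%s\n' "$default"
}

# Is the file being edited ($2) the one the daemon with command line $1 loads?
# $3 is the optional compiled-in default. Returns 0 when they match.
editing_right_file() {
    [ "$(cfg_from_cmdline "$1" "$3")" = "$2" ]
}

# Live check against the real daemon: report its config file, warn if it is
# not the file you are editing, then parse that file without restarting.
check_running_daemon() {
    editing=$1
    args=$(ps -o args= -C syslog-ng | head -n 1)
    cfg=$(cfg_from_cmdline "$args")
    echo "running daemon reads: $cfg"
    if ! editing_right_file "$args" "$editing"; then
        echo "WARNING: you are editing $editing, not $cfg"
    fi
    # -s parses the configuration and exits; -f selects the file to parse.
    syslog-ng -s -f "$cfg" && echo "syntax OK: $cfg"
}

if command -v syslog-ng >/dev/null 2>&1; then
    check_running_daemon "${1:-/etc/syslog-ng.conf}"
fi
```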