Have you disabled any other syslog servers that might be listening on UDP 514? Rsyslog, etc.? (ps aux | grep syslog) Try (temporarily) disabling SELinux and keep the firewall turned off.
See if you can start syslog-ng in the foreground and see what you get (syslog-ng -Fed)
Damian Bell Infrastructure Engineer | Support | H Clarkson & Co Ltd |
Email: Damian.Bell@clarksons.com |
From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu]
On Behalf Of Tim Tyler
Sent: 24 February 2017 15:07
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Can't get basic syslog to work for my firewall logs?
Syslog-ng experts.
I am very new to syslog-ng. I installed syslog-ng on a fresh Red Hat 7.3 server. It defaults to working with internal logging. So I configured my firewall to send syslog with facility set to log_user. I turned on Wireshark on the syslog-ng server and observed the firewall sending traffic to the server on UDP 514.
But the syslog server never created the directory structure and logs. I disabled the Red Hat firewall just to eliminate it as a possibility. Still no logging. So I don’t know what I am doing wrong at this point. I don’t know if this is a permission problem or some other configuration issue. I found someone that had posted a very basic syslog-ng configuration for firewalls. So I copied it into a firewall.conf I put in conf.d. Can anyone see what might be wrong with it?
####################
options {
    create_dirs(yes);
    owner(root);
    group(root);
    perm(0640);
    dir_owner(root);
    dir_group(root);
    dir_perm(0750);
};
##################################################
source s_udp {
    udp(port(514));
};
#Template for a new firewall in the firewalls.conf file
#Entries to be changed: NAMEOFTHEFIREWALL and IPOFTHEFIREWALL
##################################################
filter f_NAMEOFTHEFIREWALL {
    host("192.168.30.1");
};
destination d_NAMEOFTHEFIREWALL {
    file("/var/log/firewalls/PA/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.PA.log");
};
log {
    source(s_udp);
    filter(f_NAMEOFTHEFIREWALL);
    destination(d_NAMEOFTHEFIREWALL);
};
Tim Tyler
Network Engineer
Beloit College
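
The first check suggested in the reply at the top of this thread (is another syslog daemon such as rsyslog already bound to UDP 514?), as an added example that is not part of the original messages. The function names and the sample `ss -lunp` output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -lunp` output (not taken from the thread):
# rsyslogd holds UDP 514 on IPv4 and IPv6, chronyd is unrelated.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:514        0.0.0.0:*   users:(("rsyslogd",pid=1044,fd=5))
UNCONN 0      0      [::]:514           [::]:*      users:(("rsyslogd",pid=1044,fd=6))
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*   users:(("chronyd",pid=812,fd=5))'

# udp514_owners: read `ss -lunp` text on stdin and print the unique names of
# processes bound to port 514. Prints "unknown" when the socket is listed
# without a users:(...) column (ss was run without root).
udp514_owners() {
    awk '
    {
        hit = 0
        for (i = 1; i <= NF; i++) if ($i ~ /:514$/) hit = 1
        if (!hit) next
        line = $0; found = 0
        while (match(line, /\("[^"]+"/)) {
            print substr(line, RSTART + 2, RLENGTH - 3)
            line = substr(line, RSTART + RLENGTH)
            found = 1
        }
        if (!found) print "unknown"
    }' | sort -u
}

# check_udp514: classify the listener state from the same input.
#   none          no process is bound, so nothing receives the datagrams
#   conflict:...  something other than syslog-ng (or an unidentified
#                 process) owns the port
#   ok            only syslog-ng is bound
check_udp514() {
    owners=$(udp514_owners)
    if [ -z "$owners" ]; then
        echo "none"
        return 0
    fi
    others=$(printf '%s\n' "$owners" | grep -vx 'syslog-ng' || true)
    if [ -n "$others" ]; then
        echo "conflict:$(printf '%s' "$others" | tr '\n' ',')"
        return 0
    fi
    echo "ok"
}

# Live use (as root): ss -lunp | check_udp514
printf '%s\n' "$SAMPLE_SS" | check_udp514
```

A `conflict` result means the packets seen in Wireshark are being delivered to a different daemon, which would match the symptom of syslog-ng never creating its log directories.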