On Wed, Sep 12, 2012 at 11:39 AM, Sandor Geller <Sandor.Geller@morganstanley.com> wrote:
Hi,

I don't see anything obvious. Could you check whether there are other
apps listening on 172.30.6.70:514 ? In other words grep for 514 in the
netstat output not for syslog. Are there packet filter rules dropping
incoming traffic?

Regards,

Sandor
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq


@ Sandor Geller

Thanks for your response. The port 514 is for syslog-ng as it is defined in the services file :

~# cat /etc/services | grep 514
shell        514/tcp        cmd        # no passwords used
syslog-ng    514/udp

~# netstat -a --numeric-ports | grep 514
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN    
udp        0      0 0.0.0.0:514             0.0.0.0:*                         
unix  3      [ ]         STREAM     CONNECTED     1514    

As you can see there is only the syslog-ng running on that port.


On Wed, Sep 12, 2012 at 11:45 AM, Gergely Nagy <algernon@balabit.hu> wrote:
Alex Clone <alexandros.clone@gmail.com> writes:

> *~# tcpdump -i eth0 udp 'port 514' -v
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535
> bytes
> 06:05:58.669992 IP (tos 0x0, ttl 254, id 20209, offset 0, flags [none],
> proto UDP (17), length 82)
>     172.29.1.6.syslog-ng > 172.30.6.70.syslog-ng: SYSLOG, length: 54
>     Facility local4 (20), Severity debug (7)
>     Msg: %ASA-7-609001: Built local-host WAN:172.30.254.4\0x0a
> 06:05:58.670134 IP (tos 0x0, ttl 254, id 52, offset 0, flags [none], proto
> UDP (17), length 85)
>     172.29.1.6.syslog-ng > 172.30.6.70.syslog-ng: SYSLOG, length: 57
>     Facility local4 (20), Severity debug (7)
>     Msg: %ASA-7-609001: Built local-host outside:172.26.10.4\0x0a
> ………..*

These look like CISCO logs, which do not conform to the format syslog-ng
expects, and as such, they're not recognised and not processed either.

If you just want to store them as-is, I'd recommend using the
flags(no-parse) setting in the s_network source, like this:

 source s_network {
         tcp(flags(no-parse));
         udp(flags(no-parse));
 };

--
|8]

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq


@ Gergely Nagy

Thanks for your response and your recommendation. I change the source block to the one that you mail me. The result is exactly the same. Syslog-ng cannot read the stream.

By the way, when I tried to log local data using the internal(); option to the source block, syslog-ng worked perfectly. All the data logged to the given file. So, the problem, I have to solve, is why syslog-ng cannot read the interface eth0 (udp).

Thanks in advance,
Alex