Re: [syslog-ng] syslog-ng is ignoring a network source
Hello Laci,
Thanks a lot! It turned out that my second firewall does not come through to netcat on port 514, even if I turned off the firewall completely. It's all running a Security Onion host and now I'm wondering if the IDS/IPS is fooling me and is blocking the traffic (but I don't notice any alerts related to the IP of the second firewall ...). However, any other ideas?
Best regards
Benjamin Bruns
IT Security Manager
CYPP GmbH
Gotenstrasse 15
20097 Hamburg
Germany
Phone: +49 40 237 34-285
Mobile: +49 160 3230 655
Email: benjamin.bruns@cypp.de
www.cypp.de | www.plathgroup.com
Registered office: Hamburg
Commercial register: HRB 132781 Amtsgericht Hamburg
VAT ID DE 298033875
Authorised managing director: Maya von Holdt
This message is strictly confidential and intended solely for the use of the addressee. It is not allowed to copy or disseminate this message. Please notify the sender by e-mail or telephone if you have received this message by mistake and delete this message immediately.
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Laszlo Szemere (lszemere)
Sent: Friday, 28 August 2020 13:41
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] syslog-ng is ignoring a network source
Hello Ben,
nc -u -l -p 514
-u : use UDP
-l : listen in server mode, instead of sending
-p : defines port number
(If you need, you can also specify the local IP address to bind to with the -s option.)
Br,
Laci
________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Bruns, Benjamin <Benjamin.Bruns@cypp.de>
Sent: Friday, August 28, 2020 13:29
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] syslog-ng is ignoring a network source
Hello Laci,
how do I check that by using netcat?
Cheers, Ben
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Laszlo Szemere (lszemere)
Sent: Friday, 28 August 2020 12:21
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] syslog-ng is ignoring a network source
Hello Ben,
our experience shows that having logs in Wireshark doesn't necessarily mean that they reach the applications. (Wireshark captures packets on the interface level.)
So as a first step I would recommend to clarify that the logs from the second host indeed reach Syslog-ng. (For UDP logs netcat usually is enough.)
Once it is clear that those logs reach the application level, we can focus on debugging Syslog-ng.
By starting Syslog-ng with the following options, it would be much easier to examine the flow of messages:
syslog-ng -Fdevt
-F : start it in the foreground
-d : debug mode
-e : log messages to stderr
-v : increases verbosity
-t : also enable trace messages
Note: With these options enabled, Syslog-ng will produce a LOT of messages. So if you can turn off other logging sources temporarily, then it will be much easier to read those logs.
At this point you should start to receive this kind of debug message, which will indicate that Syslog-ng received the log messages from your host:
[2020-08-28T10:09:43.289660] Incoming log entry; line='hello world'
From this point the easiest way is to start with a minimal config, and build up your final configuration step by step, checking incoming logs at each step.
Br,
Laci
________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Bruns, Benjamin <Benjamin.Bruns@cypp.de>
Sent: Friday, August 28, 2020 11:53
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] syslog-ng is ignoring a network source
Hello!
I try to send syslogs from two firewalls to my syslog-ng host. The first one worked immediately, but the logs of the second firewall seem to be ignored. Both syslogs come in via UDP on port 514 and I can see them in Wireshark on my syslog-ng host, but for my second firewall they disappear into a black hole. Both have Logstash as their destination configured. Any ideas? Thanks in advance!
Cheers, Ben
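The bring-up sequence Laci lays out above (confirm socket-level delivery with netcat, then run syslog-ng in the foreground with -Fdevt on a minimal config and watch for the "Incoming log entry" lines) as an added shell helper. This is example code written for this page, not code from the thread or from the syslog-ng project. It assumes port 514, the placeholder file paths held in the variables, and an @version value that you replace with what your own syslog-ng reports; the sample debug lines other than the one quoted in the thread are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the syslog-ng project:
# a helper that walks the bring-up steps described on the list. The port
# (514), the file paths and the @version value are assumptions; adjust them.

SYSLOG_PORT=${SYSLOG_PORT:-514}
MIN_CONF=${MIN_CONF:-/tmp/syslog-ng-minimal.conf}
MIN_LOG=${MIN_LOG:-/tmp/syslog-ng-minimal.log}

# Step 1: a minimal config, one UDP network source straight into a file,
# so that no parser, filter or the Logstash destination can hide messages.
# The @version line is an assumption; use the value `syslog-ng --version`
# reports on your host.
write_min_config() {
    cat > "$1" <<EOF
@version: 3.29
source s_udp { network(ip("0.0.0.0") port($SYSLOG_PORT) transport("udp")); };
destination d_file { file("$MIN_LOG"); };
log { source(s_udp); destination(d_file); };
EOF
}

# Step 2: keep only the received messages from the -Fdevt flood on stdin,
# printing the payload of each "Incoming log entry; line='...'" line.
extract_incoming() {
    sed -n "s/^.*Incoming log entry; line='\(.*\)'.*$/\1/p"
}

# Number of messages syslog-ng reported as received.
count_incoming() {
    extract_incoming | wc -l | tr -d ' '
}

# Constructed sample of what -Fdevt prints: the first line is the one quoted
# in the thread, the other two are made up to show the filtering.
SAMPLE_DEBUG="[2020-08-28T10:09:43.289660] Incoming log entry; line='hello world'
[2020-08-28T10:09:43.290100] (constructed noise line that is not a message)
[2020-08-28T10:09:44.100000] Incoming log entry; line='<134>Aug 28 10:09:44 fw2 test from second firewall'"

# All steps together, to be run by hand on the syslog-ng host (not invoked
# automatically). Binding port 514 needs root or CAP_NET_BIND_SERVICE, and
# the netcat check must run while syslog-ng is stopped, because a plain UDP
# socket cannot share the port with the daemon.
run_bringup() {
    echo "1) socket-level delivery check; press Ctrl-C once a message shows up:"
    nc -u -l -p "$SYSLOG_PORT"
    echo "2) writing the minimal config to $MIN_CONF and checking its syntax"
    write_min_config "$MIN_CONF"
    syslog-ng -s -f "$MIN_CONF" || return 1
    echo "3) foreground debug run; only received messages are printed:"
    syslog-ng -Fdevt -f "$MIN_CONF" 2>&1 | extract_incoming
}
```

Run `run_bringup` as root on the receiving host. The sed filter reduces the -Fdevt output to one line per received message, which is exactly the check Laci suggests repeating at each step while the configuration (parsers, then the Logstash destination) is built back up; if step 1 already shows nothing for the second sender, the problem is below the application and syslog-ng debugging can wait.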
Hi Benjamin,
Is it possible that you are dealing with a routing problem? I.e., the incoming packet not arriving at the interface where the system expects it based on the routing table? If that is the case, the traffic is silently dropped by the kernel. For more information about the topic, please see: https://www.thegeekdiary.com/how-to-interpret-linux-martian-source-messages/
Best Regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692
LinkedIn: linkedin.com/in/janosszigetvari
__@__˚V˚ Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp
Bruns, Benjamin <Benjamin.Bruns@cypp.de> wrote (on Friday, 28 August 2020, 19:58):
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Hello János,
you made my day: Reverse Path Filtering was the issue! Your hint was not clear to me in the first place, but a friend of mine has now pointed me in the same direction. I changed rp_filter from 1 to 2 for the receiving interface and now it works fine!
Best regards
Benjamin Bruns
IT Security Manager, CYPP GmbH
-----Original message-----
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of SZIGETVÁRI János
Sent: Saturday, 29 August 2020 19:06
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] syslog-ng is ignoring a network source
Hi Benjamin,
Is it possible that you are dealing with a routing problem? I.e., the incoming packet not arriving at the interface where the system expects it based on the routing table? If that is the case, the traffic is silently dropped by the kernel. For more information about the topic, please see: https://www.thegeekdiary.com/how-to-interpret-linux-martian-source-messages/
Best Regards,
János
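The check that would have found Ben's problem without guesswork, as an added example (written for this page, not code from the thread): János's "silently dropped by the kernel" is Linux reverse path filtering, and Ben's fix was rp_filter 1 (strict) to 2 (loose) on the receiving interface. The audit below classifies each interface's effective mode, flags strict ones, and prints the sysctl commands that first make such drops visible as "martian source" kernel messages and then relax the mode. The interface names in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit Linux reverse path
# filtering (rp_filter) and print the sysctl commands that make the
# kernel's silent drops visible and apply loose mode to an interface.
# Interface names in the constructed sample are assumptions.

# rp_filter values, per the kernel's ip-sysctl documentation:
#   0 = no source validation
#   1 = strict (RFC 3704): a packet is dropped when the best route back to
#       its source does not leave through the interface it arrived on
#   2 = loose: dropped only when the source is unreachable via any interface
rp_mode_name() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# The kernel validates with max(conf/all/rp_filter, conf/<iface>/rp_filter):
# a 2 on the interface relaxes an all=1, but a 0 on the interface does not.
rp_effective() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# $1 is conf/all/rp_filter; stdin carries "iface value" pairs. Prints
# "iface effective mode" per interface and returns 1 if any interface is
# effectively strict, the mode that silently discards datagrams whose
# reverse route leaves via another interface (asymmetric routing).
rp_audit() {
    all=$1; rc=0
    while read -r iface value; do
        [ -n "$iface" ] || continue
        eff=$(rp_effective "$all" "$value")
        printf '%s %s %s\n' "$iface" "$eff" "$(rp_mode_name "$eff")"
        if [ "$eff" -eq 1 ]; then rc=1; fi
    done
    return $rc
}

# Live variant for a Linux host: feeds the /proc/sys values into rp_audit.
rp_audit_live() {
    base=/proc/sys/net/ipv4/conf
    [ -r "$base/all/rp_filter" ] || { echo "no rp_filter sysctl here" >&2; return 2; }
    for f in "$base"/*/rp_filter; do
        i=${f#"$base/"}; i=${i%/rp_filter}
        case "$i" in all|default|lo) continue ;; esac
        printf '%s %s\n' "$i" "$(cat "$f")"
    done | rp_audit "$(cat "$base/all/rp_filter")"
}

# Prints (does not run) the two sysctl commands for a receiving interface:
# log the drops as "martian source" kernel messages, then relax to loose mode.
rp_fix_commands() {
    printf 'sysctl -w net.ipv4.conf.%s.log_martians=1\n' "$1"
    printf 'sysctl -w net.ipv4.conf.%s.rp_filter=2\n' "$1"
}

# Constructed sample: three interfaces, to be combined with a chosen
# conf/all value when piped into rp_audit.
SAMPLE_IFACES="eth0 1
eth1 0
eth2 2"
```

`rp_audit_live` on the syslog host lists the effective mode per interface and exits non-zero when one is strict; `rp_fix_commands eth0` prints what to apply for the interface the firewall's datagrams actually arrive on (the name is a placeholder). Turning on log_martians before relaxing the filter is worth the extra step: with rp_filter=1 the kernel drops the packets without a trace, which is why Wireshark showed them and netcat did not, and the logged martian messages turn that silence into something a detection pipeline can pick up.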
Hi Benjamin,
I'm glad I could help!
Best regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692
LinkedIn: linkedin.com/in/janosszigetvari
Bruns, Benjamin <Benjamin.Bruns@cypp.de> wrote (on Tuesday, 1 September 2020, 10:51):
Hello János,
you made my day: Reverse Path Filtering was the issue! Your hint was not clear to me in the first place, but a friend of mine pointed me now in the same direction. I changed rp_filter from 1 to 2 for the receiving interface and now it works fine!
participants (2)
- Bruns, Benjamin
- SZIGETVÁRI János