Hi,

I have configured a syslog-ng server to capture network logs. I am able to fetch network logs from three devices. But for the fourth network device, I can see packets getting polled into the syslog server on port 514 by using the tcpdump command, yet I cannot find the network device in the syslog-ng front end.

Syslog OS: CentOS release 6.5 (Final)
Syslog version: syslog-ng 3.2.5

Along with this mail I have attached the configuration file of the syslog-ng server.

Please help me to resolve this issue.

Regards,
N.B. RIAZ AHMED (9047166496)
https://www.csscorp.com/email-disclaimer
Are you sure the packet filter accepts that kind of traffic? Your configuration seems to treat all such hosts equivalently.

On Tue, Aug 5, 2014 at 8:21 AM, Riyas Ahamed <Riyas.Ahamed@csscorp.com> wrote:
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi
Hi Team,

I am sure the packet filter accepts that kind of traffic because iptables and SELinux are in disabled mode, but still I cannot find the network device in the syslog-ng front end.

Please help me.

Thanks
Riaz Ahmed

From: syslog-ng-bounces@lists.balabit.hu on behalf of Balazs Scheidler [bazsi77@gmail.com]
Sent: Tuesday, August 05, 2014 7:29 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] FW: Syslog Problem
Do you have a fallback destination defined? (flags(fallback))

I had a case where I couldn't find my log lines and it turned out to be that the source was sending some weird facility that never matched any of my filters.

On 08/06/2014 05:58 AM, Riyas Ahamed wrote:
--
Evan Rempel
erempel@uvic.ca
Senior Systems Administrator 250.721.7691
Data Centre Services, University Systems, University of Victoria
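Evan's point above, that a message whose facility matches none of the filters simply vanishes unless some log statement carries flags(fallback), is easiest to see with the PRI arithmetic written out. The following Python script is an added example and is not code from the thread or from syslog-ng: it decodes the RFC 3164 <PRI> header into facility and severity and routes constructed sample datagrams through a facility-only filter, once without and once with a fallback path. The device names, addresses, sample messages, the d_network/d_fallback names and the filter set are all constructed for illustration; a real syslog-ng filter can test any field, and this toy model only looks at the facility.

```python
"""Added example (not from the thread): RFC 3164 PRI decoding and a toy model of
syslog-ng log-path routing with and without a flags(fallback) path."""
import re
from collections import Counter

# Facility and severity names in RFC 3164 numbering (syslog-ng spellings).
# PRI = facility * 8 + severity, so facility = PRI >> 3 and severity = PRI & 7.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp security console solaris-cron local0 local1 local2 "
              "local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(datagram):
    """Return (facility, severity) names for one syslog datagram.

    A datagram with a missing or out-of-range <PRI> is treated as <13>
    (user.notice), the default that RFC 3164 section 4.3.3 tells a relay to use.
    """
    m = PRI_RE.match(datagram)
    pri = int(m.group(1)) if m else 13
    if pri > 191:               # 23 * 8 + 7 is the largest legal PRI
        pri = 13
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def route(datagrams, log_paths, fallback=None):
    """Toy model of a set of syslog-ng log statements with facility filters.

    log_paths maps a destination name to the set of facilities its filter
    accepts (None means no filter).  A message that matched no log path goes
    to `fallback`, as it would to a log statement carrying flags(fallback);
    without a fallback it is dropped without any error, which is what makes
    this failure mode invisible.  Returns destination -> message count.
    """
    delivered = Counter()
    for dgram in datagrams:
        facility, _severity = parse_pri(dgram)
        hits = [name for name, accepted in log_paths.items()
                if accepted is None or facility in accepted]
        if not hits:
            hits = [fallback if fallback else "<dropped>"]
        delivered.update(hits)
    return delivered


# Constructed sample traffic: three devices log at local7 (PRI 189/190 =
# local7.notice / local7.info), the fourth device was set to local4
# (PRI 166 = local4.info) and one of its datagrams carries no PRI at all.
SAMPLE = [
    "<189>sw1: %LINK-5-CHANGED: Interface Gi0/1, changed state to up",
    "<190>sw2: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5 started",
    "<189>fw1: %ASA-5-111008: User 'admin' executed the 'write memory' command",
    "<166>rtr4: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.7(4242) -> 10.0.0.9(22), 1 packet",
    "rtr4: %SYS-5-CONFIG_I: Configured from console by admin",
]

# A typical "network devices only" filter: accept local7 and nothing else.
NETWORK_PATHS = {"d_network": {"local7"}}


def demo():
    """Route the sample with and without a fallback path."""
    strict = route(SAMPLE, NETWORK_PATHS)
    with_fallback = route(SAMPLE, NETWORK_PATHS, fallback="d_fallback")
    return strict, with_fallback


if __name__ == "__main__":
    for label, result in zip(("no fallback", "with fallback"), demo()):
        print(label, dict(result))
```

Without a fallback the two rtr4 datagrams (local4, and the one with no PRI that decodes as user.notice) are dropped with no error anywhere, which from the front end looks like a device that never logs; with a fallback path they are still delivered and can be inspected to find out which facility the device is really using.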
Hi,

Could you please tell me how to check the fallback destination?

I have attached the configuration file of syslog-ng to this mail.

Please help me to come out of this problem.

Thanks
Riaz Ahmed

From: syslog-ng-bounces@lists.balabit.hu on behalf of Evan Rempel [erempel@uvic.ca]
Sent: Wednesday, August 06, 2014 7:00 PM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng] FW: Syslog Problem
Wow, I should have looked more closely at your config before I added my comments.

You don't need a fallback because you are not filtering your s_network source.

You are using a MySQL database as your back end. This complicates things greatly. I recommend using a file destination to ensure you are getting everything that you expect. Only then would I (not me actually) be comfortable with storing the data into MySQL.

Under load I have seen MySQL silently drop records. No errors of any kind in the front or back end of the database services. You couldn't pay me to use MySQL :-(

On 08/06/2014 07:57 AM, Riyas Ahamed wrote:
--
Evan Rempel
erempel@uvic.ca
Senior Systems Administrator 250.721.7691
Data Centre Services, University Systems, University of Victoria
Hi,

Could you please tell me how to check whether MySQL silently drops records under load? And could you please tell me what the solution for this problem is?

I look forward to your timely help; it would be highly appreciated!

Thanks
Riaz Ahmed

From: syslog-ng-bounces@lists.balabit.hu on behalf of Evan Rempel [erempel@uvic.ca]
Sent: Wednesday, August 06, 2014 8:38 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] FW: Syslog Problem
> Could you please tell me how to check under load mysql silently drop records

There is no record that this occurs. You need to have an authoritative source of what should be in the database, and then look to see what is actually in the database.

> And could you please tell me what is the solution for this problem?

To be honest, I wasn't very interested in the solution. The database should not have done that to begin with. Depending on load and version of MySQL the problem would go away, or return. I never found a solution because I didn't look too hard for one.
I suggest using a much simplified syslog-ng.conf for testing. Try something like this:

    options {
        check_hostname(yes);   # check if the hostname contains valid characters
        use_dns(no);           # do not resolve names for speed
        dns_cache(no);         # no DNS cache since we do not resolve names
        keep_hostname(yes);    # keep hostnames to enable related macros
        chain_hostnames(no);   # do not track / forward syslog forwarder chain
        # options related to file and directories
        create_dirs(yes);
    };

    destination d_separatedbyhosts {
        file("/data/syslog-ng/$YEAR/$MONTH/$DAY/$HOST_FROM/$HOST_FROM.$FACILITY.$PRIORITY.$YEAR.$MONTH.$DAY");
    };

The destination will automatically split out the data, creating separate directories and files for *anything* received.

I would also suggest a simpler network source (for testing):

    source s_network {
        udp();
        tcp();
    };

    log {
        source(s_network);
        destination(d_separatedbyhosts);
    };

Then when you see a packet come in *TO* the syslog-ng box with tcpdump, you can immediately verify whether or not it is logged. Once that is working, you can move back to your desired configuration file (and if something breaks, you know you are at least getting the logs).

Jim

---- Riyas Ahamed <Riyas.Ahamed@csscorp.com> wrote:
participants (4)
- Balazs Scheidler
- Evan Rempel
- jrhendri@roadrunner.com
- Riyas Ahamed