Argh... Can someone tell me why a sniffer shows no traffic passing to the destination when using this config? I've tried everything I can think of...what am I doing wrong?

##############################
# Loglogic dump
##############################
options {
    sync(0);
    log_fifo_size(1024);
    chain_hostnames(no);
    use_fqdn(yes);
    use_dns(yes);
    dns_cache(yes);
    dns_cache_expire(300);
    dns_cache_expire_failed(10);
    dns_cache_size(1024);
    keep_hostname(yes);
};

source snet { tcp(); udp(); };

filter f_loglogic { level(debug..emerg) and facility(local0, local1, local2, local3, local4, local6, local7); };

destination LogLogic { tcp("10.24.2.39" port(514) log_fifo_size(60000) template("<$PRI> $R_DATE $SOURCEIP $MSG\n") ); };

log { source(snet); filter(f_loglogic); destination(LogLogic); };
##############################
# END Loglogic dump
##############################

When I telnet to my router and generate a SYS-5-CONFIG, I see the packet come into the server:

#----Start capture
tcpdump dst port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:17:33.211813 IP 10.26.31.2.52935 > syslog.net.syslog: SYSLOG local7.notice, length: 105
148 packets captured
297 packets received by filter
0 packets dropped by kernel
#----End capture

But when I try to sniff packets going to the destination server, I see nothing:

/etc/init.d/syslog-ng restart
 * Stopping syslog-ng ...                                   [ ok ]
 * Starting syslog-ng ...

#----Start capture - note that the entries below are from syslog-ng restarting, so I know it establishes a connection...
tcpdump dst host 10.24.2.39
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:24:40.401037 IP syslog.net.56631 > .shell: F 1487912722:1487912722(0) ack 91904650 win 1460 <nop,nop,timestamp 866281169 157842259>
10:24:40.407670 IP syslog.net.56631 > .shell: . ack 2 win 1460 <nop,nop,timestamp 866281177 158151244>
10:24:43.014989 IP syslog.net.42848 > .shell: S 1805017512:1805017512(0) win 5840 <mss 1460,sackOK,timestamp 866283785 0,nop,wscale 2>
10:24:43.015885 IP syslog.net.42848 > .shell: . ack 425051406 win 1460 <nop,nop,timestamp 866283786 158153852>
#----End capture

What am I missing here?

Thanks!
Clayton
I found the problem - typo in config...sheesh

________________________________
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Dukes Clayton
Sent: Thursday, September 28, 2006 10:29 AM
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] Forwarding to a Loglogic device
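The reply pins the problem on a typo in the config. As an added example, not code from the thread, here is a small Python checker for configs in the shape of the one posted: it flags log{} statements that reference a source, filter or destination that is never defined, and replays the router's local7.notice message from the first capture through the filter to show which defined destination it would reach. The sample config is constructed to resemble the posted one, and its misspelt destination reference is an assumed typo, since the actual one was not posted.

```python
import re
# Constructed sample shaped like the posted config; the misspelt reference in the
# log{} line is an assumed typo, since the actual typo was not posted.
SAMPLE_CONF = """
source snet { tcp(); udp(); };
filter f_loglogic { level(debug..emerg) and facility(local0, local1, local2,
    local3, local4, local6, local7); };
destination LogLogic { tcp("10.24.2.39" port(514)); };
log { source(snet); filter(f_loglogic); destination(Loglogic); };
"""
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
BLOCK_RE = re.compile(r"\b(source|filter|destination|log)\s*(\w*)\s*\{(.*?)\};", re.S)
REF_RE = re.compile(r"\b(source|filter|destination)\((\w+)\)")

def parse(conf):
    """Return ({kind: {name: body}}, [log-path refs]) for a syslog-ng style config."""
    objs, paths = {"source": {}, "filter": {}, "destination": {}}, []
    for kind, name, body in BLOCK_RE.findall(conf):
        if kind == "log":
            paths.append(dict(REF_RE.findall(body)))
        else:
            objs[kind][name] = body
    return objs, paths

def dangling_refs(conf):
    """Names used in log{} statements that no source/filter/destination defines."""
    objs, paths = parse(conf)
    return [f"{k}({v})" for p in paths for k, v in p.items() if v not in objs[k]]

def filter_matches(expr, facility, level):
    """Evaluate level(a..b)/facility(...) terms joined by 'and' for one message."""
    for term in (t.strip().rstrip(";").strip() for t in expr.split(" and ")):
        if m := re.fullmatch(r"level\((\w+)\.\.(\w+)\)", term):
            lo, hi = sorted(LEVELS.index(m.group(i)) for i in (1, 2))
            if not lo <= LEVELS.index(level) <= hi:
                return False
        elif m := re.fullmatch(r"facility\(([^)]*)\)", term):
            if facility not in {f.strip() for f in m.group(1).split(",")}:
                return False
        else:
            raise ValueError(f"unsupported filter term: {term}")
    return True

def destinations_for(conf, facility, level):
    """Defined destinations a message with this facility/level actually reaches."""
    objs, paths = parse(conf)
    return [p["destination"] for p in paths
            if p.get("destination") in objs["destination"]
            and (p.get("filter") is None or p["filter"] in objs["filter"]
                 and filter_matches(objs["filter"][p["filter"]], facility, level))]
```

The same replay also shows that the posted facility list skips local5, so a local5 message would be dropped by the filter rather than forwarded.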