Hello!

Can someone help me with network logging with syslog-ng:

# rpm -q syslog-ng
syslog-ng-3.25.1.239.g0535e8a-1.el7.x86_64
# rpm -qf /etc/os-release
centos-release-7-7.1908.0.el7.centos.x86_64

The server is a CentOS 7 x86_64 VM.

/etc/syslog-ng/syslog-ng.conf is in the default configuration (no changes made from the installed rpm package); the additional configuration is in:

# cat conf.d/mtcaptive.conf
source s_mtcaptive {
    network( ip("0.0.0.0") port(3514) transport("udp"));
};
destination d_mtcaptive {
    file("/var/log/mt-captive-remote");
};
log {
    source(s_mtcaptive);
    destination(d_mtcaptive);
};

If I try to log a test message with logger on localhost (where syslog-ng runs):

[root@localhost syslog-ng]# logger -d -i -n 172.16.3.50 -P 3514 "test from localhost"

it does work and appears in /var/log/mt-captive-remote:

$ tail -1 /var/log/mt-captive-remote
Feb 19 06:15:01 172.16.3.50 root[11326]: test from localhost

But if I try the same command on a nearby host (vm2, same L2 network, but a different IP network), it is not logged, although the UDP packet with the test message is received by the host:

[root@vm2 ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from vm2"

Back on the syslog-ng host:

# ngrep -d ens224 -n 10 "test from" "udp and port 3514"
interface: ens224 (172.16.3.0/255.255.255.0)
filter: ( udp and port 3514 ) and ((ip || ip6) || (vlan && (ip || ip6)))
match: test from
########## [...]
U 100.64.128.5:24046 -> 172.16.3.50:3514 #218
  <5>Feb 19 06:20:27 root[31663]: test from vm2.
########## [...] ^Cexit
319 received, 1 matched

Looking at socket status on the syslog-ng host:

# ss -unlp | grep 3514
UNCONN 0 0 *:3514 *:* users:(("syslog-ng",pid=11198,fd=23))

No firewall or iptables rules (default all ACCEPT).
Can someone suggest why syslog-ng does not log remote messages to my destination file? Thanks.
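As an added illustration (not code from the thread, and not syslog-ng's own code): a small Python script that decodes the two messages quoted in the post the way a BSD-syslog (RFC 3164 style) receiver would, and does a UDP round trip on 127.0.0.1 to show the "was the datagram delivered to the bound socket" check in code. The regular expression is a simplified parser written for this example, not syslog-ng's parser; the two sample lines are copied from the post, and the loopback message in main() is constructed.

```python
"""Added example (not code from the thread or from syslog-ng): decode the
BSD-syslog (RFC 3164 style) datagrams that logger sends and syslog-ng's
network() source receives, and do a loopback UDP round trip.

The two sample lines are copied from the thread; the regex is a simplified
parser written for this example, not syslog-ng's own, and the loopback round
trip in main() is a constructed demonstration on 127.0.0.1.
"""
import re
import socket

# Sample lines taken from the thread: the line syslog-ng wrote for the
# localhost test, and the datagram ngrep captured from vm2.
STORED_LOCALHOST = "Feb 19 06:15:01 172.16.3.50 root[11326]: test from localhost"
WIRE_VM2 = "<5>Feb 19 06:20:27 root[31663]: test from vm2."

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> TIMESTAMP [HOSTNAME] TAG[PID]: MSG.  HOSTNAME is optional because logger
# (as in the vm2 capture above) does not put one on the wire; syslog-ng then
# records the sender address instead, which is why the stored line has one.
_BSD_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:(?P<host>[^\s:\[]+) )?"
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def decode_pri(pri: int) -> tuple:
    """Split the PRI value into (facility, severity) names: PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_bsd_syslog(line: str) -> dict:
    """Parse one BSD syslog message into its fields; raise ValueError if it does not fit."""
    m = _BSD_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a BSD syslog message: {line!r}")
    # RFC 3164 tells a receiver to assume <13> (user.notice) when PRI is missing.
    pri = int(m["pri"]) if m["pri"] is not None else 13
    facility, severity = decode_pri(pri)
    return {
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "timestamp": m["ts"],
        "host": m["host"],                      # None when absent on the wire
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


def udp_roundtrip(payload: bytes, port: int = 0) -> dict:
    """Bind a UDP listener on 127.0.0.1 (port 0 = ephemeral), send payload to it
    from a second socket and return the parsed datagram plus the peer address.
    Mirrors the thread's check: is the datagram delivered to the bound socket?"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", port))
        srv.settimeout(2.0)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
            cli.sendto(payload, srv.getsockname())
        data, peer = srv.recvfrom(65535)
    parsed = parse_bsd_syslog(data.decode("utf-8", "replace"))
    parsed["peer"] = peer[0]
    return parsed


if __name__ == "__main__":
    for line in (STORED_LOCALHOST, WIRE_VM2):
        print(parse_bsd_syslog(line))
    # Constructed message: <13> is user.notice, the default priority logger uses.
    print(udp_roundtrip(b"<13>Feb 19 06:30:00 vm2 root[1]: constructed loopback test"))
```

Run with python3. parse_bsd_syslog(WIRE_VM2) decodes <5> to facility kern, severity notice, and reports host None, since logger put no HOSTNAME field on the wire; the stored localhost line carries 172.16.3.50 because syslog-ng substituted the sender address (its own, for the localhost test). udp_roundtrip() is the socket-level counterpart of the ss/ngrep checks in the post: it proves that a datagram reaches a bound UDP socket independently of what any log daemon does with it afterwards.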
Dear Anatoly,

I would recommend you to stop the syslog-ng service, and start it in the foreground, in debug mode, with:

# syslog-ng -Fedv

Or possibly direct all its output to a file, and then try sending in the test logs, and subsequently check the debug output to see whether syslog-ng has received the logs. (It will report all incoming logs, so in the debug output you should see it even if it's not written to the destination file for some reason.) Also in the debug output you should see any file creation related error messages, if there are any. If you don't see your test logs in the debug output, then the cause is likely something outside of syslog-ng's scope.

BTW do you have SELinux enabled? (I would not think so though, because syslog-ng was allowed to bind to UDP/3514, a non-standard port, which SELinux would prevent, if in enforcing mode.)

Best Regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692 <https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari
__@__˚V˚ Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp

Anatoly Pugachev <matorola@gmail.com> wrote (on Wed, 19 Feb 2020, 12:29):
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
On Wed, Feb 19, 2020 at 2:50 PM SZIGETVÁRI János <jszigetvari@gmail.com> wrote:
Janos,

here's attached syslog-ng-Fedv-log.txt.gz with a log of running syslog-ng with debug options (Fedv). SELinux is disabled.

Command sequence:

[root@localhost ~]# getenforce
Disabled
[root@localhost ~]# systemctl stop syslog.socket
[root@localhost ~]# systemctl stop syslog-ng
[root@localhost ~]# ps ax | grep syslog
11997 pts/0 S+ 0:00 grep --color=auto syslog
[root@localhost ~]# cd /etc/syslog-ng/
[root@localhost syslog-ng]# syslog-ng -s -f syslog-ng.conf
[root@localhost syslog-ng]# echo $?
0
[root@localhost syslog-ng]# syslog-ng -Fedv

(start logging and open another terminal window)

[root@localhost ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from localhost"
[root@vm2 ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from vm2"

back to the running syslog-ng log and stop it (CTRL-C on syslog-ng -Fedv)
Hi Anatoly,

Thank you for the debug log! It clearly shows that syslog-ng does not get the remote log at all.

Could you please run the syslog-ng-debun script with the following parameters, and send me the resulting tgz file?

# syslog-ng-debun -r -P "port 3514" -D "-Fedv" -t 90

This will run syslog-ng in debug mode for 90 seconds, and will also create a network traffic dump of the syslog traffic. Please try sending the test logs from the other VM while it is running.

Thanks,
János

Anatoly Pugachev <matorola@gmail.com> wrote (on Wed, 19 Feb 2020, 16:02):