Syslog-ng not receiving messages
Hi, I am new to syslog-ng and I have gone through other posts to see if I can get a resolution to my problem. Syslog is not writing to the destination file any messages received on udp() or tcp(). I have made sure that the syslog server is receiving the syslog messages, as seen from the tcpdump:

15:09:55.422423 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.warning, length: 153
15:09:55.434638 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 184
15:09:55.470383 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 176
15:09:55.473519 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 190
15:09:55.493361 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 180
15:09:55.493748 IP aspsyslog.sungardebs.com.ssh > nim.sungardebs.com.42703: P 128608:129696(1088) ack 289 win 461 <nop,nop,timestamp 88706531 1310848493>
15:09:55.495519 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 188
15:09:55.495548 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.debug, length: 90
15:09:55.495556 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.debug, length: 85
15:09:55.521115 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.debug, length: 87
15:09:55.521188 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 188
15:09:55.522041 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 175
15:09:55.522212 IP 10.140.141.7.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 164

Here is how my syslog-ng config looks.

@version: 3.0
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
#
options {
    chain_hostnames(no);
    create_dirs(no);
    dir_perm(0755);
    dns_cache(no);
    keep_hostname(yes);
    log_fifo_size(2048);
    log_msg_size(1024);
    log_iw_size(500);
    long_hostnames(on);
    perm(0644);
    stats_freq(3600);
    flush_lines(100);
    time_reopen(10);
    use_dns(no);
    use_fqdn(yes);
    # max_connections(100);
};

source s_all {
    udp(so_rcvbuf(2048576));
    tcp();
    unix-stream("/dev/log");
    internal();
    file("/proc/kmsg");
};

destination d_file_normal { file("/var/log/messages_syslog-ng.log"); };

log { source(s_all); destination(d_file_normal); };

Any help would be greatly appreciated.
Thanks
Hm, maybe a permissions issue with writing? Try putting in /tmp/somefile as the destination and see if that works. Also, you should verify that messages are in fact arriving on the server using tcpdump.

On Wed, Nov 17, 2010 at 3:44 PM, keshava Veerabhadraiah <mv.keshava@gmail.com> wrote:
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
Messages from the kernel and syslog-ng are being written to the destination file, but not the ones coming in on udp 514, as seen below.

[root@aspsyslog ~]# ls -ltr /var/log/messages_syslog-ng.log
-rw-r--r-- 1 root root 24645 2010-11-17 15:32 /var/log/messages_syslog-ng.log

Nov 17 14:28:55 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;
Nov 17 14:29:40 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;
Nov 17 14:30:09 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;
Nov 17 14:36:33 s_all@aspsyslog syslog-ng[4460]: Termination requested via signal, terminating;
Nov 17 14:36:33 s_all@aspsyslog syslog-ng[4460]: syslog-ng shutting down; version='3.1.2'
Nov 17 14:36:40 s_all@aspsyslog syslog-ng[8051]: syslog-ng starting up; version='3.1.2'
Nov 17 14:40:49 s_all@aspsyslog syslog-ng[8051]: Configuration reload request received, reloading configuration;
Nov 17 14:47:07 s_all@aspsyslog syslog-ng[8051]: Termination requested via signal, terminating;
Nov 17 14:47:07 s_all@aspsyslog syslog-ng[8051]: syslog-ng shutting down; version='3.1.2'
Nov 17 14:55:43 s_all@aspsyslog kernel: device eth0 entered promiscuous mode
Nov 17 14:56:09 s_all@aspsyslog kernel: device eth0 left promiscuous mode
Nov 17 14:58:04 s_all@aspsyslog kernel: device eth0 entered promiscuous mode
Nov 17 14:58:11 s_all@aspsyslog kernel: device eth0 left promiscuous mode

On Wed, Nov 17, 2010 at 4:29 PM, Martin Holste <mcholste@gmail.com> wrote:
Here is the syslog-ng stats output, if it helps in any way to debug this further.

Nov 17 13:20:23 s_all@aspsyslog syslog-ng[4460]: Log statistics; processed='global(payload_reallocs)=0', processed='src.internal(s_all#3)=91', stamp='src.internal(s_all#3)=1290021623', processed='global(msg_clones)=0', processed='source(s_all)=92', processed='global(sdata_updates)=0', processed='destination(d_file_normal)=97', processed='center(received)=0', processed='center(queued)=0'

On Wed, Nov 17, 2010 at 4:59 PM, keshava V <mv.keshava@gmail.com> wrote:
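The stats line above counts 92 messages for the source group s_all but 91 for its internal() driver, so only one message so far came from any other driver in the group (/dev/log, /proc/kmsg, udp() or tcp()). As an added example that is not from the thread, this Python script parses syslog-ng "Log statistics" lines of that format and flags a source group whose non-internal traffic is below an expected floor; the floor is an assumption to set from the senders' known message rate, and STATS_LINE is a copy of the posted line.

```python
import re

# Copy of the "Log statistics" line posted in the thread, used as offline sample input.
STATS_LINE = (
    "Nov 17 13:20:23 s_all@aspsyslog syslog-ng[4460]: Log statistics; "
    "processed='global(payload_reallocs)=0', processed='src.internal(s_all#3)=91', "
    "stamp='src.internal(s_all#3)=1290021623', processed='global(msg_clones)=0', "
    "processed='source(s_all)=92', processed='global(sdata_updates)=0', "
    "processed='destination(d_file_normal)=97', processed='center(received)=0', "
    "processed='center(queued)=0'"
)

# One counter looks like  processed='src.internal(s_all#3)=91'
#   type='processed', component='src.internal', instance='s_all#3', value=91
ITEM_RE = re.compile(r"(\w+)='([\w.]+)\(([^)]*)\)=(\d+)'")


def parse_stats(line):
    """Map (type, component, instance) -> int for one 'Log statistics' line."""
    _, sep, body = line.partition("Log statistics;")
    if not sep:
        raise ValueError("not a syslog-ng 'Log statistics' line")
    return {(typ, comp, inst): int(val) for typ, comp, inst, val in ITEM_RE.findall(body)}


def source_health(stats, group, expect_at_least):
    """Split a source group's processed count into internal() messages and the rest.

    At the default stats level syslog-ng reports the group total and the internal()
    driver, not the udp()/tcp()/unix-stream()/file() drivers individually (raise
    stats_level() in the options block for per-driver counters), so the remainder is
    the only measure of what the network and local drivers delivered.
    expect_at_least is an assumed floor derived from the senders' known message rate.
    """
    total = stats.get(("processed", "source", group), 0)
    internal = sum(
        val for (typ, comp, inst), val in stats.items()
        if typ == "processed" and comp == "src.internal" and inst.split("#")[0] == group
    )
    other = total - internal
    return {
        "total": total,
        "internal": internal,
        "other": other,
        "starved": other < expect_at_least,
    }


if __name__ == "__main__":
    stats = parse_stats(STATS_LINE)
    # The posted tcpdump shows several datagrams per 100 ms, so a cumulative
    # non-internal count in the single digits is a collection gap, not a quiet network.
    print(source_health(stats, "s_all", expect_at_least=1000))
```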
Try running the syslog-ng application in debug mode: "syslog-ng -d -v" and see what the output is to the screen for the UDP connection and destination attempts.

From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of keshava V
Sent: Wednesday, November 17, 2010 5:59 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng not receiving messages
Also try: tcpdump udp port 514 to make sure udp is being received - not being blocked by a firewall or something.

Clayton Dukes

On Wed, Nov 17, 2010 at 6:02 PM, Worsham, Michael <mworsham@scires.com> wrote:
We had an old syslog-ng server which was completely configured and working fine, which died. I am using the same IP address, so I can confidently say that the firewall is open and all the messages are arriving at the new server. syslog is writing messages to the destination, but not the messages coming in on udp/tcp 514. I am trying to get it to write to one file and, if that works, then to filter all the messages later by host.
I have attached the tcpdump output here and see info, debug messages making it to this server
17:03:47.495842 IP aspsyslog.filenet-cm > neo.domain: 32289+ PTR? 41.34.73.10.in-addr.arpa. (42)
17:03:47.496324 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
17:03:47.496373 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
17:03:47.496395 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
17:03:47.496530 IP neo.domain > aspsyslog.filenet-cm: 32289 NXDomain* 0/1/0 (128)
17:03:47.497113 IP aspsyslog.ssh > nim.42783: P 48256:49264(1008) ack 97 win 53 <nop,nop,timestamp 93630177 1310858340>
17:03:47.497603 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166
17:03:47.497635 IP nim.42783 > aspsyslog.ssh: . ack 49264 win 32761 <nop,nop,timestamp 1310858341 93630124>
17:03:47.506126 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 86
17:03:47.506169 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 189
17:03:47.521584 IP 10.140.130.20.filenet-pa > aspsyslog.syslog: SYSLOG daemon.info, length: 107
17:03:47.521615 IP aspsyslog. > 10.140.130.20: ICMP host aspsyslog. unreachable - admin prohibited, length 143
17:03:47.521907 IP aspsyslog.filenet-cm > neo.domain: 57020+ PTR? 20.130.140.10.in-addr.arpa. (44)
17:03:47.522331 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
17:03:47.522504 IP neo.domain > aspsyslog.filenet-cm: 57020 NXDomain* 0/1/0 (132)
17:03:47.523087 IP aspsyslog.ssh > nim.42783: P 49264:50416(1152) ack 97 win 53 <nop,nop,timestamp 93630203 1310858341>
17:03:47.523574 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166
17:03:47.549950 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
17:03:47.549973 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
17:03:47.552109 IP 10.73.34.45.32822 > aspsyslog.syslog: SYSLOG daemon.info, length: 109
17:03:47.552136 IP aspsyslog. > 10.73.34.45: ICMP host aspsyslog. unreachable - admin prohibited, length 145
17:03:47.552410 IP aspsyslog.filenet-cm > neo.domain: 41657+ PTR? 45.34.73.10.in-addr.arpa. (42)
17:03:47.552852 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
17:03:47.553052 IP neo.domain > aspsyslog.filenet-cm: 41657 NXDomain* 0/1/0 (128)
17:03:47.553576 IP aspsyslog.ssh > nim.42783: P 50416:51392(976) ack 97 win 53 <nop,nop,timestamp 93630233 1310858341>
17:03:47.554127 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166
17:03:47.558864 IP 10.140.141.8.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 177
17:03:47.558998 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 188
17:03:47.559027 IP aspsyslog. > 10.140.141.9: ICMP host aspsyslog. unreachable - admin prohibited, length 224
17:03:47.559031 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 188
17:03:47.595714 IP axprod20.filenet-rpc > aspsyslog.syslog: SYSLOG daemon.info, length: 108
17:03:47.595820 arp who-has axprod20. tell aspsyslog.
17:03:47.596053 IP aspsyslog.filenet-cm > neo.domain: 65192+ PTR? 25.130.140.10.in-addr.arpa. (44)
17:03:47.596226 IP aspsyslog. > axprod20.: ICMP host aspsyslog. unreachable - admin prohibited, length 144
17:03:47.596434 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
17:03:47.596540 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
17:03:47.596549 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 86
On Wed, Nov 17, 2010 at 5:02 PM, Worsham, Michael <mworsham@scires.com> wrote:
Try running the syslog-ng application in debug mode: "syslog-ng -d -v" and see what the output is to the screen for the UDP connection and destination attempts.
From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of keshava V
Sent: Wednesday, November 17, 2010 5:59 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Syslog-ng not receiving messages
Messages from the kernel and from syslog-ng are being written to the destination file, but not the ones coming in on udp 514, as seen below.
[root@aspsyslog ~]# ls -ltr /var/log/messages_syslog-ng.log
-rw-r--r-- 1 root root 24645 2010-11-17 15:32 /var/log/messages_syslog-ng.log
Nov 17 14:28:55 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;
Nov 17 14:29:40 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;
Nov 17 14:30:09 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;
Nov 17 14:36:33 s_all@aspsyslog syslog-ng[4460]: Termination requested via signal, terminating;
Nov 17 14:36:33 s_all@aspsyslog syslog-ng[4460]: syslog-ng shutting down; version='3.1.2'
Nov 17 14:36:40 s_all@aspsyslog syslog-ng[8051]: syslog-ng starting up; version='3.1.2'
Nov 17 14:40:49 s_all@aspsyslog syslog-ng[8051]: Configuration reload request received, reloading configuration;
Nov 17 14:47:07 s_all@aspsyslog syslog-ng[8051]: Termination requested via signal, terminating;
Nov 17 14:47:07 s_all@aspsyslog syslog-ng[8051]: syslog-ng shutting down; version='3.1.2'
Nov 17 14:55:43 s_all@aspsyslog kernel: device eth0 entered promiscuous mode
Nov 17 14:56:09 s_all@aspsyslog kernel: device eth0 left promiscuous mode
Nov 17 14:58:04 s_all@aspsyslog kernel: device eth0 entered promiscuous mode
Nov 17 14:58:11 s_all@aspsyslog kernel: device eth0 left promiscuous mode
On Wed, Nov 17, 2010 at 4:29 PM, Martin Holste <mcholste@gmail.com> wrote:
Hm, maybe a permissions issue with writing? Try putting in /tmp/somefile as the destination and see if that works. Also, you should verify that messages are in fact arriving on the server using tcpdump.
On Wed, Nov 17, 2010 at 3:44 PM, keshava Veerabhadraiah <mv.keshava@gmail.com> wrote:
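The 17:03:47 capture posted in this thread contains lines where aspsyslog itself answers several senders with "ICMP host ... unreachable - admin prohibited"; that error is what a host's own packet filter (an iptables REJECT rule, for instance) sends back, and tcpdump sees packets on the interface before that filter runs, so a datagram appearing in tcpdump has not necessarily reached syslog-ng. The script below is an added example (not code from the thread or from syslog-ng) that parses capture lines in the posted format and lists the senders that were rejected; it assumes tcpdump's default text output and uses sample lines copied from the posted capture.

```python
"""Flag syslog senders rejected by the capture host's own packet filter.

Added example for this thread, not code from the thread or from syslog-ng.
Parses tcpdump's default text output and reports, per sender, how many syslog
datagrams were seen and whether the capture host answered with "ICMP host ...
unreachable - admin prohibited", the error a host packet filter (an iptables
REJECT rule, for example) sends back.  tcpdump sees packets on the interface
before that filter runs, so a datagram in a capture has not necessarily
reached syslog-ng.
"""
import re
from collections import Counter

# A syslog datagram as tcpdump prints it, e.g.
# 17:03:47.496324 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"SYSLOG (?P<facility>\w+)\.(?P<severity>\w+), length: (?P<length>\d+)$"
)
# The ICMP error the capture host sends back, e.g.
# 17:03:47.521615 IP aspsyslog. > 10.140.130.20: ICMP host aspsyslog. unreachable - admin prohibited, length 143
REJECT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<host>\S+) > (?P<peer>\S+): "
    r"ICMP host \S+ unreachable - admin prohibited, length (?P<length>\d+)$"
)


def strip_port(endpoint):
    """'10.140.141.6.syslog' -> '10.140.141.6'; 'axprod20.filenet-rpc' -> 'axprod20'."""
    return endpoint.rsplit(".", 1)[0]


def analyse(lines):
    """Per-sender summary: {sender: {"datagrams", "severities", "rejected"}}.

    A sender is marked rejected when the capture host answered it with the
    admin-prohibited ICMP error at least once.  Linux rate-limits ICMP errors,
    so a sender with no such error is not thereby proven to have been accepted.
    """
    stats = {}

    def entry(sender):
        return stats.setdefault(
            sender, {"datagrams": 0, "severities": Counter(), "rejected": False}
        )

    for raw in lines:
        line = raw.strip()
        m = SYSLOG_RE.match(line)
        if m:
            e = entry(strip_port(m.group("src")))
            e["datagrams"] += 1
            e["severities"][m.group("severity")] += 1
            continue
        m = REJECT_RE.match(line)
        if m:
            # ICMP carries no port, so the peer is the bare host; names in the
            # posted capture carry a trailing dot, which is stripped here.
            entry(m.group("peer").rstrip("."))["rejected"] = True
    return stats


def rejected_senders(lines):
    """Senders whose syslog datagrams the capture host rejected."""
    return sorted(s for s, e in analyse(lines).items() if e["rejected"])


def report(lines):
    """Human-readable summary, one line per sender."""
    out = []
    for sender, e in sorted(analyse(lines).items()):
        state = "REJECTED by host packet filter" if e["rejected"] else "no rejection seen"
        sev = ", ".join(f"{k}={v}" for k, v in sorted(e["severities"].items()))
        out.append(f"{sender}: {e['datagrams']} datagram(s) [{sev}] - {state}")
    return out


# Sample lines copied from the 17:03:47 capture posted in this thread.
SAMPLE = """\
17:03:47.496324 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
17:03:47.496373 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
17:03:47.506126 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 86
17:03:47.521584 IP 10.140.130.20.filenet-pa > aspsyslog.syslog: SYSLOG daemon.info, length: 107
17:03:47.521615 IP aspsyslog. > 10.140.130.20: ICMP host aspsyslog. unreachable - admin prohibited, length 143
17:03:47.523087 IP aspsyslog.ssh > nim.42783: P 49264:50416(1152) ack 97 win 53 <nop,nop,timestamp 93630203 1310858341>
17:03:47.552109 IP 10.73.34.45.32822 > aspsyslog.syslog: SYSLOG daemon.info, length: 109
17:03:47.552136 IP aspsyslog. > 10.73.34.45: ICMP host aspsyslog. unreachable - admin prohibited, length 145
17:03:47.558998 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 188
17:03:47.559027 IP aspsyslog. > 10.140.141.9: ICMP host aspsyslog. unreachable - admin prohibited, length 224
17:03:47.595714 IP axprod20.filenet-rpc > aspsyslog.syslog: SYSLOG daemon.info, length: 108
17:03:47.596226 IP aspsyslog. > axprod20.: ICMP host aspsyslog. unreachable - admin prohibited, length 144
"""

if __name__ == "__main__":
    for line in report(SAMPLE.splitlines()):
        print(line)
```

Run it against a fuller capture (`tcpdump -n -i eth0 port 514 | python3 this_script.py` style piping is not built in; feed the saved text to `report()`) and compare the rejected list with the hosts missing from the destination file.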
I am receiving messages on udp port 514 and nothing on tcp 514.
17:15:50.816216 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 88
17:15:50.819013 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 191
17:15:50.817631 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
17:15:50.820751 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166
17:15:50.837713 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.alert, length: 126
17:15:50.837730 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.alert, length: 126
17:15:50.898519 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 181
17:15:50.903282 IP 10.41.42.254.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 112
I am running syslog-ng in debug mode and this is what is being sent to stdout:
[root@aspsyslog ~]# /opt/syslog-ng/sbin/syslog-ng -d -v
Running application hooks; hook='1'
Running application hooks; hook='3'
syslog-ng starting up; version='3.1.2'
Incoming log entry; line='<6>device eth0 entered promiscuous mode'
Initializing destination file writer; template='/var/log/messages_syslog-ng.log', filename='/var/log/messages_syslog-ng.log'
Incoming log entry; line='<6>device eth0 left promiscuous mode'
Incoming log entry; line='<6>device eth0 entered promiscuous mode'
Incoming log entry; line='<6>device eth0 left promiscuous mode'
Incoming log entry; line='<6>device eth0 entered promiscuous mode'
On Wed, Nov 17, 2010 at 5:14 PM, keshava V <mv.keshava@gmail.com> wrote:
Further, I have tried setting the kernel parameters, without any luck:
[root@aspsyslog ~]# sysctl -w net.core.rmem_max=8388608
[root@aspsyslog ~]# sysctl -w net.core.rmem_default=1048576
On Wed, Nov 17, 2010 at 5:19 PM, keshava V <mv.keshava@gmail.com> wrote:
I am receiving messages on udp port 514 and nothing on tcp 514.
17:15:50.816216 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 88 17:15:50.819013 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 191 17:15:50.817631 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182 17:15:50.820751 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166 17:15:50.837713 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.alert, length: 126 17:15:50.837730 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.alert, length: 126 17:15:50.898519 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 181 17:15:50.903282 IP 10.41.42.254.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 112
I am running syslog-ng in debug mode and this is what is being sent to stdout
[root@aspsyslog ~]# /opt/syslog-ng/sbin/syslog-ng -d -v Running application hooks; hook='1' Running application hooks; hook='3'
syslog-ng starting up; version='3.1.2' Incoming log entry; line='<6>device eth0 entered promiscuous mode' Initializing destination file writer; template='/var/log/messages_syslog-ng.log', filename='/var/log/messages_syslog-ng.log' Incoming log entry; line='<6>device eth0 left promiscuous mode' Incoming log entry; line='<6>device eth0 entered promiscuous mode' Incoming log entry; line='<6>device eth0 left promiscuous mode' Incoming log entry; line='<6>device eth0 entered promiscuous mode'
On Wed, Nov 17, 2010 at 5:14 PM, keshava V <mv.keshava@gmail.com> wrote:
We had a old syslog-ng server which was completely configured and working fine which died. I am using the same IP address so I can confidently say that firewall is open and all the messages are arriving at the new server. syslog is writing messages to the destination but the messages coming on udp/tcp 514. I am trying to get it to write to one file and if that works then to filter all the messages later by host.
I have attached the tcpdump output here and see info, debug messages making it to this server
17:03:47.495842 IP aspsyslog.filenet-cm > neo.domain: 32289+ PTR? 41.34.73.10.in-addr.arpa. (42) 17:03:47.496324 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182 17:03:47.496373 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164 17:03:47.496395 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164 17:03:47.496530 IP neo.domain > aspsyslog.filenet-cm: 32289 NXDomain* 0/1/0 (128) 17:03:47.497113 IP aspsyslog.ssh > nim.42783: P 48256:49264(1008) ack 97 win 53 <nop,nop,timestamp 93630177 1310858340> 17:03:47.497603 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166 17:03:47.497635 IP nim.42783 > aspsyslog.ssh: . ack 49264 win 32761 <nop,nop,timestamp 1310858341 93630124> 17:03:47.506126 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 86 17:03:47.506169 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 189 17:03:47.521584 IP 10.140.130.20.filenet-pa > aspsyslog.syslog: SYSLOG daemon.info, length: 107 17:03:47.521615 IP aspsyslog. > 10.140.130.20: ICMP host aspsyslog. unreachable - admin prohibited, length 143 17:03:47.521907 IP aspsyslog.filenet-cm > neo.domain: 57020+ PTR? 20.130.140.10.in-addr.arpa. (44) 17:03:47.522331 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182 17:03:47.522504 IP neo.domain > aspsyslog.filenet-cm: 57020 NXDomain* 0/1/0 (132) 17:03:47.523087 IP aspsyslog.ssh > nim.42783: P 49264:50416(1152) ack 97 win 53 <nop,nop,timestamp 93630203 1310858341> 17:03:47.523574 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166 17:03:47.549950 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164 17:03:47.549973 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164 17:03:47.552109 IP 10.73.34.45.32822 > aspsyslog.syslog: SYSLOG daemon.info, length: 109 17:03:47.552136 IP aspsyslog. > 10.73.34.45: ICMP host aspsyslog. 
unreachable - admin prohibited, length 145 17:03:47.552410 IP aspsyslog.filenet-cm > neo.domain: 41657+ PTR? 45.34.73.10.in-addr.arpa. (42) 17:03:47.552852 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182 17:03:47.553052 IP neo.domain > aspsyslog.filenet-cm: 41657 NXDomain* 0/1/0 (128) 17:03:47.553576 IP aspsyslog.ssh > nim.42783: P 50416:51392(976) ack 97 win 53 <nop,nop,timestamp 93630233 1310858341> 17:03:47.554127 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166 17:03:47.558864 IP 10.140.141.8.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 177 17:03:47.558998 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 188 17:03:47.559027 IP aspsyslog. > 10.140.141.9: ICMP host aspsyslog. unreachable - admin prohibited, length 224 17:03:47.559031 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 188 17:03:47.595714 IP axprod20.filenet-rpc > aspsyslog.syslog: SYSLOG daemon.info, length: 108 17:03:47.595820 arp who-has axprod20. tell aspsyslog. 17:03:47.596053 IP aspsyslog.filenet-cm > neo.domain: 65192+ PTR? 25.130.140.10.in-addr.arpa. (44) 17:03:47.596226 IP aspsyslog. > axprod20.: ICMP host aspsyslog. unreachable - admin prohibited, length 144 17:03:47.596434 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182 17:03:47.596540 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164 17:03:47.596549 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 86
On Wed, Nov 17, 2010 at 5:02 PM, Worsham, Michael <mworsham@scires.com>wrote:
Try running the syslog-ng application in debug mode: “syslog-ng –d –v” and see what the output is to the screen for the UDP connection and destination attempts.
*From:* syslog-ng-bounces@lists.balabit.hu [mailto: syslog-ng-bounces@lists.balabit.hu] *On Behalf Of *keshava V *Sent:* Wednesday, November 17, 2010 5:59 PM *To:* Syslog-ng users' and developers' mailing list *Subject:* Re: [syslog-ng] Syslog-ng not receiving messages
Messages from kernel, syslog-ng are being written but not the ones coming on udp 514 to the destination file as seen below.
[root@aspsyslog ~]# ls -ltr /var/log/messages_syslog-ng.log -rw-r--r-- 1 root root 24645 2010-11-17 15:32 /var/log/messages_syslog-ng.log
Nov 17 14:28:55 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration; Nov 17 14:29:40 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration; Nov 17 14:30:09 s_all@aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration; Nov 17 14:36:33 s_all@aspsyslog syslog-ng[4460]: Termination requested via signal, terminating; Nov 17 14:36:33 s_all@aspsyslog syslog-ng[4460]: syslog-ng shutting down; version='3.1.2' Nov 17 14:36:40 s_all@aspsyslog syslog-ng[8051]: syslog-ng starting up; version='3.1.2' Nov 17 14:40:49 s_all@aspsyslog syslog-ng[8051]: Configuration reload request received, reloading configuration; Nov 17 14:47:07 s_all@aspsyslog syslog-ng[8051]: Termination requested via signal, terminating; Nov 17 14:47:07 s_all@aspsyslog syslog-ng[8051]: syslog-ng shutting down; version='3.1.2' Nov 17 14:55:43 s_all@aspsyslog kernel: device eth0 entered promiscuous mode Nov 17 14:56:09 s_all@aspsyslog kernel: device eth0 left promiscuous mode Nov 17 14:58:04 s_all@aspsyslog kernel: device eth0 entered promiscuous mode Nov 17 14:58:11 s_all@aspsyslog kernel: device eth0 left promiscuous mode
On Wed, Nov 17, 2010 at 4:29 PM, Martin Holste <mcholste@gmail.com> wrote:
Hm, maybe a permissions issue with writing? Try putting in /tmp/somefile as the destination and see if that works. Also, you should verify that messages are in fact arriving on the server using tcpdump.
On Wed, Nov 17, 2010 at 3:44 PM, keshava Veerabhadraiah <mv.keshava@gmail.com> wrote:
[SNIP]
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
There isn't something already listening on udp 514 is there?

netstat -upnl | grep ":514"

Sent: Wed Nov 17 2010 16:23:44 GMT-0700 (Mountain Standard Time)
From: keshava V <mv.keshava@gmail.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslog-ng not receiving messages

Further, I have tried setting the kernel parameters without any luck

[root@aspsyslog ~]# sysctl -w net.core.rmem_max=8388608
[root@aspsyslog ~]# sysctl -w net.core.rmem_default=1048576

[SNIP]
syslog-ng is using 514 as expected.

[root@aspsyslog ~]# netstat -upnl | grep ":514"
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               8789/syslog-ng

Thanks

On Wed, Nov 17, 2010 at 5:27 PM, Patrick H. <syslogng@feystorm.net> wrote:
[SNIP]
Ok, let's see if the problem is before it gets to syslog-ng or after. Shut syslog-ng down and do 'nc -u -l 514' and see if it gets anything. That'll dump out all traffic received. If it gets it, the problem is syslog-ng; if it doesn't get it, the traffic is getting blocked somehow.

Sent: Wed Nov 17 2010 16:30:12 GMT-0700 (Mountain Standard Time)
From: keshava V <mv.keshava@gmail.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslog-ng not receiving messages
[SNIP]
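The check Patrick describes, bind a socket and see whether a datagram actually reaches it, written out as an added Python example (my code, not code from the thread; `nc -u -l 514` does the same in one line). It also decodes the PRI field, so what the socket received can be compared with the `local4.warning` / `local4.info` labels tcpdump prints. Assumptions of mine: IPv4 only, the test message is a constructed RFC 3164 line shaped like the thread's traffic, and the facility names for codes 12 to 15 follow syslog-ng's naming.

```python
"""Socket-level receive check for a UDP syslog listener, plus PRI decoding.

Added example; not code from the thread. It does in Python what
'nc -u -l 514' does: bind a UDP socket and wait for a datagram. tcpdump
copies frames before netfilter runs, so only a bound socket that actually
receives proves delivery at L4. Facility names 12-15 follow syslog-ng.
"""
import socket
import sys

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """PRI = facility * 8 + severity; tcpdump shows it as e.g. 'local4.warning'."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def encode_pri(facility, severity):
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def build_message(facility, severity, timestamp, host, tag, msg):
    """One RFC 3164 (BSD syslog) datagram: '<PRI>TIMESTAMP HOST TAG: MSG'."""
    return ("<%d>%s %s %s: %s" % (encode_pri(facility, severity),
                                   timestamp, host, tag, msg)).encode()


def parse_message(datagram):
    """Return (facility, severity, rest) for a raw datagram, or raise ValueError."""
    text = datagram.decode("utf-8", "replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("no <PRI> header")
    end = text.index(">")
    facility, severity = decode_pri(int(text[1:end]))
    return facility, severity, text[end + 1:]


def listen_once(port, bind_addr="0.0.0.0", timeout=10.0):
    """The 'nc -u -l PORT' step: bind and wait for one datagram.
    Returns (data, (src_ip, src_port)) or None on timeout. Run it with
    syslog-ng stopped (port 514 needs root) while a sender is transmitting;
    None here, with the packets still visible in tcpdump, means netfilter
    or another process is eating them before the socket."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.settimeout(timeout)
    try:
        rx.bind((bind_addr, port))
        return rx.recvfrom(65535)
    except socket.timeout:
        return None
    finally:
        rx.close()


def loopback_roundtrip(datagram, timeout=2.0):
    """Self-test on 127.0.0.1 with an ephemeral port: proves only that the
    parser and the local socket path work. Loopback usually has its own
    ACCEPT rule, so this does NOT reproduce a block on the real interface."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(timeout)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(datagram, rx.getsockname())
        data, _ = rx.recvfrom(65535)
        return data
    except socket.timeout:
        return None
    finally:
        tx.close()
        rx.close()


if __name__ == "__main__":
    # Constructed sample shaped like the thread's tcpdump lines (local4.warning).
    sample = build_message("local4", "warning", "Nov 17 15:09:55",
                           "10.140.141.6", "app", "constructed test message")
    if len(sys.argv) > 1:                       # e.g. sudo python3 this.py 514
        got = listen_once(int(sys.argv[1]))
        print("nothing reached the socket" if got is None
              else "from %s: %s" % (got[1], parse_message(got[0])))
    else:
        print(parse_message(loopback_roundtrip(sample)))
```

Run it as root with `514` as the argument while syslog-ng is stopped and the hosts are sending; `None` from `listen_once()` while tcpdump still shows the packets is the same evidence keshava got from nc. Without an argument it only sends to itself over loopback, which exercises the parser and the port, not the firewall path: loopback traffic normally hits a separate ACCEPT rule, so a working self-test says nothing about packets arriving on eth0.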
Looks like it is getting blocked somewhere as you thought. How come tcpdump output is seeing all the udp syslog-ng messages?

[root@aspsyslog ~]# /etc/init.d/syslog-ng start
Starting syslog-ng:                                        [  OK  ]
[root@aspsyslog ~]# /etc/init.d/syslog-ng stop
Stopping syslog-ng:                                        [  OK  ]
[root@aspsyslog ~]# nc -u -l 514

getting nothing...!

On Wed, Nov 17, 2010 at 5:34 PM, Patrick H. <syslogng@feystorm.net> wrote:
[SNIP]
Do you have any iptables rules?

`iptables -nvL`
`iptables -nvL -t nat`
`iptables -nvL -t mangle`

About the only thing I can think of off the top of my head. There might be some sysctl option to disable UDP, but I don't know it, if it does exist.

Sent: Wed Nov 17 2010 16:39:57 GMT-0700 (Mountain Standard Time)
From: keshava V <mv.keshava@gmail.com>
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Syslog-ng not receiving messages
[SNIP]
That's it. It is iptables. The moment I stopped iptables I see the syslog messages written to the file. Now I can work on segregating them based on the host IP the messages are coming from.

Thanks all for your help with this.

On Wed, Nov 17, 2010 at 5:42 PM, Patrick H. <syslogng@feystorm.net> wrote:
[SNIP]
There is a very simple reason for this problem.

AF_PACKET / BPF / libpcap / tcpdump / *shark get their packet copies at L2. This way you can see non-IP traffic, loopback traffic, and other special stuff you would need.

But iptables processes packets at L3. Thus none of these packet dump tools prove the datagrams are really received at L4 or L7. For this you need an L3 / L4 / L7 tool like hping* or a version of netcat.

In general, think carefully about how the stack works when you are trying to find missing packets.

Good Luck,
Matthew.

On Wed, Nov 17, 2010 at 05:47:09PM -0600, keshava V wrote:
[SNIP]
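Patrick's `iptables -nvL` question and Matthew's point that tcpdump copies frames before netfilter sees them come together in the following added Python example (mine, not code from the thread): it parses an `iptables -nvL` listing and walks the INPUT path the way netfilter does for one UDP datagram to port 514, so you can see which rule decides before touching the box, and what changes once an ACCEPT rule is inserted above the catch-all. The listing embedded in it is constructed to resemble a stock RHEL 5 firewall (INPUT jumping to RH-Firewall-1-INPUT, which ends in a REJECT); it is not keshava's real ruleset, the server address 10.140.141.20 is assumed, and the walker models only the matches such listings contain (protocol, in-interface, source and destination, `dpt:`, `state`), not the nat or mangle tables.

```python
"""Walk an 'iptables -nvL' listing the way netfilter evaluates the INPUT path.

Added example, not code from the thread. SAMPLE_LISTING is constructed to look
like a stock RHEL 5 firewall (NOT the thread's real rules); the server address
10.140.141.20 is assumed. Modelled: prot, in-interface, source/destination,
'<proto> dpt:N', 'state ...' (a fresh datagram is NEW), ACCEPT/DROP/REJECT/RETURN
and jumps to user-defined chains; other targets (LOG, ...) do not terminate.
"""
import ipaddress
import re

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8812  1.2M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain RH-Firewall-1-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  412 31000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   20  1680 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
 7001  1.1M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   15   900 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 1364  201K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_listing(text):
    """{chain: {"policy": name or None, "rules": [rule dicts in order]}}"""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        cols = line.split()
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue  # blank line or the column header
        current["rules"].append({
            "target": cols[2], "prot": cols[3], "in": cols[5],
            "src": ipaddress.ip_network(cols[7]), "dst": ipaddress.ip_network(cols[8]),
            "extra": " ".join(cols[9:]), "text": line.strip()})
    return chains


def make_packet(proto, src, dst, dport, iface="eth0"):
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport, "iface": iface}


def rule_matches(rule, pkt):
    if rule["prot"] not in ("all", pkt["proto"]) or rule["in"] not in ("*", pkt["iface"]):
        return False
    if pkt["src"] not in rule["src"] or pkt["dst"] not in rule["dst"]:
        return False
    m = re.search(r"\b(udp|tcp) dpt:(\d+)", rule["extra"])
    if m and (m.group(1) != pkt["proto"] or int(m.group(2)) != pkt["dport"]):
        return False
    m = re.search(r"\bstate (\S+)", rule["extra"])
    if m and "NEW" not in m.group(1).split(","):
        return False  # RELATED,ESTABLISHED never matches an unsolicited datagram
    return True


def verdict(chains, pkt, chain="INPUT"):
    """(target, chain, rule_no, text) of the deciding rule; rule_no None = policy."""
    entry = chains[chain]
    for no, rule in enumerate(entry["rules"], 1):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, chain, no, rule["text"]
        if target == "RETURN":
            break
        if target in chains:  # jump; keep walking here if the chain falls through
            result = verdict(chains, pkt, target)
            if result is not None:
                return result
    return (entry["policy"], chain, None, None) if entry["policy"] else None


def insert_rule(chains, chain, position, target, proto, src, dport):
    """Model 'iptables -I CHAIN POSITION -p PROTO -s SRC --dport DPORT -j TARGET'."""
    chains[chain]["rules"].insert(position - 1, {
        "target": target, "prot": proto, "in": "*",
        "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network("0.0.0.0/0"),
        "extra": "%s dpt:%d" % (proto, dport),
        "text": "(inserted) %s %s -s %s --dport %d" % (target, proto, src, dport)})


def check_fix(listing, src_net="10.140.141.0/24"):
    """Verdicts for syslog from 10.140.141.6 before/after an ACCEPT rule is
    inserted above the catch-all REJECT (rule 5 in the sample chain)."""
    chains = parse_listing(listing)
    udp = make_packet("udp", "10.140.141.6", "10.140.141.20", 514)
    tcp = make_packet("tcp", "10.140.141.6", "10.140.141.20", 514)
    before = verdict(chains, udp)
    insert_rule(chains, "RH-Firewall-1-INPUT", 5, "ACCEPT", "udp", src_net, 514)
    return {"before": before, "after_udp": verdict(chains, udp), "after_tcp": verdict(chains, tcp)}


if __name__ == "__main__":
    for name, v in check_fix(SAMPLE_LISTING).items():
        print("%-9s %s" % (name, v))
```

The `before` verdict is the REJECT at the end of the chain, which is exactly why the loopback-only self-test and tcpdump both look fine while nc sees nothing. The `after_udp` verdict shows why the fix has to land above that rule (`iptables -I RH-Firewall-1-INPUT 5 ...` rather than `-A`), and `after_tcp` shows that the `tcp()` source in keshava's config needs its own rule. Restricting the source to the senders' subnet rather than 0.0.0.0/0 keeps port 514 closed to everyone else; stopping iptables, as keshava did, is a fine way to confirm the diagnosis but not a fix. On the real host, confirm which rule the packets hit with the counters in `iptables -nvL` (zero them with `iptables -Z` first).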
Thanks for explaining how the different tools are used at different layers of the TCP/IP stack to debug the packet trace.

On Wed, Nov 17, 2010 at 7:02 PM, Matthew Hall <mhall@mhcomputing.net> wrote:
[SNIP]
participants (7)
- Clayton Dukes
- keshava V
- keshava Veerabhadraiah
- Martin Holste
- Matthew Hall
- Patrick H.
- Worsham, Michael