Hello, So I have made the change to my config and sent test messages which will be sent to /var/log/messages but I haven't seen anything in my graylog host. I have done netcat and telnet to make sure the syslog-ng server can connect to graylog server using 12201. I have used syslog-ng -Fevd to see what is happening and it says loading config from syslog-ng and connection established. # syslog-ng -Fevd Starting to read include file; filename='/etc/syslog-ng/scl.conf', depth='1' Global value changed; define='scl-root', value='/usr/share/syslog-ng/include/scl' Global value changed; define='include-path', value='/etc/syslog-ng:/usr/share/syslog-ng/include' Starting to read include file; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' Module loaded and initialized successfully; module='system-source' Finishing include; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2' Starting to read include file; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' Reading path for candidate modules; path='//usr/lib64/syslog-ng' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='affile.so', module='affile' Registering candidate plugin; module='affile', context='source', name='file', preference='0' Registering candidate plugin; module='affile', context='source', name='pipe', preference='0' Registering candidate plugin; module='affile', context='destination', name='file', preference='0' Registering candidate plugin; module='affile', context='destination', name='pipe', preference='0' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='afprog.so', module='afprog' Registering candidate plugin; module='afprog', context='source', name='program', preference='0' Registering candidate plugin; module='afprog', context='destination', name='program', preference='0' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='afsocket-notls.so', module='afsocket-notls' Registering candidate plugin; module='afsocket-notls', context='source', name='unix-stream', preference='0' Registering candidate plugin; module='afsocket-notls', context='destination', name='unix-stream', preference='0' Registering candidate plugin; module='afsocket-notls', context='source', name='unix-dgram', preference='0' Registering candidate plugin; module='afsocket-notls', context='destination', name='unix-dgram', preference='0' Registering candidate plugin; module='afsocket-notls', context='source', name='tcp', preference='0' Registering candidate plugin; module='afsocket-notls', context='destination', name='tcp', preference='0' Registering candidate plugin; module='afsocket-notls', context='source', name='tcp6', preference='0' Registering candidate plugin; module='afsocket-notls', context='destination', name='tcp6', preference='0' Registering candidate plugin; module='afsocket-notls', context='source', name='udp', preference='0' Registering candidate plugin; module='afsocket-notls', context='destination', name='udp', preference='0' Registering candidate plugin; module='afsocket-notls', context='source', name='udp6', preference='0' Registering candidate plugin; module='afsocket-notls', context='destination', name='udp6', preference='0' Registering candidate plugin; module='afsocket-notls', context='source', name='syslog', preference='0' Registering candidate plugin; module='afsocket-notls', context='destination', name='syslog', preference='0' Registering candidate plugin; module='afsocket-notls', context='source', name='network', preference='0' Registering candidate plugin; module='afsocket-notls', context='destination', name='network', preference='0' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='afsocket-tls.so', module='afsocket-tls' Registering candidate plugin; module='afsocket-tls', context='source', name='unix-stream', preference='100' Registering candidate plugin; module='afsocket-tls', context='destination', name='unix-stream', preference='100' Registering candidate plugin; module='afsocket-tls', context='source', name='unix-dgram', preference='100' Registering candidate plugin; module='afsocket-tls', context='destination', name='unix-dgram', preference='100' Registering candidate plugin; module='afsocket-tls', context='source', name='tcp', preference='100' Registering candidate plugin; module='afsocket-tls', context='destination', name='tcp', preference='100' Registering candidate plugin; module='afsocket-tls', context='source', name='tcp6', preference='100' Registering candidate plugin; module='afsocket-tls', context='destination', name='tcp6', preference='100' Registering candidate plugin; module='afsocket-tls', context='source', name='udp', preference='100' Registering candidate plugin; module='afsocket-tls', context='destination', name='udp', preference='100' Registering candidate plugin; module='afsocket-tls', context='source', name='udp6', preference='100' Registering candidate plugin; module='afsocket-tls', context='destination', name='udp6', preference='100' Registering candidate plugin; module='afsocket-tls', context='source', name='syslog', preference='100' Registering candidate plugin; module='afsocket-tls', context='destination', name='syslog', preference='100' Registering candidate plugin; module='afsocket-tls', context='source', name='network', preference='100' Registering candidate plugin; module='afsocket-tls', context='destination', name='network', preference='100' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='afsocket.so', module='afsocket' Registering candidate plugin; module='afsocket', context='source', name='unix-stream', preference='100' Registering candidate plugin; module='afsocket', context='destination', name='unix-stream', preference='100' Registering candidate plugin; module='afsocket', context='source', name='unix-dgram', preference='100' Registering candidate plugin; module='afsocket', context='destination', name='unix-dgram', preference='100' Registering candidate plugin; module='afsocket', context='source', name='tcp', preference='100' Registering candidate plugin; module='afsocket', context='destination', name='tcp', preference='100' Registering candidate plugin; module='afsocket', context='source', name='tcp6', preference='100' Registering candidate plugin; module='afsocket', context='destination', name='tcp6', preference='100' Registering candidate plugin; module='afsocket', context='source', name='udp', preference='100' Registering candidate plugin; module='afsocket', context='destination', name='udp', preference='100' Registering candidate plugin; module='afsocket', context='source', name='udp6', preference='100' Registering candidate plugin; module='afsocket', context='destination', name='udp6', preference='100' Registering candidate plugin; module='afsocket', context='source', name='syslog', preference='100' Registering candidate plugin; module='afsocket', context='destination', name='syslog', preference='100' Registering candidate plugin; module='afsocket', context='source', name='network', preference='100' Registering candidate plugin; module='afsocket', context='destination', name='network', preference='100' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='afstomp.so', module='afstomp' Registering candidate plugin; module='afstomp', context='destination', name='stomp', preference='0' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='afuser.so', module='afuser' Registering candidate plugin; module='afuser', context='destination', name='usertty', preference='0' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='basicfuncs.so', module='basicfuncs' Registering candidate plugin; module='basicfuncs', context='template-func', name='grep', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='if', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='echo', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='length', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='substr', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='strip', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='sanitize', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='lowercase', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='uppercase', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='replace-delimiter', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='+', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='-', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='*', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='/', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='%', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='ipv4-to-int', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='indent-multi-line', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='context-length', preference='0' Registering candidate plugin; module='basicfuncs', context='template-func', name='env', preference='0' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='confgen.so', module='confgen' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='cryptofuncs.so', module='cryptofuncs' Registering candidate plugin; module='cryptofuncs', context='template-func', name='uuid', preference='0' Registering candidate plugin; module='cryptofuncs', context='template-func', name='hash', preference='0' Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha1', preference='0' Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha256', preference='0' Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha512', preference='0' Registering candidate plugin; module='cryptofuncs', context='template-func', name='md4', preference='0' Registering candidate plugin; module='cryptofuncs', context='template-func', name='md5', preference='0' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='csvparser.so', module='csvparser' Registering candidate plugin; module='csvparser', context='parser', name='csv-parser', preference='0' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='dbparser.so', module='dbparser' Registering candidate plugin; module='dbparser', context='parser', name='db-parser', preference='0' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='linux-kmsg-format.so', module='linux-kmsg-format' Registering candidate plugin; module='linux-kmsg-format', context='format', name='linux-kmsg', preference='0' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='syslogformat.so', module='syslogformat' Registering candidate plugin; module='syslogformat', context='format', name='syslog', preference='0' Registering candidate plugin; module='syslogformat', context='parser', name='syslog-parser', preference='0' Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='system-source.so', module='system-source' Finishing include; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2' Starting to read include file; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' Module loaded and initialized successfully; module='confgen' Finishing include; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2' Finishing include; filename='/etc/syslog-ng/scl.conf', depth='1' Module loaded and initialized successfully; module='afsocket-tls' Module loaded and initialized successfully; module='affile' Finishing include; content='source confgen system', depth='1' Module loaded and initialized successfully; module='afuser' Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling s_sys sequence [source] at [/etc/syslog-ng/syslog-ng.conf:2] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:2] Compiling #unnamed single [log] at [#buffer:1:1] Compiling #unnamed single [log] at [#buffer:2:1] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:2] Compiling f_kernel reference [filter] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling f_kernel sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:5] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:5] Compiling d_cons reference [destination] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling d_cons sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling f_kernel reference [filter] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling f_kernel sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:5] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:5] Compiling d_kern reference [destination] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling d_kern sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_default reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_default sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:5] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:5] Compiling d_mesg reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling d_mesg sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_auth reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_auth sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:5] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:5] Compiling d_auth reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling d_auth sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_mail reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_mail sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling d_mail reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling d_mail sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_emergency reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_emergency sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling d_mlal reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling d_mlal sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_news reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_news sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling d_spol reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling d_spol sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_boot reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_boot sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling d_boot reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling d_boot sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_cron reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling f_cron sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:6] Compiling d_cron reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7] Compiling d_cron sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:8] Compiling s_net reference [source] at [/etc/syslog-ng/syslog-ng.conf:8] Compiling s_net sequence [source] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:3] Compiling d_graylog reference [destination] at [/etc/syslog-ng/syslog-ng.conf:8] Compiling d_graylog sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4] Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:8] Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:8] Compiling d_graylog reference [destination] at [/etc/syslog-ng/syslog-ng.conf:8] Module loaded and initialized successfully; module='syslogformat' Module loaded and initialized successfully; module='linux-kmsg-format' Running application hooks; hook='1' Running application hooks; hook='3' syslog-ng starting up; version='3.5.6' Syslog connection established; fd='9', server='AF_INET(19.211.45.55:12201)', local='AF_INET(0.0.0.0:0)' Syslog-ng Config @version:3.5 @include "scl.conf" # syslog-ng configuration file. # # This should behave pretty much like the original syslog on RedHat. But # it could be configured a lot smarter. # # See syslog-ng(8) and syslog-ng.conf(5) for more information. # # Note: it also sources additional configuration files (*.conf) # located in /etc/syslog-ng/conf.d/ options { flush_lines (0); time_reopen (10); log_fifo_size (2500000); # chain_hostnames (off); use_dns (no); use_fqdn (no); create_dirs (no); keep_hostname (yes); }; source s_sys { system(); internal(); # udp(ip(0.0.0.0) port(514)); }; source s_net { udp(ip(0.0.0.0) port(514)); #tcp(ip(0.0.0.0) port(514) max-connections(256)); }; destination d_cons { file("/dev/console"); }; destination d_mesg { file("/var/log/messages"); }; destination d_auth { file("/var/log/secure"); }; destination d_mail { file("/var/log/maillog" flush_lines(10)); }; destination d_spol { file("/var/log/spooler"); }; destination d_boot { file("/var/log/boot.log"); }; destination d_cron { file("/var/log/cron"); }; destination d_kern { file("/var/log/kern"); }; destination d_mlal { usertty("*"); }; destination d_graylog { tcp("graylog." port (12201) ); }; filter f_kernel { facility(kern); }; filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); }; filter f_auth { facility(authpriv); }; filter f_mail { facility(mail); }; filter f_emergency { level(emerg); }; filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); }; filter f_boot { facility(local7); }; filter f_cron { facility(cron); }; log { source(s_sys); filter(f_kernel); destination(d_cons); }; log { source(s_sys); filter(f_kernel); destination(d_kern); }; log { source(s_sys); filter(f_default); destination(d_mesg); }; log { source(s_sys); filter(f_auth); destination(d_auth); }; log { source(s_sys); filter(f_mail); destination(d_mail); }; log { source(s_sys); filter(f_emergency); destination(d_mlal); }; log { source(s_sys); filter(f_news); destination(d_spol); }; log { source(s_sys); filter(f_boot); destination(d_boot); }; log { source(s_sys); filter(f_cron); destination(d_cron); }; log { source(s_net); destination(d_graylog); }; log { source(s_sys); destination(d_graylog); }; # Source additional configuration files (.conf extension only) @include "/etc/syslog-ng/conf.d/*.conf" # vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:

I can try that but I echoed a message from the syslog server to the graylog server and that worked On Wed, Nov 7, 2018, 2:52 PM Jim Hendrick <james.r.hendrick@gmail.com wrote:

Have you verified that packets are being sent from the syslog-ng server? And then on the greylog server? I know that sounds basic but it might show something. Jim

On Wed, Nov 7, 2018, 1:40 PM Rodney Bizzell <hardworker30@gmail.com wrote:

...

Hello, So I have made the change to my config and sent test messages which will be sent to /var/log/messages but I haven't seen anything in my graylog host. I have done netcat and telnet to make sure the syslog-ng server can connect to graylog server using 12201. I have used syslog-ng -Fevd to see what is happening and it says loading config from syslog-ng and connection established.

# syslog-ng -Fevd

Starting to read include file; filename='/etc/syslog-ng/scl.conf', depth='1'

Global value changed; define='scl-root', value='/usr/share/syslog-ng/include/scl'

Global value changed; define='include-path', value='/etc/syslog-ng:/usr/share/syslog-ng/include'

Starting to read include file; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2'

Module loaded and initialized successfully; module='system-source'

Finishing include; filename='/usr/share/syslog-ng/include/scl/system/plugin.conf', depth='2'

Starting to read include file; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2'

Reading path for candidate modules; path='//usr/lib64/syslog-ng'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='affile.so', module='affile'

Registering candidate plugin; module='affile', context='source', name='file', preference='0'

Registering candidate plugin; module='affile', context='source', name='pipe', preference='0'

Registering candidate plugin; module='affile', context='destination', name='file', preference='0'

Registering candidate plugin; module='affile', context='destination', name='pipe', preference='0'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='afprog.so', module='afprog'

Registering candidate plugin; module='afprog', context='source', name='program', preference='0'

Registering candidate plugin; module='afprog', context='destination', name='program', preference='0'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='afsocket-notls.so', module='afsocket-notls'

Registering candidate plugin; module='afsocket-notls', context='source', name='unix-stream', preference='0'

Registering candidate plugin; module='afsocket-notls', context='destination', name='unix-stream', preference='0'

Registering candidate plugin; module='afsocket-notls', context='source', name='unix-dgram', preference='0'

Registering candidate plugin; module='afsocket-notls', context='destination', name='unix-dgram', preference='0'

Registering candidate plugin; module='afsocket-notls', context='source', name='tcp', preference='0'

Registering candidate plugin; module='afsocket-notls', context='destination', name='tcp', preference='0'

Registering candidate plugin; module='afsocket-notls', context='source', name='tcp6', preference='0'

Registering candidate plugin; module='afsocket-notls', context='destination', name='tcp6', preference='0'

Registering candidate plugin; module='afsocket-notls', context='source', name='udp', preference='0'

Registering candidate plugin; module='afsocket-notls', context='destination', name='udp', preference='0'

Registering candidate plugin; module='afsocket-notls', context='source', name='udp6', preference='0'

Registering candidate plugin; module='afsocket-notls', context='destination', name='udp6', preference='0'

Registering candidate plugin; module='afsocket-notls', context='source', name='syslog', preference='0'

Registering candidate plugin; module='afsocket-notls', context='destination', name='syslog', preference='0'

Registering candidate plugin; module='afsocket-notls', context='source', name='network', preference='0'

Registering candidate plugin; module='afsocket-notls', context='destination', name='network', preference='0'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='afsocket-tls.so', module='afsocket-tls'

Registering candidate plugin; module='afsocket-tls', context='source', name='unix-stream', preference='100'

Registering candidate plugin; module='afsocket-tls', context='destination', name='unix-stream', preference='100'

Registering candidate plugin; module='afsocket-tls', context='source', name='unix-dgram', preference='100'

Registering candidate plugin; module='afsocket-tls', context='destination', name='unix-dgram', preference='100'

Registering candidate plugin; module='afsocket-tls', context='source', name='tcp', preference='100'

Registering candidate plugin; module='afsocket-tls', context='destination', name='tcp', preference='100'

Registering candidate plugin; module='afsocket-tls', context='source', name='tcp6', preference='100'

Registering candidate plugin; module='afsocket-tls', context='destination', name='tcp6', preference='100'

Registering candidate plugin; module='afsocket-tls', context='source', name='udp', preference='100'

Registering candidate plugin; module='afsocket-tls', context='destination', name='udp', preference='100'

Registering candidate plugin; module='afsocket-tls', context='source', name='udp6', preference='100'

Registering candidate plugin; module='afsocket-tls', context='destination', name='udp6', preference='100'

Registering candidate plugin; module='afsocket-tls', context='source', name='syslog', preference='100'

Registering candidate plugin; module='afsocket-tls', context='destination', name='syslog', preference='100'

Registering candidate plugin; module='afsocket-tls', context='source', name='network', preference='100'

Registering candidate plugin; module='afsocket-tls', context='destination', name='network', preference='100'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='afsocket.so', module='afsocket'

Registering candidate plugin; module='afsocket', context='source', name='unix-stream', preference='100'

Registering candidate plugin; module='afsocket', context='destination', name='unix-stream', preference='100'

Registering candidate plugin; module='afsocket', context='source', name='unix-dgram', preference='100'

Registering candidate plugin; module='afsocket', context='destination', name='unix-dgram', preference='100'

Registering candidate plugin; module='afsocket', context='source', name='tcp', preference='100'

Registering candidate plugin; module='afsocket', context='destination', name='tcp', preference='100'

Registering candidate plugin; module='afsocket', context='source', name='tcp6', preference='100'

Registering candidate plugin; module='afsocket', context='destination', name='tcp6', preference='100'

Registering candidate plugin; module='afsocket', context='source', name='udp', preference='100'

Registering candidate plugin; module='afsocket', context='destination', name='udp', preference='100'

Registering candidate plugin; module='afsocket', context='source', name='udp6', preference='100'

Registering candidate plugin; module='afsocket', context='destination', name='udp6', preference='100'

Registering candidate plugin; module='afsocket', context='source', name='syslog', preference='100'

Registering candidate plugin; module='afsocket', context='destination', name='syslog', preference='100'

Registering candidate plugin; module='afsocket', context='source', name='network', preference='100'

Registering candidate plugin; module='afsocket', context='destination', name='network', preference='100'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='afstomp.so', module='afstomp'

Registering candidate plugin; module='afstomp', context='destination', name='stomp', preference='0'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='afuser.so', module='afuser'

Registering candidate plugin; module='afuser', context='destination', name='usertty', preference='0'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='basicfuncs.so', module='basicfuncs'

Registering candidate plugin; module='basicfuncs', context='template-func', name='grep', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='if', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='echo', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='length', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='substr', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='strip', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='sanitize', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='lowercase', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='uppercase', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='replace-delimiter', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='+', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='-', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='*', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='/', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='%', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='ipv4-to-int', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='indent-multi-line', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='context-length', preference='0'

Registering candidate plugin; module='basicfuncs', context='template-func', name='env', preference='0'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='confgen.so', module='confgen'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='cryptofuncs.so', module='cryptofuncs'

Registering candidate plugin; module='cryptofuncs', context='template-func', name='uuid', preference='0'

Registering candidate plugin; module='cryptofuncs', context='template-func', name='hash', preference='0'

Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha1', preference='0'

Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha256', preference='0'

Registering candidate plugin; module='cryptofuncs', context='template-func', name='sha512', preference='0'

Registering candidate plugin; module='cryptofuncs', context='template-func', name='md4', preference='0'

Registering candidate plugin; module='cryptofuncs', context='template-func', name='md5', preference='0'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='csvparser.so', module='csvparser'

Registering candidate plugin; module='csvparser', context='parser', name='csv-parser', preference='0'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='dbparser.so', module='dbparser'

Registering candidate plugin; module='dbparser', context='parser', name='db-parser', preference='0'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='linux-kmsg-format.so', module='linux-kmsg-format'

Registering candidate plugin; module='linux-kmsg-format', context='format', name='linux-kmsg', preference='0'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='syslogformat.so', module='syslogformat'

Registering candidate plugin; module='syslogformat', context='format', name='syslog', preference='0'

Registering candidate plugin; module='syslogformat', context='parser', name='syslog-parser', preference='0'

Reading shared object for a candidate module; path='//usr/lib64/syslog-ng', fname='system-source.so', module='system-source'

Finishing include; filename='/usr/share/syslog-ng/include/scl/pacct/plugin.conf', depth='2'

Starting to read include file; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2'

Module loaded and initialized successfully; module='confgen'

Finishing include; filename='/usr/share/syslog-ng/include/scl/syslogconf/plugin.conf', depth='2'

Finishing include; filename='/etc/syslog-ng/scl.conf', depth='1'

Module loaded and initialized successfully; module='afsocket-tls'

Module loaded and initialized successfully; module='affile'

Finishing include; content='source confgen system', depth='1'

Module loaded and initialized successfully; module='afuser'

Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling s_sys sequence [source] at [/etc/syslog-ng/syslog-ng.conf:2]

Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:2]

Compiling #unnamed single [log] at [#buffer:1:1]

Compiling #unnamed single [log] at [#buffer:2:1]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:2]

Compiling f_kernel reference [filter] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling f_kernel sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:5]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:5]

Compiling d_cons reference [destination] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling d_cons sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling f_kernel reference [filter] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling f_kernel sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:5]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:5]

Compiling d_kern reference [destination] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling d_kern sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_default reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_default sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:5]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:5]

Compiling d_mesg reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling d_mesg sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_auth reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_auth sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:5]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:5]

Compiling d_auth reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling d_auth sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_mail reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_mail sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling d_mail reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling d_mail sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_emergency reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_emergency sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling d_mlal reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling d_mlal sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_news reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_news sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling d_spol reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling d_spol sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_boot reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_boot sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling d_boot reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling d_boot sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_cron reference [filter] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling f_cron sequence [filter] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:6]

Compiling d_cron reference [destination] at [/etc/syslog-ng/syslog-ng.conf:7]

Compiling d_cron sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:8]

Compiling s_net reference [source] at [/etc/syslog-ng/syslog-ng.conf:8]

Compiling s_net sequence [source] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:3]

Compiling d_graylog reference [destination] at [/etc/syslog-ng/syslog-ng.conf:8]

Compiling d_graylog sequence [destination] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed junction [log] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed single [log] at [/etc/syslog-ng/syslog-ng.conf:4]

Compiling #unnamed sequence [log] at [/etc/syslog-ng/syslog-ng.conf:8]

Compiling s_sys reference [source] at [/etc/syslog-ng/syslog-ng.conf:8]

Compiling d_graylog reference [destination] at [/etc/syslog-ng/syslog-ng.conf:8]

Module loaded and initialized successfully; module='syslogformat'

Module loaded and initialized successfully; module='linux-kmsg-format'

Running application hooks; hook='1'

Running application hooks; hook='3'

syslog-ng starting up; version='3.5.6'

Syslog connection established; fd='9', server='AF_INET(19.211.45.55:12201)', local='AF_INET(0.0.0.0:0)'

Syslog-ng Config

@version:3.5

@include "scl.conf"

# syslog-ng configuration file.

#

# This should behave pretty much like the original syslog on RedHat. But

# it could be configured a lot smarter.

#

# See syslog-ng(8) and syslog-ng.conf(5) for more information.

#

# Note: it also sources additional configuration files (*.conf)

# located in /etc/syslog-ng/conf.d/

options {

flush_lines (0);

time_reopen (10);

log_fifo_size (2500000);

# chain_hostnames (off);

use_dns (no);

use_fqdn (no);

create_dirs (no);

keep_hostname (yes);

};

source s_sys {

system();

internal();

# udp(ip(0.0.0.0) port(514));

};

source s_net {

udp(ip(0.0.0.0) port(514));

#tcp(ip(0.0.0.0) port(514) max-connections(256));

};

destination d_cons { file("/dev/console"); };

destination d_mesg { file("/var/log/messages"); };

destination d_auth { file("/var/log/secure"); };

destination d_mail { file("/var/log/maillog" flush_lines(10)); };

destination d_spol { file("/var/log/spooler"); };

destination d_boot { file("/var/log/boot.log"); };

destination d_cron { file("/var/log/cron"); };

destination d_kern { file("/var/log/kern"); };

destination d_mlal { usertty("*"); };

destination d_graylog {

tcp("graylog."

port (12201)

);

};

filter f_kernel { facility(kern); };

filter f_default { level(info..emerg) and

not (facility(mail)

or facility(authpriv)

or facility(cron)); };

filter f_auth { facility(authpriv); };

filter f_mail { facility(mail); };

filter f_emergency { level(emerg); };

filter f_news { facility(uucp) or

(facility(news)

and level(crit..emerg)); };

filter f_boot { facility(local7); };

filter f_cron { facility(cron); };

log { source(s_sys); filter(f_kernel); destination(d_cons); };

log { source(s_sys); filter(f_kernel); destination(d_kern); };

log { source(s_sys); filter(f_default); destination(d_mesg); };

log { source(s_sys); filter(f_auth); destination(d_auth); };

log { source(s_sys); filter(f_mail); destination(d_mail); };

log { source(s_sys); filter(f_emergency); destination(d_mlal); };

log { source(s_sys); filter(f_news); destination(d_spol); };

log { source(s_sys); filter(f_boot); destination(d_boot); };

log { source(s_sys); filter(f_cron); destination(d_cron); };

log { source(s_net); destination(d_graylog); };

log { source(s_sys); destination(d_graylog); };

# Source additional configuration files (.conf extension only)

@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:

______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq

______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq

So that I could communicate between the syslog-ng box and graylog box I sent a test message from the syslog server to the graylog server to make sure it wasn't any networking or firewall issues or selinux issues. I used netcat to ensure I can connect to the input on graylog on port 12201. I will go back and do a TCP dump and get logs when I try to send a test message. On Wed, Nov 7, 2018, 7:22 PM PÁSZTOR György <pasztor@linux.gyakg.u-szeged.hu wrote:

Hi,

"Rodney Bizzell" <hardworker30@gmail.com> írta 2018-11-07 15:14-kor:

...

I can try that but I echoed a message from the syslog server to the graylog server and that worked

What this exactly means that you "echoed" a message? echo -ne '{some json formatted graylog message}\0' | nc graylog.server 12201 ?

Can you please share the details? It's really hard to guess what you exactly thought of. And I don't have my magic crystal sphere with me to have a more reliable guess.

Have you run a tcpdump to check communication between syslog-ng and graylog? Could you please share the pcap file?

You only shared the debug messages of the syslog-ng initialization. But we haven't seen in your other mail what the debug mode says if you send in a message which should end up on the graylog server. Well, this is what debug mode is for: to debug situations like this.

At this point it could be also useful, if this test system doesn't contain any sensitive information, to start a debug bundle run, and share the result: When your config is ready, etc. just use these parameters for the debun command: syslog-ng-debun -d -P 'port 12201'

It will stop system's syslog-ng service, and restart that in debug mode and collect the data, and will wait for your input when to stop data collecting. So, while it runs in debug mode, on a second terminal please try to send a log message, what destined to reach the graylog server. Wait a couple of seconds. Then hit the enter on the first terminal where the data collection is running. It will pack the collected data into a tarball, and notify you where is the resulting file. Then please share that file with us.

I think that is the most straightforward way to solve this mistery.

Regards, Gyu

______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq

For some reason when I run this command syslog-ng-debun -d -P 'port 12201' I get command not found has the syntax change for syslog-ng version 3.5. I was successful running this command syslog-ng -e -F -d -v -u -b -p 'port 12201'. Looking at the documentation and it does show that command above should work. I am running this on Centos 7 On Wed, Nov 7, 2018 at 7:22 PM PÁSZTOR György < pasztor@linux.gyakg.u-szeged.hu> wrote:

Hi,

"Rodney Bizzell" <hardworker30@gmail.com> írta 2018-11-07 15:14-kor:

...

I can try that but I echoed a message from the syslog server to the graylog server and that worked

What this exactly means that you "echoed" a message? echo -ne '{some json formatted graylog message}\0' | nc graylog.server 12201 ?

Can you please share the details? It's really hard to guess what you exactly thought of. And I don't have my magic crystal sphere with me to have a more reliable guess.

Have you run a tcpdump to check communication between syslog-ng and graylog? Could you please share the pcap file?

You only shared the debug messages of the syslog-ng initialization. But we haven't seen in your other mail what the debug mode says if you send in a message which should end up on the graylog server. Well, this is what debug mode is for: to debug situations like this.

At this point it could be also useful, if this test system doesn't contain any sensitive information, to start a debug bundle run, and share the result: When your config is ready, etc. just use these parameters for the debun command: syslog-ng-debun -d -P 'port 12201'

It will stop system's syslog-ng service, and restart that in debug mode and collect the data, and will wait for your input when to stop data collecting. So, while it runs in debug mode, on a second terminal please try to send a log message, what destined to reach the graylog server. Wait a couple of seconds. Then hit the enter on the first terminal where the data collection is running. It will pack the collected data into a tarball, and notify you where is the resulting file. Then please share that file with us.

I think that is the most straightforward way to solve this mistery.

Regards, Gyu

______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq

Okay thanks I will do that On Thu, Nov 8, 2018, 5:13 PM PÁSZTOR György <pasztor@linux.gyakg.u-szeged.hu wrote:

Hi,

"Rodney Bizzell" <hardworker30@gmail.com> írta 2018-11-08 10:45-kor:

...

For some reason when I run this command syslog-ng-debun -d -P 'port 12201' I get command not found has the syntax change for syslog-ng version 3.5. I was successful running this command syslog-ng -e -F -d -v -u -b -p 'port 12201'. Looking at the documentation and it does show that command above should work. I am running this on Centos 7

The syslog-ng-debun is in the contrib directory. If you have 3.5, it's highly possible that it wasn't even part of the pack then. As far as I see, 3.5 is ~5 years old. The first versions of debug-bundle generator was added to the git repo,... Well, I don't remember but it's sure that it's less then 5 years.

I suggest to download the latest version, then put that to a directory which is in your path. eg, run this two command first:

wget -O /usr/local/sbin/syslog-ng-debun https://raw.githubusercontent.com/balabit/syslog-ng/master/contrib/syslog-ng... chmod +x /usr/local/sbin/syslog-ng-debun

Regards, Gyu

______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq

Hi Rodney, "Rodney Bizzell" <hardworker30@gmail.com> írta 2018-11-12 13:28-kor:

So I upgraded to syslog-ng 3.18 and it has syslog-ng-debun options. I was

Just to run syslog-ng-debun, you should not had to upgrade your syslog-ng. syslog-ng-debun is a simple all in one portable shell script which's purpose is to gather information about any kind of syslog-ng installation. Always safe to use the latest one of this from the master branch, as I suggested to download via wget.

reading through the documentation and when I issue syslog-ng-debun -d -P 'port 12201' should I see anything on standard out because all that happen was it displayed the options for the command. That is all that happened

Yepp. In the meantime János Szigetrvári added an extra -r option to the script and that changed the default behaviour. Without the -r option it's just a "--dry-run"-ish parametering. It does nothing, except test the parameters. You can see that changeset following this link: https://github.com/balabit/syslog-ng/commit/f9312f87b758c450c6108abe8da9cf0b... So, from that point on, every syslog-ng-debun command should be replaced with the same, just adding an extra -r option. Which in your case, means: you should've run: syslog-ng-debun -r -d -P 'port 12201'

when I issued the command below in this email. I tried to run syslog-ng-debun -r and that executed and created a tarball.

Yep. This -r -d -P 'port 12201' will also create a tarball. Just a more useful one: It will run tcpdump in the bacground, to collect network traffic at the same time, matching the "port 12201" filtering expression. Btw.: Make sure, you have tcpdump installed on the system. Otherwise the script won't be able to run tcpdump. When you finished, we need that tarball what the script created. Regards, Gyu

Here is my config @version:3.18 @include "scl.conf" # syslog-ng configuration file. # # This should behave pretty much like the original syslog on RedHat. But # it could be configured a lot smarter. # # See syslog-ng(8) and syslog-ng.conf(5) for more information. # # Note: it also sources additional configuration files (*.conf) # located in /etc/syslog-ng/conf.d/ options { flush_lines (10); time_reopen (10); # chain_hostnames (off); use_dns (yes); use_fqdn (no); create_dirs (no); keep_hostname (yes); }; source s_sys { system(); internal(); # udp(ip(0.0.0.0) port(514)); }; source s_net { udp(ip(0.0.0.0) port(514)); tcp(ip(0.0.0.0) port(514) max-connections(256)); #log_iw_size(25000) so_keepalive(yes) log_fetch_limit(100)); }; destination d_cons { file("/dev/console"); }; destination d_mesg { file("/var/log/messages"); }; destination d_auth { file("/var/log/secure"); }; destination d_mail { file("/var/log/maillog" flush_lines(10)); }; destination d_spol { file("/var/log/spooler"); }; destination d_boot { file("/var/log/boot.log"); }; destination d_cron { file("/var/log/cron"); }; destination d_kern { file("/var/log/kern"); }; destination d_mlal { usertty("*"); }; destination d_graylog { tcp("hostname of Graylog server" port (12201) ); }; filter f_kernel { facility(kern); }; filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); }; filter f_auth { facility(authpriv); }; filter f_mail { facility(mail); }; filter f_emergency { level(emerg); }; filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); }; filter f_boot { facility(local7); }; filter f_cron { facility(cron); }; log { source(s_sys); filter(f_kernel); destination(d_cons); }; log { source(s_sys); filter(f_kernel); destination(d_kern); }; log { source(s_sys); filter(f_default); destination(d_mesg); }; log { source(s_sys); filter(f_auth); destination(d_auth); }; log { source(s_sys); filter(f_mail); destination(d_mail); }; log { source(s_sys); filter(f_emergency); destination(d_mlal); }; log { source(s_sys); filter(f_news); destination(d_spol); }; log { source(s_sys); filter(f_boot); destination(d_boot); }; log { source(s_sys); filter(f_cron); destination(d_cron); }; log { source(s_net); destination(d_graylog); }; log { source(s_sys); destination(d_graylog); }; # Source additional configuration files (.conf extension only) @include "/etc/syslog-ng/conf.d/*.conf" # vim:ft=syslog-ng:ai:si:ts=4:sw=4:et: On Mon, Nov 12, 2018 at 2:02 PM PÁSZTOR György < pasztor@linux.gyakg.u-szeged.hu> wrote:

Hi Rodney,

"Rodney Bizzell" <hardworker30@gmail.com> írta 2018-11-12 13:28-kor:

...

So I upgraded to syslog-ng 3.18 and it has syslog-ng-debun options. I was

Just to run syslog-ng-debun, you should not had to upgrade your syslog-ng. syslog-ng-debun is a simple all in one portable shell script which's purpose is to gather information about any kind of syslog-ng installation. Always safe to use the latest one of this from the master branch, as I suggested to download via wget.

...

reading through the documentation and when I issue syslog-ng-debun -d -P 'port 12201' should I see anything on standard out because all that happen was it displayed the options for the command. That is all that happened

Yepp. In the meantime János Szigetrvári added an extra -r option to the script and that changed the default behaviour. Without the -r option it's just a "--dry-run"-ish parametering. It does nothing, except test the parameters. You can see that changeset following this link:

https://github.com/balabit/syslog-ng/commit/f9312f87b758c450c6108abe8da9cf0b...

So, from that point on, every syslog-ng-debun command should be replaced with the same, just adding an extra -r option.

Which in your case, means: you should've run: syslog-ng-debun -r -d -P 'port 12201'

...

when I issued the command below in this email. I tried to run syslog-ng-debun -r and that executed and created a tarball.

Yep. This -r -d -P 'port 12201' will also create a tarball. Just a more useful one: It will run tcpdump in the bacground, to collect network traffic at the same time, matching the "port 12201" filtering expression.

Btw.: Make sure, you have tcpdump installed on the system. Otherwise the script won't be able to run tcpdump.

When you finished, we need that tarball what the script created.

Regards, Gyu

______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq

So I made the changes to syslog-ng config for graylog destination configuration and started the debug mode again hopped on another terminal and ran logger command with a test message but I still see nothing getting into my graylog server. I am uploading the debug file again to see if there is something I am missing. On my graylog side. I have inputs setup Syslog I have Gelf input setup as well On Wed, Nov 14, 2018 at 1:31 PM PÁSZTOR György < pasztor@linux.gyakg.u-szeged.hu> wrote:

Hi,

I took a look at your debug bundle.

As far as I see the pcap file, tcp communication happens, but it's not graylog's "protocol", it's the legacy rfc3164. Unless graylog expecting legacy protocol, that's not correct. Then I spotted this:

"Rodney Bizzell" <hardworker30@gmail.com> írta 2018-11-12 14:59-kor:

...

destination d_graylog { tcp("hostname of Graylog server" port (12201) ); };

This configures a legacy tcp destination. It won't format the messages for gelf. At least in case of graylog, the best choice for protocol would be gelf. The correct configuration for gelf destination would be: destination d_graylog { graylog2( host("hostname of Graylog server") ); };

Or if you want something more detailed or specific stuff, then you can use this: destination d_graylog { network( "hostname of Graylog server" port(12201) transport(tcp) template("$(format-json --scope all-nv-pairs)\n") ); };

Of course, if gelf destination expects zero terminated strings, than you can replace the \n to \0 at the end of the template string.

Regards, Gyu

______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq