[syslog-ng] Forwarding to a Loglogic device

Dukes Clayton Clayton.Dukes at HCAhealthcare.com
Thu Sep 28 17:29:05 CEST 2006


Argh...

Can someone tell me why a sniffer shows no traffic passing to the
destination when using this config?
I've tried everything I can think of... what am I doing wrong?


##############################
# Loglogic dump
##############################
options {
    sync(0);                      # write messages out immediately, no line buffering
    log_fifo_size(1024);          # global output queue, in messages
    chain_hostnames(no);          # don't prepend relay names to the host field
    use_fqdn(yes);
    use_dns(yes);                 # resolve sender addresses to names...
    dns_cache(yes);               # ...and cache the lookups
    dns_cache_expire(300);
    dns_cache_expire_failed(10);
    dns_cache_size(1024);
    keep_hostname(yes);           # keep the hostname carried inside the message
};

# tcp() and udp() with no arguments listen on 0.0.0.0 port 514
source snet { tcp(); udp(); };

# every level; local0-local4, local6 and local7 (local5 is not listed)
filter f_loglogic {
    level(debug..emerg) and
    facility(local0, local1, local2, local3, local4, local6, local7);
};

# TCP/514 is "shell" (rsh) in /etc/services, which is why tcpdump prints
# the peer port as ".shell" in the second capture below
destination LogLogic {
    tcp("10.24.2.39" port(514) log_fifo_size(60000)
        template("<$PRI> $R_DATE $SOURCEIP $MSG\n"));
};

log { source(snet); filter(f_loglogic); destination(LogLogic); };
##############################
# END Loglogic dump
##############################


When I telnet to my router and generate a SYS-5-CONFIG, I see the packet
come into the server:
#----Start capture
tcpdump dst port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

10:17:33.211813 IP 10.26.31.2.52935 > syslog.net.syslog: SYSLOG local7.notice, length: 105
148 packets captured
297 packets received by filter
0 packets dropped by kernel
#----End capture


But when I try to sniff packets going to the destination server, I see
nothing:
 /etc/init.d/syslog-ng restart

 * Stopping syslog-ng ...
[ ok ]
 * Starting syslog-ng ...    

#----Start capture - note that the entries below are from syslog-ng
restarting, so I know it establishes a connection...
tcpdump dst host 10.24.2.39
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

10:24:40.401037 IP syslog.net.56631 > .shell: F 1487912722:1487912722(0) ack 91904650 win 1460 <nop,nop,timestamp 866281169 157842259>
10:24:40.407670 IP syslog.net.56631 > .shell: . ack 2 win 1460 <nop,nop,timestamp 866281177 158151244>
10:24:43.014989 IP syslog.net.42848 > .shell: S 1805017512:1805017512(0) win 5840 <mss 1460,sackOK,timestamp 866283785 0,nop,wscale 2>
10:24:43.015885 IP syslog.net.42848 > .shell: . ack 425051406 win 1460 <nop,nop,timestamp 866283786 158153852>
#----End capture


What am I missing here?

Thanks!
Clayton
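As an added check, not part of the original post and not syslog-ng's own code: the Python below parses syslog datagrams the way an RFC 3164 receiver does, runs them through the filter f_loglogic exactly as posted (every level, the seven listed local facilities), and renders the posted destination template. The sample datagrams, the source address 10.26.31.2 and the receive time are constructed for the example; the rendering of $MSG (text after the RFC 3164 header) and $R_DATE (receive time as a BSD timestamp) assumes the macro meanings of the syslog-ng versions of that era and is an assumption, not a reproduction of any version's exact output.

```python
"""Added check for the syslog-ng config in the post above: parse constructed
syslog datagrams the way an RFC 3164 receiver does, run them through the
posted filter f_loglogic, and render the posted destination template.

Constructed for this example, not taken from the post: the sample datagrams,
the source address and the receive time. The template rendering assumes
syslog-ng 2.x-era macro meanings ($MSG = text after the RFC 3164 header,
$R_DATE = receive time as a BSD timestamp); that is an assumption."""
import re
from datetime import datetime

# Facility codes 0-23 and severity codes 0-7 as named in RFC 3164 / syslog-ng.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# filter f_loglogic exactly as posted: level(debug..emerg) is an inclusive
# range covering every level; the facility list omits local5.
F_LOGLOGIC_FACILITIES = {"local0", "local1", "local2", "local3", "local4",
                         "local6", "local7"}
F_LOGLOGIC_LEVELS = ("debug", "emerg")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# RFC 3164 header after the PRI: "Sep 28 10:17:33 hostname " then the text
HEADER_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$",
                       re.DOTALL)

# Constructed samples: a Cisco-style config message at local7.notice like the
# one in the first tcpdump, a local5 message, and a datagram with no <PRI>.
SAMPLES = {
    "router_config": "<189>Sep 28 10:17:33 rtr01 123: %SYS-5-CONFIG_I: "
                     "Configured from console by vty0",
    "local5_info": "<174>Sep 28 10:18:00 app01 app[42]: heartbeat",
    "no_pri": "Sep 28 10:18:30 legacy01 noisy: hello",
}
SOURCE_IP = "10.26.31.2"                         # constructed; mirrors the capture
RECEIVED_AT = datetime(2006, 9, 28, 10, 17, 33)  # constructed receive time


def parse_pri(datagram):
    """Return (facility_name, level_name, text_after_pri).

    A datagram without a parseable <PRI> gets <13> (user.notice), the value
    RFC 3164 tells a relay to assume for an unidentifiable priority."""
    m = PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), m.group(2)
    else:
        pri, rest = 13, datagram
    return FACILITIES[pri >> 3], LEVELS[pri & 7], rest


def f_loglogic(datagram):
    """The posted filter: facility in the list AND level within debug..emerg."""
    facility, level, _ = parse_pri(datagram)
    lo, hi = sorted(LEVELS.index(name) for name in F_LOGLOGIC_LEVELS)
    return facility in F_LOGLOGIC_FACILITIES and lo <= LEVELS.index(level) <= hi


def render_loglogic(datagram, source_ip=SOURCE_IP, received_at=RECEIVED_AT):
    """Render template("<$PRI> $R_DATE $SOURCEIP $MSG\\n") for one datagram."""
    facility, level, rest = parse_pri(datagram)
    pri = FACILITIES.index(facility) * 8 + LEVELS.index(level)
    hdr = HEADER_RE.match(rest)
    msg = hdr.group(2) if hdr else rest        # $MSG: text after the header
    r_date = "%s %2d %s" % (received_at.strftime("%b"), received_at.day,
                            received_at.strftime("%H:%M:%S"))
    return "<%d> %s %s %s\n" % (pri, r_date, source_ip, msg)


def evaluate_samples():
    """Return {sample_name: True if f_loglogic would pass it to LogLogic}."""
    return {name: f_loglogic(dg) for name, dg in SAMPLES.items()}


if __name__ == "__main__":
    for name, dg in SAMPLES.items():
        facility, level, _ = parse_pri(dg)
        verdict = "forwarded" if f_loglogic(dg) else "dropped by filter"
        print("%-14s %s.%s: %s" % (name, facility, level, verdict))
        if f_loglogic(dg):
            print("    " + render_loglogic(dg).rstrip("\n"))
```

Running it shows that the local7.notice message seen arriving in the first capture does pass f_loglogic and would be rendered as `<189> Sep 28 10:17:33 10.26.31.2 ...`, while a local5 message or a datagram with no PRI header is dropped by the filter. That rules the filter in or out for a given message before one goes looking at the TCP side.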

