[syslog-ng] Forwarding to a Loglogic device

Dukes Clayton Clayton.Dukes at HCAhealthcare.com
Thu Sep 28 17:51:59 CEST 2006 

I found the problem - typo in config...sheesh
 

________________________________

From: syslog-ng-bounces at lists.balabit.hu
[mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Dukes Clayton
Sent: Thursday, September 28, 2006 10:29 AM
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] Forwarding to a Loglogic device




Argh... 

Can someone tell me why a sniffer shows no traffic passing to the
destination when using this config? 
I've tried everything I can think of...what am I doing wrong? 


############################## 
# Loglogic dump 
############################## 
options { 
sync(0); 
log_fifo_size(1024); 
chain_hostnames(no); 
use_fqdn(yes); 
use_dns(yes); 
dns_cache(yes); 
dns_cache_expire(300); 
dns_cache_expire_failed(10); 
dns_cache_size(1024); 
keep_hostname(yes); 
}; 
source snet { tcp(); udp(); }; 
filter f_loglogic { level(debug..emerg) and facility(local0, local1,
local2, local3, local4, local6, local7); }; 
destination LogLogic { tcp("10.24.2.39" port(514) log_fifo_size(60000)
template("<$PRI> $R_DATE $SOURCEIP $MSG\n") ); };

log { source(snet); filter(f_loglogic);  destination(LogLogic); }; 
############################## 
# END Loglogic dump 
############################## 


When I telnet to my router and generate a SYS-5-CONFIG, I see the packet
come into the server: 
#----Start capture 
tcpdump dst port 514   
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode 
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 

10:17:33.211813 IP 10.26.31.2.52935 > syslog.net.syslog: SYSLOG
local7.notice, length: 105 
148 packets captured 
297 packets received by filter 
0 packets dropped by kernel 
#----End capture 


But when I try to sniff packets going to the destination server, I see
nothing: 
 /etc/init.d/syslog-ng restart

 * Stopping syslog-ng ...
[ ok ]

 * Starting syslog-ng ...    

#----Start capture - note that the entries below are from syslog-ng
restarting, so I know it establishes a connection...

tcpdump dst host 10.24.2.39   
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode 
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 

10:24:40.401037 IP syslog.net.56631 > .shell: F 1487912722:1487912722(0)
ack 91904650 win 1460 <nop,nop,timestamp 866281169 157842259>

10:24:40.407670 IP syslog.net.56631 > .shell: . ack 2 win 1460
<nop,nop,timestamp 866281177 158151244> 
10:24:43.014989 IP syslog.net.42848 > .shell: S 1805017512:1805017512(0)
win 5840 <mss 1460,sackOK,timestamp 866283785 0,nop,wscale 2>

10:24:43.015885 IP syslog.net.42848 > .shell: . ack 425051406 win 1460
<nop,nop,timestamp 866283786 158153852> 
#----End capture 


What am I missing here? 

Thanks! 
Clayton 


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20060928/041b3573/attachment.html

More information about the syslog-ng mailing list