[syslog-ng] Trouble with switches and syslog-ng

Jean-Michel Philippon-Nadeau jmphilip at ccs.usherbrooke.ca
Thu Apr 5 14:29:23 CEST 2007


Balazs Scheidler wrote:
> On Wed, 2007-04-04 at 11:01 -0400, Jean-Michel Philippon-Nadeau wrote:
>> Good day everyone,
>>
>> 	We use syslog-ng to store and organize the logs of our machines 
>> (~3900). For every host we have, syslog-ng creates a folder with the 
>> hostname or the IP address (if it couldn't determine the hostname) of 
>> the machine and then stores the logs.
>>
>> 	We also have 5 switches that can report logs with standard syslog 
>> capabilities (udp on port 514). The problem is that syslog-ng doesn't 
>> create the folder for these switches and doesn't store their logs. I 
>> made sure there were no network problems by using tcpdump - the packets 
>> correctly made it to the central syslog-ng host. Yes, of course, I made 
>> sure udp(); was in my source declaration.
>>
>> 	Does anyone know how I can make sure syslog-ng receives the logs?
> 
> the message sent by the switch might not be in a format that syslog-ng
> accepts and this way the message gets to the wrong destination.
> 
> can you paste a single log message as received by the syslog-ng host?
> ie. a message you captured using tcpdump.
> 

Here is a login failure from ssh to the switch received by tcpdump -A 
-vv on a specific interface, a specific host (a switch) and on UDP port 514.

08:10:15.767285 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 
17, length: 88) 192.168.175.2.syslog > 192.168.175.1.syslog: UDP, length 60

E..X.. at .@.[@.............D..Login failed for user adminccs through ssh 
(192.168.10


> btw: you also made sure that no packet filtering is involved, right?
> 

Yes, everything was working fine before, we were using Splunk and 
changed to syslog-ng without even touching the firewall.

Thanks for your help, it is very appreciated.

Jean-Michel
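The payload in the capture above starts directly with "Login failed ..." with no `<PRI>` and no "Mmm dd hh:mm:ss hostname" header, which is the kind of non-standard format Balazs is asking about. The following is an added example, not code from the thread or from syslog-ng: a small RFC 3164 parser that applies the RFC's fallbacks (a message without a recognisable PRI is treated as `<13>`, i.e. user.notice; a message without a header gets the datagram's source address as its host) and flags such bare messages so a collector operator can see where they will be filed. The sample payloads are constructed; the third one mirrors the shape of the switch message, and the assumption that syslog-ng applies the same fallbacks is mine, not something the thread states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Facility (0-23) and severity (0-7) names as listed in RFC 3164.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> is 1-3 digits; the largest legal value is 191 (facility 23, severity 7).
PRI_RE = re.compile(r"^<(\d{1,3})>")
# BSD header: "Mmm dd hh:mm:ss HOSTNAME " followed by the free-text message.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<text>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogMessage:
    sender: str            # source IP of the UDP datagram
    facility: str
    severity: str
    host: str              # hostname the collector will file the message under
    timestamp: Optional[str]
    text: str
    pri_missing: bool      # no usable <PRI> at the start of the payload
    header_missing: bool   # no timestamp/hostname header after the PRI


def parse_bsd_syslog(sender_ip: str, payload: str) -> SyslogMessage:
    """Parse one UDP syslog payload, applying RFC 3164 fallbacks for missing parts."""
    m = PRI_RE.match(payload)
    if m and int(m.group(1)) <= 191:
        pri, rest, pri_missing = int(m.group(1)), payload[m.end():], False
    else:
        # RFC 3164 section 4.3.3: no recognisable PRI -> treat as <13> (user.notice).
        pri, rest, pri_missing = 13, payload, True
    facility, severity = divmod(pri, 8)

    h = HEADER_RE.match(rest)
    if h:
        ts, host, text, header_missing = h.group("ts"), h.group("host"), h.group("text"), False
    else:
        # No header: the only hostname the collector has is the datagram's source address.
        ts, host, text, header_missing = None, sender_ip, rest, True
    return SyslogMessage(sender_ip, FACILITIES[facility], SEVERITIES[severity],
                         host, ts, text, pri_missing, header_missing)


def bare_messages(samples: List[Tuple[str, str]]) -> List[SyslogMessage]:
    """Return the messages that would be filed under fallback facility and/or host."""
    parsed = (parse_bsd_syslog(ip, payload) for ip, payload in samples)
    return [msg for msg in parsed if msg.pri_missing or msg.header_missing]


# Constructed samples: (source IP, UDP payload). Only the third is shaped like the
# switch message from the capture; none of these are real captured data.
SAMPLES = [
    ("192.168.175.1", "<34>Apr  5 08:10:15 srv01 sshd[1234]: Failed password for root from 10.0.0.5 port 2222 ssh2"),
    ("192.168.175.2", "<13>Login failed for user adminccs through ssh (192.168.10.99)"),
    ("192.168.175.2", "Login failed for user adminccs through ssh (192.168.10.99)"),
]

if __name__ == "__main__":
    for ip, payload in SAMPLES:
        msg = parse_bsd_syslog(ip, payload)
        flags = ("no-PRI " if msg.pri_missing else "") + ("no-header" if msg.header_missing else "")
        print(f"{ip:15} -> host={msg.host:15} {msg.facility}.{msg.severity:8} {flags or 'ok'}")
```

Run against a few payloads pulled out of a tcpdump capture, this shows the practical consequence for a per-host directory layout like the one in the thread: a bare message carries no hostname of its own, so it is filed under whatever the collector derives from the source address, and it carries no facility of its own, so any facility-based filter sees it as user.notice rather than, say, auth. Which destination it finally lands in then depends entirely on the collector's configuration, which is why comparing the parsed host and facility with what the switch was expected to send is the first check to make.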

