[syslog-ng] syslog-ng 3.0.8, 3.0.9 not sending logs to centralized log host

Jarrett Lee jarrett.lee at oversightsystems.com
Tue Dec 21 23:33:03 CET 2010 

As I stated before, I ran tcpdump to monitor the network traffic leaving the client system and then attempted to generate some logs, there was no network traffic beyond SSH and some VMware stuff, so I know it wasn't networking, at least not yet, as the syslog-ng client daemon was not even generating network traffic.

Anyway, I did figure out the issue. I was editing the wrong conf file, silly me! I was editing /etc/syslog-ng.conf when I should have been editing /opt/syslog-ng/etc/syslog-ng.conf. A coworker showed me this, proving that I had just been staring at the problem for too long to be able to see the answer ;)

Thank you for your help guys! It helped us get the gears in our heads moving again!

On Dec 21, 2010, at 17:09, Alan McKinnon wrote:

> Your config appears correct - I use a similar setup on a wide variety of 
> logging clients using all sorts of versions of sysloggers.
> 
> So I imagine your problem is more network and less syslog. You don't mention 
> basic networking tests you might have done, such as can you ping the log host 
> and can you telnet to the port and get a sensible result? I'd like to 
> establish that packets can at least go from client to server. And don't forget 
> to check silly things /etc/hosts - I once had a server listed there with 
> address 127.0.0.1.....  that took an awfully long time to find. [I see your 
> config implies you send to an ip not a hostname. But still, basic checks are 
> good.]
> 
> 
> 
> Apparently, though unproven, at 00:03 on Wednesday 22 December 2010, Jarrett 
> Lee did opine thusly:
> 
>> This is the client side that I'm having issues with, not the syslog server,
>> or loghost, side. Does it really need network configuration information in
>> the source statement? I thought that was on the server side to show it
>> which interface/port to listen on for clients.
>> 
>> On Dec 21, 2010, at 16:59, Clayton Dukes wrote:
>> 
>> Looks like you need to define UDP or TCP (or both) in your src statement.
>> 
>> Here's a short (hopefully helpful) link to a video for syslog-ng
>> configuration: http://www.logzilla.info/SearchResults.asp?Cat=49
>> 
>> <http://www.logzilla.info/SearchResults.asp?Cat=49>Full disclosure,
>> LogZilla is my log analysis software, but hopefully the video helps.
>> 
>> 
>> ______________________________________________________________
>> 
>> Clayton Dukes
>> ______________________________________________________________
>> 
>> 
>> On Tue, Dec 21, 2010 at 4:43 PM, Jarrett Lee
>> <jarrett.lee at oversightsystems.com<mailto:jarrett.lee at oversightsystems.com>
>>> wrote: I have syslog-ng 3.0.9 (also tried 3.0.8) on a CentOS 5.5 system,
>> firewall (iptables) turned off, and SELinux disabled. For some reason it
>> refuses to send logs to my log host, though it will put them in my
>> messages file. I've even broken out tcpdump to monitor the port while
>> generating logs to see if I can see any network traffic generated, but
>> it's crickets on the wire.
>> 
>> Anybody have this problem? Is there something I'm missing, perhaps I've
>> been looking at it for too long and need fresh eyes? I've had this working
>> before on other platforms, Solaris and other distros of Linux, but this
>> time it's kicking my butt...
>> 
>> Here's my syslog-ng.conf (with IP and port redacted):
>> #### BEGIN syslog-ng.conf ####
>> @version: 3.0
>> 
>> options {
>> };
>> 
>> source src {
>> internal();
>> unix-stream("/dev/log");
>> file("/proc/kmsg" program_override("kernel: "));
>> };
>> 
>> destination local {
>> file("/var/log/messages");
>> };
>> destination loghost {
>> tcp("IPADDR" port(PORT));
>> };
>> 
>> log {
>> source(src);
>> destination(local);
>> };
>> log {
>> source(src);
>> destination(loghost);
>> };
>> #### END syslog-ng.conf ####
>> 
>> 
>> Thanks,
>> Jarrett
>> 
>> Jarrett Lee, UNIX Administrator
>> OVERSIGHT SYSTEMS |
>> www.oversightsystems.com<http://www.oversightsystems.com/>
>> __________________________________________________________________________
>> ____ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng FAQ:
>> http://www.campin.net/syslog-ng/faq.html
>> 
>> 
>> ___________________________________________________________________________
>> ___ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng FAQ:
>> http://www.campin.net/syslog-ng/faq.html
> 
> -- 
> alan dot mckinnon at gmail dot com

More information about the syslog-ng mailing list