[syslog-ng] 3.0.5 & Cisco TCP problems

Fri Mar 26 00:31:15 CET 2010

Hello,

After spending the afternoon trying to get this working, I've decided
to reach out for some help (tried google - no luck!).

I have what I believe is a very simple syslog-ng configuration where I
am trying to capture syslog events from Cisco routers via TCP.  I
first tested via UDP, and all works good.  The router establishes a
TCP connection with my syslog-ng (viewable via netstat -nap, and in
the /var/log/messages):

Mar 25 17:07:53 logger syslog-ng[8943]: Syslog connection accepted;
fd='11', client='AF_INET(X.X.X.254:56868)',
local='AF_INET(X.X.X.5:2002)'

On the router I do a "config term" & "exit" to generate a log.
tcpdump on the syslog-ng machine shows traffic as expected:

17:18:44.891080 IP X.X.X.254.61241 > 10.240.0.5.2002: .
3679441367:3679441450(83) ack 1811354960 win 4128
17:18:44.891134 IP X.X.X.5.2002> 10.240.0.254.61241: . ack 83 win 5840

And a strace:

poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3,
events=POLLIN}, {fd=8, events=POLLIN}], 4, 456650) = 1 ([{fd=8,
revents=POLLIN}])
gettimeofday({1269559238, 85688}, NULL) = 0
read(8, "<189>145: *Mar 25 23:41:37.033: "..., 7739) = 83
read(8, 0x9f94618, 7656)                = -1 EAGAIN (Resource
temporarily unavailable)
gettimeofday({1269559238, 86032}, NULL) = 0
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}, {fd=3,
events=POLLIN}, {fd=8, events=POLLIN}], 4, 449113

But nothing ever shows up in the log files!  Here's my syslog-ng.conf.
 Any pointers or ideas?

@version: 3.0
options {
use_dns(no);
};
source t_net { tcp(ip(X.X.X.5) port(2002) keep-alive(yes) ); };
source s_local { internal(); unix-stream("/dev/log");
file("/proc/kmsg" program_override("kernel: ")); };
destination d_messages { file("/var/log/messages"); };
destination d_cisco { file("/var/log/cisco.log"); };
log { source(t_net); destination(d_messages); };
log { source(s_local); destination(d_messages); };

And for what it is worth the relevant lines from my test cisco:

logging host X.X.X.5 transport tcp port 2002

And syslog-ng version:

syslog-ng 3.0.5
Installer-Version: 3.0.5
Revision: ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.0#master#f2fd7457627a88eb9602a73a5c16cd8b2434b667
Compile-Date: Dec  7 2009 14:52:42
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-Sun-Door: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: on
Enable-Linux-Caps: on
Enable-Pcre: off

Thanks in advance!