[syslog-ng] Syslog-ng not receiving messages
keshava V
mv.keshava at gmail.com
Thu Nov 18 00:23:44 CET 2010
Further,
I have tried setting the kernel parameters without any luck
[root at aspsyslog ~]# sysctl -w net.core.rmem_max=8388608
[root at aspsyslog ~]# sysctl -w net.core.rmem_default=1048576
On Wed, Nov 17, 2010 at 5:19 PM, keshava V <mv.keshava at gmail.com> wrote:
> I am receiving messages on udp port 514 and nothing on tcp 514.
>
> 17:15:50.816216 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 88
> 17:15:50.819013 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 191
> 17:15:50.817631 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
> 17:15:50.820751 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166
> 17:15:50.837713 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.alert, length: 126
> 17:15:50.837730 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.alert, length: 126
> 17:15:50.898519 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 181
> 17:15:50.903282 IP 10.41.42.254.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 112
>
> I am running syslog-ng in debug mode and this is what is being sent to
> stdout
>
> [root at aspsyslog ~]# /opt/syslog-ng/sbin/syslog-ng -d -v
> Running application hooks; hook='1'
> Running application hooks; hook='3'
>
> syslog-ng starting up; version='3.1.2'
> Incoming log entry; line='<6>device eth0 entered promiscuous mode'
> Initializing destination file writer; template='/var/log/messages_syslog-ng.log', filename='/var/log/messages_syslog-ng.log'
> Incoming log entry; line='<6>device eth0 left promiscuous mode'
> Incoming log entry; line='<6>device eth0 entered promiscuous mode'
> Incoming log entry; line='<6>device eth0 left promiscuous mode'
> Incoming log entry; line='<6>device eth0 entered promiscuous mode'
>
> On Wed, Nov 17, 2010 at 5:14 PM, keshava V <mv.keshava at gmail.com> wrote:
>
>> We had an old syslog-ng server, completely configured and working fine,
>> which died. I am using the same IP address, so I can confidently say
>> that the firewall is open and all the messages are arriving at the new server.
>> syslog is writing messages to the destination, but not the messages coming in
>> on udp/tcp 514. I am trying to get it to write to one file and, if that works,
>> then to filter all the messages later by host.
>>
>> I have attached the tcpdump output here; you can see info and debug messages
>> making it to this server:
>>
>> 17:03:47.495842 IP aspsyslog.filenet-cm > neo.domain: 32289+ PTR? 41.34.73.10.in-addr.arpa. (42)
>> 17:03:47.496324 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
>> 17:03:47.496373 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
>> 17:03:47.496395 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
>> 17:03:47.496530 IP neo.domain > aspsyslog.filenet-cm: 32289 NXDomain* 0/1/0 (128)
>> 17:03:47.497113 IP aspsyslog.ssh > nim.42783: P 48256:49264(1008) ack 97 win 53 <nop,nop,timestamp 93630177 1310858340>
>> 17:03:47.497603 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166
>> 17:03:47.497635 IP nim.42783 > aspsyslog.ssh: . ack 49264 win 32761 <nop,nop,timestamp 1310858341 93630124>
>> 17:03:47.506126 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 86
>> 17:03:47.506169 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 189
>> 17:03:47.521584 IP 10.140.130.20.filenet-pa > aspsyslog.syslog: SYSLOG daemon.info, length: 107
>> 17:03:47.521615 IP aspsyslog. > 10.140.130.20: ICMP host aspsyslog. unreachable - admin prohibited, length 143
>> 17:03:47.521907 IP aspsyslog.filenet-cm > neo.domain: 57020+ PTR? 20.130.140.10.in-addr.arpa. (44)
>> 17:03:47.522331 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
>> 17:03:47.522504 IP neo.domain > aspsyslog.filenet-cm: 57020 NXDomain* 0/1/0 (132)
>> 17:03:47.523087 IP aspsyslog.ssh > nim.42783: P 49264:50416(1152) ack 97 win 53 <nop,nop,timestamp 93630203 1310858341>
>> 17:03:47.523574 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166
>> 17:03:47.549950 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
>> 17:03:47.549973 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
>> 17:03:47.552109 IP 10.73.34.45.32822 > aspsyslog.syslog: SYSLOG daemon.info, length: 109
>> 17:03:47.552136 IP aspsyslog. > 10.73.34.45: ICMP host aspsyslog. unreachable - admin prohibited, length 145
>> 17:03:47.552410 IP aspsyslog.filenet-cm > neo.domain: 41657+ PTR? 45.34.73.10.in-addr.arpa. (42)
>> 17:03:47.552852 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
>> 17:03:47.553052 IP neo.domain > aspsyslog.filenet-cm: 41657 NXDomain* 0/1/0 (128)
>> 17:03:47.553576 IP aspsyslog.ssh > nim.42783: P 50416:51392(976) ack 97 win 53 <nop,nop,timestamp 93630233 1310858341>
>> 17:03:47.554127 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 166
>> 17:03:47.558864 IP 10.140.141.8.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 177
>> 17:03:47.558998 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 188
>> 17:03:47.559027 IP aspsyslog. > 10.140.141.9: ICMP host aspsyslog. unreachable - admin prohibited, length 224
>> 17:03:47.559031 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 188
>> 17:03:47.595714 IP axprod20.filenet-rpc > aspsyslog.syslog: SYSLOG daemon.info, length: 108
>> 17:03:47.595820 arp who-has axprod20. tell aspsyslog.
>> 17:03:47.596053 IP aspsyslog.filenet-cm > neo.domain: 65192+ PTR? 25.130.140.10.in-addr.arpa. (44)
>> 17:03:47.596226 IP aspsyslog. > axprod20.: ICMP host aspsyslog. unreachable - admin prohibited, length 144
>> 17:03:47.596434 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
>> 17:03:47.596540 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
>> 17:03:47.596549 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 86
>>
>> On Wed, Nov 17, 2010 at 5:02 PM, Worsham, Michael <mworsham at scires.com> wrote:
>>
>>> Try running the syslog-ng application in debug mode: "syslog-ng -d -v"
>>> and see what the output is to the screen for the UDP connection and
>>> destination attempts.
>>>
>>> *From:* syslog-ng-bounces at lists.balabit.hu [mailto:
>>> syslog-ng-bounces at lists.balabit.hu] *On Behalf Of *keshava V
>>> *Sent:* Wednesday, November 17, 2010 5:59 PM
>>> *To:* Syslog-ng users' and developers' mailing list
>>> *Subject:* Re: [syslog-ng] Syslog-ng not receiving messages
>>>
>>> Messages from kernel, syslog-ng are being written but not the ones coming
>>> on udp 514 to the destination file as seen below.
>>>
>>> [root at aspsyslog ~]# ls -ltr /var/log/messages_syslog-ng.log
>>> -rw-r--r-- 1 root root 24645 2010-11-17 15:32 /var/log/messages_syslog-ng.log
>>>
>>> Nov 17 14:28:55 s_all at aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;
>>> Nov 17 14:29:40 s_all at aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;
>>> Nov 17 14:30:09 s_all at aspsyslog syslog-ng[4460]: Configuration reload request received, reloading configuration;
>>> Nov 17 14:36:33 s_all at aspsyslog syslog-ng[4460]: Termination requested via signal, terminating;
>>> Nov 17 14:36:33 s_all at aspsyslog syslog-ng[4460]: syslog-ng shutting down; version='3.1.2'
>>> Nov 17 14:36:40 s_all at aspsyslog syslog-ng[8051]: syslog-ng starting up; version='3.1.2'
>>> Nov 17 14:40:49 s_all at aspsyslog syslog-ng[8051]: Configuration reload request received, reloading configuration;
>>> Nov 17 14:47:07 s_all at aspsyslog syslog-ng[8051]: Termination requested via signal, terminating;
>>> Nov 17 14:47:07 s_all at aspsyslog syslog-ng[8051]: syslog-ng shutting down; version='3.1.2'
>>> Nov 17 14:55:43 s_all at aspsyslog kernel: device eth0 entered promiscuous mode
>>> Nov 17 14:56:09 s_all at aspsyslog kernel: device eth0 left promiscuous mode
>>> Nov 17 14:58:04 s_all at aspsyslog kernel: device eth0 entered promiscuous mode
>>> Nov 17 14:58:11 s_all at aspsyslog kernel: device eth0 left promiscuous mode
>>>
>>> On Wed, Nov 17, 2010 at 4:29 PM, Martin Holste <mcholste at gmail.com> wrote:
>>>
>>> Hm, maybe a permissions issue with writing? Try putting in
>>> /tmp/somefile as the destination and see if that works. Also, you
>>> should verify that messages are in fact arriving on the server using
>>> tcpdump.
>>>
>>> On Wed, Nov 17, 2010 at 3:44 PM, keshava Veerabhadraiah <mv.keshava at gmail.com> wrote:
>>> > Hi
>>> > I am new to syslog-ng and I have gone through other posts to see if I
>>> > can get a resolution to my problem.
>>> > Syslog is not writing any messages received on udp() or tcp() to the
>>> > destination file.
>>> > I have made sure that the syslog server is receiving the syslog messages,
>>> > as seen from the tcpdump:
>>> >
>>> > 15:09:55.422423 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.warning, length: 153
>>> > 15:09:55.434638 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 184
>>> > 15:09:55.470383 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 176
>>> > 15:09:55.473519 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 190
>>> > 15:09:55.493361 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 180
>>> > 15:09:55.493748 IP aspsyslog.sungardebs.com.ssh > nim.sungardebs.com.42703: P 128608:129696(1088) ack 289 win 461 <nop,nop,timestamp 88706531 1310848493>
>>> > 15:09:55.495519 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 188
>>> > 15:09:55.495548 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.debug, length: 90
>>> > 15:09:55.495556 IP 10.140.141.9.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.debug, length: 85
>>> > 15:09:55.521115 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.debug, length: 87
>>> > 15:09:55.521188 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 188
>>> > 15:09:55.522041 IP 10.140.141.6.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 175
>>> > 15:09:55.522212 IP 10.140.141.7.syslog > aspsyslog.sungardebs.com.syslog: SYSLOG local4.info, length: 164
>>> >
>>> > Here is how my syslog-ng config looks.
>>> >
>>> > @version: 3.0
>>> > #Default configuration file for syslog-ng.
>>> > #
>>> > # For a description of syslog-ng configuration file directives, please read
>>> > # the syslog-ng Administrator's guide at:
>>> > #
>>> > # http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
>>> > #
>>> >
>>> > options {
>>> > chain_hostnames(no);
>>> > create_dirs (no);
>>> > dir_perm(0755);
>>> > dns_cache(no);
>>> > keep_hostname(yes);
>>> > log_fifo_size(2048);
>>> > log_msg_size(1024);
>>> > log_iw_size (500);
>>> > long_hostnames(on);
>>> > perm(0644);
>>> > stats_freq(3600);
>>> > flush_lines(100);
>>> > time_reopen (10);
>>> > use_dns(no);
>>> > use_fqdn(yes);
>>> > # max_connections(100);
>>> >
>>> > };
>>> >
>>> > source s_all {
>>> > udp(so_rcvbuf(2048576));
>>> > tcp();
>>> > unix-stream("/dev/log");
>>> > internal();
>>> > file("/proc/kmsg");
>>> > };
>>> >
>>> > destination d_file_normal {file("/var/log/messages_syslog-ng.log"); };
>>> >
>>> > log { source(s_all); destination (d_file_normal); };
>>> >
>>> >
>>> > Any help would be greatly appreciated.
>>> >
>>> > Thanks
>>> >
>>> ______________________________________________________________________________
>>> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> > Documentation:
>>> > http://www.balabit.com/support/documentation/?product=syslog-ng
>>> > FAQ: http://www.campin.net/syslog-ng/faq.html
>>> >
>>>
>>
>
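Added example, not part of any message in this thread: a small Python triage script for tcpdump output of the kind quoted above. It counts syslog datagrams per sender and, separately, the ICMP "host unreachable - admin prohibited" replies, then lists which senders received both. In the quoted capture those replies are sent by aspsyslog itself, and a type 3 / code 10 ICMP reply from the destination host is the signature of a netfilter REJECT rule on that host, so a sender that appears in both lists is being refused by the collector's own firewall before syslog-ng ever reads the datagram, whatever the network firewall in front of it allows. The sample lines are copied from the thread's capture with the mail wrapping undone; the regular expressions and function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the tcpdump output quoted in the thread,
# one packet per line (the mail client had wrapped them).
SAMPLE_CAPTURE = """\
17:03:47.496324 IP 10.140.141.6.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 182
17:03:47.496373 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 164
17:03:47.497113 IP aspsyslog.ssh > nim.42783: P 48256:49264(1008) ack 97 win 53
17:03:47.521584 IP 10.140.130.20.filenet-pa > aspsyslog.syslog: SYSLOG daemon.info, length: 107
17:03:47.521615 IP aspsyslog. > 10.140.130.20: ICMP host aspsyslog. unreachable - admin prohibited, length 143
17:03:47.552109 IP 10.73.34.45.32822 > aspsyslog.syslog: SYSLOG daemon.info, length: 109
17:03:47.552136 IP aspsyslog. > 10.73.34.45: ICMP host aspsyslog. unreachable - admin prohibited, length 145
17:03:47.558998 IP 10.140.141.9.syslog > aspsyslog.syslog: SYSLOG local4.info, length: 188
17:03:47.559027 IP aspsyslog. > 10.140.141.9: ICMP host aspsyslog. unreachable - admin prohibited, length 224
17:03:47.596549 IP 10.140.141.7.syslog > aspsyslog.syslog: SYSLOG local4.debug, length: 86
"""

# tcpdump's default (name-resolving) syslog line:
#   "<ts> IP <src>.<port> > <dst>.<port>: SYSLOG <facility>.<severity>, length: <n>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>[^.\s]+) > (?P<dst>\S+?)\.(?P<dport>[^.\s:]+): "
    r"SYSLOG (?P<facility>\w+)\.(?P<severity>\w+), length: (?P<len>\d+)$"
)
# ICMP type 3 / code 10 (host administratively prohibited), as tcpdump prints it.
ICMP_PROHIBITED_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:\s]+): ICMP host \S+ unreachable - "
    r"admin prohibited, length (?P<len>\d+)$"
)


def triage(capture):
    """Tally syslog datagrams per sender and admin-prohibited rejects per target host."""
    datagrams = Counter()
    facilities = defaultdict(Counter)
    rejected = Counter()
    for line in capture.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            datagrams[m["src"]] += 1
            facilities[m["src"]][f"{m['facility']}.{m['severity']}"] += 1
            continue
        m = ICMP_PROHIBITED_RE.match(line)
        if m:
            # The reject is addressed to the original sender of the datagram.
            rejected[m["dst"]] += 1
    return {
        "datagrams": dict(datagrams),
        "facilities": {src: dict(c) for src, c in facilities.items()},
        "rejected": dict(rejected),
    }


def blocked_senders(summary):
    """Senders whose datagrams were answered with an admin-prohibited reject.

    These never reach the listening socket, so they cannot show up in the
    destination file no matter how syslog-ng is configured."""
    return sorted(s for s in summary["datagrams"] if s in summary["rejected"])


def accepted_senders(summary):
    """Senders that delivered syslog datagrams with no reject seen in the capture."""
    return sorted(s for s in summary["datagrams"] if s not in summary["rejected"])


if __name__ == "__main__":
    summary = triage(SAMPLE_CAPTURE)
    for src, n in sorted(summary["datagrams"].items()):
        state = "REJECTED by host firewall" if src in summary["rejected"] else "accepted"
        print(f"{src:16} {n:3d} datagram(s) {summary['facilities'][src]}  {state}")
```

Run it against a capture taken with `tcpdump -i eth0 udp port 514 or icmp` on the collector; senders in the blocked list are the ones to reconcile against the host's iptables rules, and senders in the accepted list that still do not appear in the destination file point at the syslog-ng side instead.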
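A second added example, again not from any message in the thread: the quoted config asks for udp(so_rcvbuf(2048576)) and the follow-up raises net.core.rmem_max to 8388608 with sysctl. On Linux a SO_RCVBUF request above rmem_max is clamped silently (the setsockopt call still succeeds), and getsockopt reports twice the size the caller asked for because the kernel counts its own per-packet overhead in that figure, so the only reliable way to learn what buffer a UDP listener really got is to ask the socket. The script below requests the same buffer on a throwaway UDP socket and reports the granted value beside the current rmem_max; the constant and function names are the example's own.

```python
import socket
import sys
from pathlib import Path

# The receive buffer requested by udp(so_rcvbuf(...)) in the config quoted above.
REQUESTED_RCVBUF = 2048576
RMEM_MAX_PATH = Path("/proc/sys/net/core/rmem_max")


def read_rmem_max():
    """Current net.core.rmem_max, or None where /proc/sys is not readable."""
    try:
        return int(RMEM_MAX_PATH.read_text().strip())
    except (OSError, ValueError):
        return None


def probe_rcvbuf(requested=REQUESTED_RCVBUF):
    """Request a UDP receive buffer and report what the kernel actually granted.

    On Linux, SO_RCVBUF requests are clamped to net.core.rmem_max and
    getsockopt() returns double the clamped request, so a request that was
    honoured in full reads back as 2 * requested.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, requested)
        granted = sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)
    finally:
        sock.close()
    rmem_max = read_rmem_max()
    return {
        "requested": requested,
        "granted": granted,
        "rmem_max": rmem_max,
        "clamped": rmem_max is not None and requested > rmem_max,
        # Whether the doubled-value accounting above applies to this platform.
        "linux_accounting": sys.platform.startswith("linux"),
    }


def buffer_shortfall(result):
    """Bytes by which the usable buffer falls short of the request (0 = honoured)."""
    usable = result["granted"] // 2 if result["linux_accounting"] else result["granted"]
    return max(0, result["requested"] - usable)


if __name__ == "__main__":
    r = probe_rcvbuf()
    print(f"requested {r['requested']}  granted(getsockopt) {r['granted']}  "
          f"rmem_max {r['rmem_max']}  clamped {r['clamped']}  shortfall {buffer_shortfall(r)}")
```

With rmem_max left at a typical default the probe reports a clamp and a shortfall of roughly 1.8 MB; after the sysctl from the thread (rmem_max=8388608) the same request reads back as 4097152 and the shortfall is 0. A clamped buffer does not stop delivery by itself, but it makes bursts overflow the socket queue, which shows up as a growing "packet receive errors" counter in `netstat -su` rather than as anything in syslog-ng's own output.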