[syslog-ng] Syslog-ng not receiving messages

Matthew Hall mhall at mhcomputing.net
Thu Nov 18 02:02:07 CET 2010


There is a very simple reason for this problem.

AF_PACKET / BPF / libpcap / tcpdump / *shark get their packet copies at 
L2. This way you can see non-IP traffic, loopback traffic, and other 
special stuff you would need.

But iptables processes packets at L3. Thus none of these packet dump 
tools prove the datagrams are really received at L4 or L7. For this you 
need an L3 / L4 / L7 tool like hping* or a version of netcat.

In general, think carefully about how the stack works when you are 
trying to find missing packets.

Good Luck,
Matthew.

On Wed, Nov 17, 2010 at 05:47:09PM -0600, keshava V wrote:
> That's it. It is iptables. The moment I stopped iptables I see the syslog
> messages written to the file. Now I can work on segregating them based on
> the host IP the messages are coming from.
> 
> Thanks all for your help with this.
> 
> 
> 
> On Wed, Nov 17, 2010 at 5:42 PM, Patrick H. <syslogng at feystorm.net> wrote:
> 
> > Do you have any iptables rules? `iptables -nvL`  `iptables -nvL -t nat`
> > `iptables -nvL -t mangle`
> > About the only thing I can think of off the top of my head. There might be
> > some sysctl option to disable UDP, but I don't know it if it does exist.
> >
> > Sent: Wed Nov 17 2010 16:39:57 GMT-0700 (Mountain Standard Time)
> >
> > From: keshava V <mv.keshava at gmail.com> <mv.keshava at gmail.com>
> > To: Syslog-ng users' and developers' mailing list
> > <syslog-ng at lists.balabit.hu> <syslog-ng at lists.balabit.hu>
> > Subject: Re: [syslog-ng] Syslog-ng not receiving messages
> >
> > Looks like it is getting blocked somewhere as you thought. How come tcpdump
> > output is seeing all the udp syslog-ng messages?
> >
> > [root at aspsyslog ~]# /etc/init.d/syslog-ng start
> > Starting syslog-ng:                                        [  OK  ]
> > [root at aspsyslog ~]# /etc/init.d/syslog-ng stop
> > Stopping syslog-ng:                                        [  OK  ]
> > [root at aspsyslog ~]# nc -u -l 514
> >
> > getting nothing...!
> >
> >
> >
> > On Wed, Nov 17, 2010 at 5:34 PM, Patrick H. <syslogng at feystorm.net> wrote:
> >
> >> Ok, let's see if the problem is before it gets to syslog-ng or after. Shut
> >> syslog-ng down and do 'nc -u -l 514' and see if it gets anything. That'll
> >> dump out all traffic received. If it gets it, the problem is syslog-ng; if
> >> it doesn't get it, the traffic is getting blocked somehow.
> >>
> >> Sent: Wed Nov 17 2010 16:30:12 GMT-0700 (Mountain Standard Time)
> >>
> >> From: keshava V <mv.keshava at gmail.com> <mv.keshava at gmail.com>
> >> To: Syslog-ng users' and developers' mailing list
> >> <syslog-ng at lists.balabit.hu> <syslog-ng at lists.balabit.hu>
> >> Subject: Re: [syslog-ng] Syslog-ng not receiving messages
> >>
> >> syslog-ng is using 514 as expected.
> >>
> >> [root at aspsyslog ~]# netstat -upnl | grep ":514"
> >> udp        0      0 0.0.0.0:514                 0.0.0.0:*
> >> 8789/syslog-ng
> >>
> >> Thanks
> >>
> >>
> >> On Wed, Nov 17, 2010 at 5:27 PM, Patrick H. <syslogng at feystorm.net> wrote:
> >>
> >>> There isn't something already listening on udp 514 is there?
> >>> netstat -upnl | grep ":514"
> >>>
> >>> Sent: Wed Nov 17 2010 16:23:44 GMT-0700 (Mountain Standard Time)
> >>> From: keshava V <mv.keshava at gmail.com> <mv.keshava at gmail.com>
> >>> To: Syslog-ng users' and developers' mailing list
> >>> <syslog-ng at lists.balabit.hu> <syslog-ng at lists.balabit.hu>
> >>> Subject: Re: [syslog-ng] Syslog-ng not receiving messages
> >>>
> >>> Further,
> >>>
> >>> I have tried setting the kernel parameters without any luck
> >>>
> >>> [root at aspsyslog ~]# sysctl -w net.core.rmem_max=8388608
> >>> [root at aspsyslog ~]# sysctl -w net.core.rmem_default=1048576
> >>>
> >>>  [SNIP]
> >>>
> >>>
> >>> ______________________________________________________________________________
> >>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >>> Documentation:
> >>> http://www.balabit.com/support/documentation/?product=syslog-ng
> >>> FAQ: http://www.campin.net/syslog-ng/faq.html
> >>>
> >>>
> >>>


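The diagnosis in this thread runs layer by layer: `netstat` shows the socket is bound, `tcpdump` shows the datagrams on the wire, yet `nc -u -l 514` receives nothing, which points at netfilter dropping them between L2 and the socket. The following script is an added example, not code from the thread or from syslog-ng. It reads a constructed `iptables -nvL INPUT` listing (the sample rules and counters are made up) and reports which rule, or the chain policy, decides the fate of a fresh UDP datagram to a port, and it performs a loopback L4 receive test that stands in for `nc -u -l <port>` and parses the syslog PRI of what the socket actually delivered. The function names `first_verdict`, `parse_pri` and `udp_receive_check` are this example's own.

```python
"""Layer-by-layer checks for "tcpdump sees the datagram but the daemon gets nothing".

tcpdump copies frames at L2, before netfilter's INPUT chain; a packet it shows can
still be dropped at L3 before any socket sees it. Two checks are provided:
  1. read an `iptables -nvL INPUT` listing and report which rule (or the chain
     policy) decides the fate of a fresh UDP datagram to a given port;
  2. an L4 receive test on loopback that stands in for `nc -u -l <port>` and
     parses the RFC 3164 PRI of whatever arrives.
"""
import re
import socket

# Constructed sample of `iptables -nvL INPUT` output; rules and counters are made up.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy DROP 1234 packets, 98765 bytes)
 pkts bytes target     prot opt in     out     source               destination
  500 40000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1200 96000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   10   600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  12K  960K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:514
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:514
"""

_SUFFIX = {"K": 1000, "M": 1000_000, "G": 1000_000_000}


def _count(text):
    """Parse an iptables -v counter such as '3321' or '265K' into an int."""
    if text[-1] in _SUFFIX:
        return int(text[:-1]) * _SUFFIX[text[-1]]
    return int(text)


def first_verdict(listing, proto, dport, iface="eth0"):
    """Return (target, pkts) of the first INPUT rule matching a *new* datagram of
    `proto` to `dport` arriving on `iface`, or ('policy:<TARGET>', None) when no
    rule matches. Only the matches used in the sample (protocol, in-interface,
    dpt:, state) are understood; other match extensions are treated as matching."""
    policy = None
    for line in listing.splitlines():
        m = re.match(r"Chain \S+ \(policy (\S+)", line)
        if m:
            policy = m.group(1)
            continue
        fields = line.split()
        if len(fields) < 9 or not fields[0].rstrip("KMG").isdigit():
            continue  # column header or blank line
        pkts, _bytes, target, prot, _opt, in_if, _out, _src, _dst = fields[:9]
        extras = " ".join(fields[9:])
        if prot not in (proto, "all"):
            continue
        if in_if not in ("*", iface):
            continue
        dpt = re.search(r"dpt:(\d+)", extras)
        if dpt and int(dpt.group(1)) != dport:
            continue
        state = re.search(r"state (\S+)", extras)
        if state and "NEW" not in state.group(1).split(","):
            continue  # conntrack rule a fresh datagram cannot satisfy
        return target, _count(pkts)
    return "policy:%s" % policy, None


def parse_pri(payload):
    """Split the RFC 3164 PRI part '<N>' into (facility, severity), or None."""
    m = re.match(rb"<(\d{1,3})>", payload)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7


def udp_receive_check(port=0, payload=b"<14>Nov 18 02:02:07 host test: L4 probe", timeout=2.0):
    """Stand-in for `nc -u -l <port>` on loopback: bind a UDP socket, send the
    constructed syslog line to it and report what the socket actually delivered.
    Returns {'port', 'facility', 'severity', 'msg'}, or None when nothing arrives
    within the timeout or sockets are unavailable."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
             socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            rx.bind(("127.0.0.1", port))  # port 0 lets the kernel pick a free one
            rx.settimeout(timeout)
            bound_port = rx.getsockname()[1]
            tx.sendto(payload, ("127.0.0.1", bound_port))
            data, _peer = rx.recvfrom(65535)
    except (OSError, socket.timeout):
        return None
    fac_sev = parse_pri(data)
    return {"port": bound_port, "msg": data,
            "facility": fac_sev[0] if fac_sev else None,
            "severity": fac_sev[1] if fac_sev else None}


if __name__ == "__main__":
    print("eth0, udp/514 :", first_verdict(SAMPLE_INPUT_CHAIN, "udp", 514))
    print("lo,   udp/514 :", first_verdict(SAMPLE_INPUT_CHAIN, "udp", 514, iface="lo"))
    print("eth0, udp/1514:", first_verdict(SAMPLE_INPUT_CHAIN, "udp", 1514))
    print("loopback L4 check:", udp_receive_check())
```

Against the sample chain, a datagram to udp/514 on eth0 hits the DROP rule, whose non-zero counter is the evidence the thread was missing: tcpdump had already copied the frame before that rule ran. The same datagram arriving on lo is accepted by the first rule, and an unlisted port falls through to the chain policy. On a real host, feed `first_verdict` the output of `iptables -nvL INPUT` and compare with what `udp_receive_check` (or `nc -u -l`) receives; agreement between the two is what confirms the datagram reached L4.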