[syslog-ng] Syslog-ng not receiving messages

keshava V mv.keshava at gmail.com
Thu Nov 18 02:11:29 CET 2010


Thanks for explaining how the different tools are used at different layers of
the TCP/IP stack to debug the packet trace.


On Wed, Nov 17, 2010 at 7:02 PM, Matthew Hall <mhall at mhcomputing.net> wrote:

> There is a very simple reason for this problem.
>
> AF_PACKET / BPF / libpcap / tcpdump / *shark get their packet copies at
> L2. This way you can see non-IP traffic, loopback traffic, and other
> special stuff you would need.
>
> But iptables processes packets at L3. Thus none of these packet dump
> tools prove the datagrams are really received at L4 or L7. For this you
> need an L3 / L4 / L7 tool like hping* or a version of netcat.
>
> In general, think carefully about how the stack works when you are
> trying to find missing packets.
>
> Good Luck,
> Matthew.
>
> On Wed, Nov 17, 2010 at 05:47:09PM -0600, keshava V wrote:
> > That's it. It is iptables. The moment I stopped iptables I see the syslog
> > messages written to the file. Now I can work on segregating them based on
> > host IP the messages are coming from.
> >
> > Thanks all for your help with this.
> >
> >
> >
> > > On Wed, Nov 17, 2010 at 5:42 PM, Patrick H. <syslogng at feystorm.net> wrote:
> >
> > > do you have any iptables rules? `iptables -nvL`  `iptables -nvL -t nat`
> > > `iptables -nvL -t mangle`
> > > About the only thing I can think of off the top of my head. There might be
> > > some sysctl option to disable UDP, but I don't know it, if it does exist.
> > >
> > > Sent: Wed Nov 17 2010 16:39:57 GMT-0700 (Mountain Standard Time)
> > >
> > > From: keshava V <mv.keshava at gmail.com>
> > > To: Syslog-ng users' and developers' mailing list
> > > <syslog-ng at lists.balabit.hu> <syslog-ng at lists.balabit.hu>
> > > Subject: Re: [syslog-ng] Syslog-ng not receiving messages
> > >
> > > Looks like it is getting blocked somewhere as you thought. How come tcpdump
> > > output is seeing all the udp syslog-ng messages?
> > >
> > > [root at aspsyslog ~]# /etc/init.d/syslog-ng start
> > > Starting syslog-ng:                                        [  OK  ]
> > > [root at aspsyslog ~]# /etc/init.d/syslog-ng stop
> > > Stopping syslog-ng:                                        [  OK  ]
> > > [root at aspsyslog ~]# nc -u -l 514
> > >
> > > getting nothing...!
> > >
> > >
> > >
> > > On Wed, Nov 17, 2010 at 5:34 PM, Patrick H. <syslogng at feystorm.net> wrote:
> > >
> > >> Ok, let's see if the problem is before it gets to syslog-ng or after. Shut
> > >> syslog-ng down and do 'nc -u -l 514' and see if it gets anything. That'll
> > >> dump out all traffic received. If it gets it, the problem is syslog-ng, if
> > >> it doesn't get it the traffic is getting blocked somehow.
> > >>
> > >> Sent: Wed Nov 17 2010 16:30:12 GMT-0700 (Mountain Standard Time)
> > >>
> > >> From: keshava V <mv.keshava at gmail.com>
> > >> To: Syslog-ng users' and developers' mailing list
> > >> <syslog-ng at lists.balabit.hu> <syslog-ng at lists.balabit.hu>
> > >> Subject: Re: [syslog-ng] Syslog-ng not receiving messages
> > >>
> > >> syslog-ng is using 514 as expected.
> > >>
> > >> [root at aspsyslog ~]# netstat -upnl | grep ":514"
> > >> udp        0      0 0.0.0.0:514                 0.0.0.0:*                               8789/syslog-ng
> > >>
> > >> Thanks
> > >>
> > >>
> > >> On Wed, Nov 17, 2010 at 5:27 PM, Patrick H. <syslogng at feystorm.net> wrote:
> > >>
> > >>> There isn't something already listening on udp 514 is there?
> > >>> netstat -upnl | grep ":514"
> > >>>
> > >>> Sent: Wed Nov 17 2010 16:23:44 GMT-0700 (Mountain Standard Time)
> > >>> From: keshava V <mv.keshava at gmail.com>
> > >>> To: Syslog-ng users' and developers' mailing list
> > >>> <syslog-ng at lists.balabit.hu> <syslog-ng at lists.balabit.hu>
> > >>> Subject: Re: [syslog-ng] Syslog-ng not receiving messages
> > >>>
> > >>> Further,
> > >>>
> > >>> I have tried setting the kernel parameters without any luck
> > >>>
> > >>> [root at aspsyslog ~]# sysctl -w net.core.rmem_max=8388608
> > >>> [root at aspsyslog ~]# sysctl -w net.core.rmem_default=1048576
> > >>>
> > >>>  [SNIP]
> > >>>
> > >>>
> > >>>
> ______________________________________________________________________________
> > >>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > >>> Documentation:
> > >>> http://www.balabit.com/support/documentation/?product=syslog-ng
> > >>> FAQ: http://www.campin.net/syslog-ng/faq.html
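The thread's lesson is that tcpdump copies packets at L2, iptables decides at L3, and syslog-ng only ever sees what survives to L4, so a listening socket plus `iptables -nvL` is the check that matters. As an added example that is not part of the original thread, the Python below walks an `iptables -nvL INPUT` listing with first-match semantics and reports which rule would handle an inbound syslog datagram; the ruleset is constructed, modelled on the stock RHEL/CentOS firewall of that era, and the interface and connection-state values are assumptions.

```python
import re

# Constructed sample of `iptables -nvL INPUT` (older text form with
# prot shown as all/tcp/udp); not taken from the thread.
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 4521  312K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
 8731  650K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
"""


def parse_chain(text):
    """Return (default_policy, rules) from one chain of `iptables -nvL` output."""
    lines = text.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\S+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the "Chain ..." line and the column header
        f = line.split()
        # Columns: pkts bytes target prot opt in out source destination [matches...]
        extra = " ".join(f[9:])
        dpt = re.search(r"dpt:(\d+)", extra)
        state = re.search(r"state (\S+)", extra)
        rules.append({
            "target": f[2], "prot": f[3], "in": f[5],
            "dpt": int(dpt.group(1)) if dpt else None,
            "states": set(state.group(1).split(",")) if state else None,
        })
    return policy, rules


def verdict(text, proto, dport, iface="eth0", conn_state="NEW"):
    """First-match walk for an inbound datagram; returns (target, 1-based rule index or None)."""
    policy, rules = parse_chain(text)
    for i, r in enumerate(rules, 1):
        if r["prot"] not in ("all", proto):
            continue
        if r["in"] not in ("*", iface):
            continue
        if r["dpt"] is not None and r["dpt"] != dport:
            continue
        # An unsolicited syslog datagram is conntrack state NEW, so a
        # RELATED,ESTABLISHED rule never matches it.
        if r["states"] is not None and conn_state not in r["states"]:
            continue
        return r["target"], i
    return policy, None  # fell off the chain: the default policy applies
```

Run against the sample, an inbound UDP/514 datagram on eth0 lands on the trailing REJECT rule (the packet is still visible to tcpdump, yet `nc -u -l 514` receives nothing), while the same datagram arriving on lo is accepted by rule 1.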