[syslog-ng] Syslog-ng configuration for network source (udp)

Wed Sep 12 09:50:56 CEST 2012

Hello,

I am trying to "read" a log stream from interface eth0 and to save it in a
file (/var/log/messages_tcp). I am newbie on the use of syslog-ng but I try
to learn reading the official manual and a lot of configuration examples.
Although, I have try a lot of different configurations, the result is
always the same : Syslog-ng cannot read the streaming data. I hope that you
can help me.

That's the version of syslog-ng that I use:

*~# /usr/local/syslog-ng/sbin/syslog-ng -V
syslog-ng 3.2.4
Installer-Version: 3.2.4
Revision: ssh+git://bazsi@git.balabit
//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#ef7b91e4a1b1f9628c66138b4ae83de7e4c697c6
Compile-Date: Sep  6 2012 14:36:19
Enable-Threads: off
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: off
Enable-SSL: on
Enable-SQL: off
Enable-Linux-Caps: on
Enable-Pcre: on
Enable-Pacct: off*

There is an incoming log stream in eth0 (udp), as you can see next :

*~# tcpdump -i eth0 udp 'port 514' -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535
bytes
06:05:58.669992 IP (tos 0x0, ttl 254, id 20209, offset 0, flags [none],
proto UDP (17), length 82)
    172.29.1.6.syslog-ng > 172.30.6.70.syslog-ng: SYSLOG, length: 54
    Facility local4 (20), Severity debug (7)
    Msg: %ASA-7-609001: Built local-host WAN:172.30.254.4\0x0a
06:05:58.670134 IP (tos 0x0, ttl 254, id 52, offset 0, flags [none], proto
UDP (17), length 85)
    172.29.1.6.syslog-ng > 172.30.6.70.syslog-ng: SYSLOG, length: 57
    Facility local4 (20), Severity debug (7)
    Msg: %ASA-7-609001: Built local-host outside:172.26.10.4\0x0a
………..*

The syslog-ng.conf that I use is the following:
*
@version: 3.2

options {
        chain_hostnames(off);
        long_hostnames(off);
        use_dns(no);             # We don't want DNS names,  IP's only.
        flush_lines(0);
        stats_freq(43200);
        time_reopen(10);
};

source s_network {

#       tcp(ip("172.30.6.70") port(514));
#       udp(ip("172.30.6.70") port(514));
#       syslog(
#               flags(no-multi-line)
#               ip(172.30.6.70)
#               keep-alive(yes)
#
keep_hostname(yes)

#               transport(udp)
# TLS Options
#               tls()
#    );

        tcp();
        udp();
};

destination d_tcp {
        file("/var/log/messages_tcp" owner("root") group("adm") perm(0640));
};

log {
        source(s_network);
        destination(d_tcp);
};
*

When I start syslog-ng in debug mode (syslog-ng -Fevd) the results are the
followings:

*~# /usr/local/syslog-ng/sbin/syslog-ng -Fevdt
Trying to open module; module='syslogformat',
filename='/usr/local/syslog-ng-3.2.4/lib/syslog-ng/libsyslogformat.so'
Trying to open module; module='basicfuncs',
filename='/usr/local/syslog-ng-3.2.4/lib/syslog-ng/libbasicfuncs.so'
Trying to open module; module='afsocket',
filename='/usr/local/syslog-ng-3.2.4/lib/syslog-ng/libafsocket.so'
Trying to open module; module='affile',
filename='/usr/local/syslog-ng-3.2.4/lib/syslog-ng/libaffile.so'
Trying to open module; module='afprog',
filename='/usr/local/syslog-ng-3.2.4/lib/syslog-ng/libafprog.so'
Trying to open module; module='afuser',
filename='/usr/local/syslog-ng-3.2.4/lib/syslog-ng/libafuser.so'
Trying to open module; module='dbparser',
filename='/usr/local/syslog-ng-3.2.4/lib/syslog-ng/libdbparser.so'
Trying to open module; module='csvparser',
filename='/usr/local/syslog-ng-3.2.4/lib/syslog-ng/libcsvparser.so'
Running application hooks; hook='1'
Running application hooks; hook='3'
syslog-ng starting up; version='3.2.4'
^CTermination requested via signal, terminating;
syslog-ng shutting down; version='3.2.4'
Closing log transport fd; fd='6'
Running application hooks; hook='4'*

As you can see there is no "Incoming log entry..:" line. I pressed Ctrl+C
for the termination of program.

Also listening to the network interface seems to be right:

*~# netstat -tanpu | grep syslog
tcp        0      0 0.0.0.0:514             0.0.0.0:*
LISTEN      25950/syslog-ng
udp        0      0 0.0.0.0:514             0.0.0.0:*
25950/syslog-ng
*

Please, can anyone help me with this problem? I don't know what could be
blocking the packets, if it is because of the OS or because of syslog-ng
configuration.What could it be wrong? I am waiting for your response.

PS. Sorry for my "bad" English.

Thanks is advance,
Alex
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20120912/1959082c/attachment.htm 