[syslog-ng] Syslog-ng configuration for network source (udp)

Alex Clone alexandros.clone at gmail.com
Wed Sep 12 11:30:48 CEST 2012 

On Wed, Sep 12, 2012 at 11:39 AM, Sandor Geller <
Sandor.Geller at morganstanley.com> wrote:

> Hi,
>
> I don't see anything obvious. Could you check whether there are other
> apps listening on 172.30.6.70:514 ? In other words grep for 514 in the
> netstat output not for syslog. Are there packet filter rules dropping
> incoming traffic?
>
> Regards,
>
> Sandor
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
@ Sandor Geller

Thanks for your response. The port 514 is for syslog-ng as it is defined in
the services file :

*~# cat /etc/services | grep 514
shell        514/tcp        cmd        # no passwords used
syslog-ng    514/udp*
*
~# netstat -a --numeric-ports | grep 514
tcp        0      0 0.0.0.0:514             0.0.0.0:*
LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*

unix  3      [ ]         STREAM     CONNECTED     1514     *

As you can see there is only the syslog-ng running on that port.


On Wed, Sep 12, 2012 at 11:45 AM, Gergely Nagy <algernon at balabit.hu> wrote:

> Alex Clone <alexandros.clone at gmail.com> writes:
>
> > *~# tcpdump -i eth0 udp 'port 514' -v
> > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> 65535
> > bytes
> > 06:05:58.669992 IP (tos 0x0, ttl 254, id 20209, offset 0, flags [none],
> > proto UDP (17), length 82)
> >     172.29.1.6.syslog-ng > 172.30.6.70.syslog-ng: SYSLOG, length: 54
> >     Facility local4 (20), Severity debug (7)
> >     Msg: %ASA-7-609001: Built local-host WAN:172.30.254.4\0x0a
> > 06:05:58.670134 IP (tos 0x0, ttl 254, id 52, offset 0, flags [none],
> proto
> > UDP (17), length 85)
> >     172.29.1.6.syslog-ng > 172.30.6.70.syslog-ng: SYSLOG, length: 57
> >     Facility local4 (20), Severity debug (7)
> >     Msg: %ASA-7-609001: Built local-host outside:172.26.10.4\0x0a
> > ………..*
>
> These look like CISCO logs, which do not conform to the format syslog-ng
> expects, and as such, they're not recognised and not processed either.
>
> If you just want to store them as-is, I'd recommend using the
> flags(no-parse) setting in the s_network source, like this:
>
>  source s_network {
>          tcp(flags(no-parse));
>          udp(flags(no-parse));
>  };
>
> --
> |8]
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
@ Gergely Nagy

Thanks for your response and your recommendation. I change the source block
to the one that you mail me. The result is exactly the same. Syslog-ng
cannot read the stream.

By the way, when I tried to log local data using the internal(); option to
the source block, syslog-ng worked perfectly. All the data logged to the
given file. So, the problem, I have to solve, is why syslog-ng cannot read
the interface eth0 (udp).

Thanks in advance,
Alex
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20120912/26410299/attachment-0001.htm

More information about the syslog-ng mailing list