[syslog-ng] Syslog-ng configuration for network source (udp)

Alex Clone alexandros.clone at gmail.com
Wed Sep 12 13:47:57 CEST 2012


>
> On Wed, Sep 12, 2012 at 11:39 AM, Sandor Geller <Sandor.Geller at morganstanley.com> wrote:
>
>> Hi,
>>
>> I don't see anything obvious. Could you check whether there are other
>> apps listening on 172.30.6.70:514 ? In other words grep for 514 in the
>> netstat output not for syslog. Are there packet filter rules dropping
>> incoming traffic?
>>
>> Regards,
>>
>> Sandor
>>
>> ______________________________________________________________________________
>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> Documentation:
>> http://www.balabit.com/support/documentation/?product=syslog-ng
>> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>>
>>
> @ Sandor Geller
>
> Thanks for your response. The port 514 is for syslog-ng as it is defined
> in the services file:
>
> ~# cat /etc/services | grep 514
> shell        514/tcp        cmd        # no passwords used
> syslog-ng    514/udp
>
> ~# netstat -a --numeric-ports | grep 514
> tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN
> udp        0      0 0.0.0.0:514             0.0.0.0:*
> unix  3      [ ]         STREAM     CONNECTED     1514     *
>
> As you can see there is only the syslog-ng running on that port.
>
>
> On Wed, Sep 12, 2012 at 11:45 AM, Gergely Nagy <algernon at balabit.hu> wrote:
>
>> Alex Clone <alexandros.clone at gmail.com> writes:
>>
>> > ~# tcpdump -i eth0 udp 'port 514' -v
>> > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>> > 06:05:58.669992 IP (tos 0x0, ttl 254, id 20209, offset 0, flags [none], proto UDP (17), length 82)
>> >     172.29.1.6.syslog-ng > 172.30.6.70.syslog-ng: SYSLOG, length: 54
>> >     Facility local4 (20), Severity debug (7)
>> >     Msg: %ASA-7-609001: Built local-host WAN:172.30.254.4\0x0a
>> > 06:05:58.670134 IP (tos 0x0, ttl 254, id 52, offset 0, flags [none], proto UDP (17), length 85)
>> >     172.29.1.6.syslog-ng > 172.30.6.70.syslog-ng: SYSLOG, length: 57
>> >     Facility local4 (20), Severity debug (7)
>> >     Msg: %ASA-7-609001: Built local-host outside:172.26.10.4\0x0a
>> > ...
>>
>> These look like CISCO logs, which do not conform to the format syslog-ng
>> expects, and as such, they're not recognised and not processed either.
>>
>> If you just want to store them as-is, I'd recommend using the
>> flags(no-parse) setting in the s_network source, like this:
>>
>>  source s_network {
>>          tcp(flags(no-parse));
>>          udp(flags(no-parse));
>>  };
>>
>> --
>> |8]
>>
>>
>>
>>
> @ Gergely Nagy
>
> Thanks for your response and your recommendation. I changed the source
> block to the one that you mailed me. The result is exactly the same:
> syslog-ng cannot read the stream.
>
> By the way, when I tried to log local data using the internal(); option in
> the source block, syslog-ng worked perfectly. All the data was logged to the
> given file. So the problem I have to solve is why syslog-ng cannot read
> from the interface eth0 (udp).
>
> Thanks in advance,
> Alex
>
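Added example, not part of the thread and not syslog-ng's own code: a small Python model of the two parsing behaviours Gergely's reply contrasts. The default path decodes the PRI and then requires an RFC 3164 `Mmm dd hh:mm:ss HOSTNAME` header; the Cisco ASA datagrams in the tcpdump above carry a PRI (`<167>` is local4.debug, 20*8+7) but go straight to the `%ASA-7-609001:` mnemonic, so the strict parser flags them as non-conforming. With `no_parse=True`, mirroring `flags(no-parse)`, the whole payload is kept verbatim as the message. The datagrams below are constructed, not captured.

```python
import re

# Constructed sample datagrams (not taken from the thread's capture).
# ASA_DATAGRAM has the shape shown by tcpdump: PRI, then the Cisco mnemonic,
# with no RFC 3164 timestamp/hostname header in between.
ASA_DATAGRAM = b"<167>%ASA-7-609001: Built local-host WAN:172.30.254.4\n"
# A conforming RFC 3164 line for comparison (hostname "myhost" is made up).
RFC3164_DATAGRAM = b"<34>Sep 12 13:47:57 myhost sshd[123]: Accepted publickey for alice\n"

# Facility codes 0..23 and severity codes 0..7 as defined by RFC 3164 / RFC 5424.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header: "Mmm dd hh:mm:ss HOSTNAME " followed by the message body.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$",
    re.S,
)


def decode_pri(pri):
    """Split a numeric PRI into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_datagram(datagram, no_parse=False):
    """Parse one UDP syslog payload.

    no_parse=False: strict RFC 3164 parsing; a missing PRI or header marks the
                    record as non-conforming (parsed=False) and keeps the
                    remainder as the message so nothing is silently lost.
    no_parse=True:  skip all parsing and store the complete payload as the
                    message, the behaviour syslog-ng's flags(no-parse) selects.
    """
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    record = {"parsed": False, "facility": None, "severity": None,
              "host": None, "message": text, "reason": None}
    if no_parse:
        record["reason"] = "no-parse: payload stored verbatim"
        return record

    m = PRI_RE.match(text)
    if not m:
        record["reason"] = "no PRI field"
        return record
    record["facility"], record["severity"] = decode_pri(int(m.group(1)))
    rest = text[m.end():]
    record["message"] = rest

    h = HEADER_RE.match(rest)
    if not h:
        record["reason"] = "no RFC 3164 timestamp/hostname header"
        return record
    record.update(parsed=True, host=h.group("host"), message=h.group("msg"))
    return record


if __name__ == "__main__":
    for label, d in (("ASA strict", parse_datagram(ASA_DATAGRAM)),
                     ("ASA no-parse", parse_datagram(ASA_DATAGRAM, no_parse=True)),
                     ("RFC 3164", parse_datagram(RFC3164_DATAGRAM))):
        print(f"{label:13} parsed={d['parsed']} fac={d['facility']} "
              f"sev={d['severity']} host={d['host']} msg={d['message']!r}")
```

The point for the thread: a datagram that reaches the socket but fails the header check can look, from the destination file's point of view, exactly like a datagram that never arrived. Running tcpdump (as Alex did) answers the first question; a source with `flags(no-parse)` removes the second as a variable, and if the file still stays empty the cause is upstream of parsing (bind address, another listener on 514, or a packet filter, as Sandor suggested).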