[syslog-ng] need help debugging some network received logs that aren't writing to files

Chris Moody chris at node-nine.com
Tue Feb 18 21:12:50 CET 2014 

Hello.

First off, thanks a __TON__ for syslog-ng.  I've sworn by this awesome 
code for years now.  I've built all sorts of logging infrastructure with 
it.

I seem to have hit on something though that's got me scratching my head 
and lacking for explanation.  Perhaps I've just been staring at it and 
debugging it too long and am missing something obvious.

I've got an installation with a couple thousand network devices logging 
successfully to output spools on our log aggretor.  This is rockin' and 
works beautifully.  I've got things configured whereby each network 
source logs to it's own individual spool file with the source-ip as the 
spool name.

I'm running into a case though where I have a Cisco switch sending logs 
to my log aggregator but the log-server isn't writing the output to the 
device's spool file.  It is working however for many many more devices 
just like this switch.

I've confirmed via tcpdump that this log traffic does actually hit the 
box, but it never gets recorded into the log spool for that network device.

Since the host is -super- busy receiving logs from other gear 
enterprise-wide, I have to treat it very gingerly, so can't enable too 
much debugging...but I'm really confused why the logs wouldn't show up 
in the log spool..

Here's some bits of the config that are relevant:
=====
options {
         keep_hostname(yes);
         use_dns(no);
         use_fqdn(no);
         stats_freq(600);
         stats_level(2);
         # Allow large messages
         log_msg_size(65536);
};

# =====================
# UDP Packet Source
source s_udp {
         udp();
};

# =====================
# TCP Packet Source
source s_tcp {
          tcp(ip(aaa.bbb.ccc.ddd) port(514) max-connections(50000));
};

# =====================
destination net_perhost {
         file("/data/log/per-host/$HOST"
         owner(root)
         group(nwadmin)
         perm(0775)
         );
};

# =====================
log {
         source(s_tcp);
         source(s_udp);
         destination(net_perhost);
};
=====

I've checked around for perhaps a different spool name, thinking perhaps 
the data was getting recognized as something other than it's source-ip, 
but haven't seen anything.

Any thoughts?

Cheers,
-Chris

More information about the syslog-ng mailing list