[syslog-ng] need help debugging some network received logs that aren't writing to files

Scot Needy scotrn at gmail.com
Tue Feb 18 21:23:21 CET 2014


When I’m not seeing any data I start with tcpdump to make sure it’s actually getting to the log host and review the packet dump for a possible issue. 

There is also a debug, trace function in syslog-ng but in heavy traffic environments like yours I start with tcpdump with a mac or ip filter. 

On Feb 18, 2014, at 3:12 PM, Chris Moody <chris at node-nine.com> wrote:

> Hello.
> 
> First off, thanks a __TON__ for syslog-ng.  I've sworn by this awesome 
> code for years now.  I've built all sorts of logging infrastructure with 
> it.
> 
> I seem to have hit on something though that's got me scratching my head 
> and lacking for explanation.  Perhaps I've just been staring at it and 
> debugging it too long and am missing something obvious.
> 
> I've got an installation with a couple thousand network devices logging 
> successfully to output spools on our log aggregator.  This is rockin' and 
> works beautifully.  I've got things configured whereby each network 
> source logs to its own individual spool file with the source-ip as the 
> spool name.
> 
> I'm running into a case though where I have a Cisco switch sending logs 
> to my log aggregator but the log-server isn't writing the output to the 
> device's spool file.  It is working however for many many more devices 
> just like this switch.
> 
> I've confirmed via tcpdump that this log traffic does actually hit the 
> box, but it never gets recorded into the log spool for that network device.
> 
> Since the host is -super- busy receiving logs from other gear 
> enterprise-wide, I have to treat it very gingerly, so can't enable too 
> much debugging...but I'm really confused why the logs wouldn't show up 
> in the log spool..
> 
> Here's some bits of the config that are relevant:
> =====
> options {
>         keep_hostname(yes);
>         use_dns(no);
>         use_fqdn(no);
>         stats_freq(600);
>         stats_level(2);
>         # Allow large messages
>         log_msg_size(65536);
> };
> 
> # =====================
> # UDP Packet Source
> source s_udp {
>         udp();
> };
> 
> # =====================
> # TCP Packet Source
> source s_tcp {
>          tcp(ip(aaa.bbb.ccc.ddd) port(514) max-connections(50000));
> };
> 
> # =====================
> destination net_perhost {
>         file("/data/log/per-host/$HOST"
>         owner(root)
>         group(nwadmin)
>         perm(0775)
>         );
> };
> 
> # =====================
> log {
>         source(s_tcp);
>         source(s_udp);
>         destination(net_perhost);
> };
> =====
> 
> I've checked around for perhaps a different spool name, thinking perhaps 
> the data was getting recognized as something other than its source-ip, 
> but haven't seen anything.
> 
> Any thoughts?
> 
> Cheers,
> -Chris
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> 
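Added illustration (not syslog-ng's own parser, and not part of this thread): a simplified model of how the `$HOST` macro in `file("/data/log/per-host/$HOST")` is filled in, showing why `keep_hostname(yes)` is worth checking when a spool file keyed on source IP stays empty. The sample messages and the sender address `192.0.2.17` are constructed; the fallback-to-sender rule is an assumption about the real parser, kept deliberately simple.

```python
import re

# Simplified model of how $HOST is chosen for a received message.
# Illustrative only; syslog-ng's real parser handles more formats.
PRI_RE = re.compile(r"^<\d{1,3}>")
# RFC 3164 timestamp, e.g. "Feb 18 15:12:01 "
TS_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")


def header_hostname(raw: str):
    """Return the HOSTNAME field of a BSD-style syslog line, or None."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    body = raw[m.end():]
    t = TS_RE.match(body)
    if not t:
        # No standard timestamp (e.g. Cisco "1234: *Feb 18 ..." form):
        # treat the line as carrying no hostname field.
        return None
    host = body[t.end():].split(" ", 1)[0]
    # A trailing colon marks a TAG ("sshd[123]:"), not a hostname.
    if not host or host.endswith(":"):
        return None
    return host


def spool_host(raw: str, sender_ip: str, keep_hostname: bool) -> str:
    """Value that "/data/log/per-host/$HOST" expands to (assumed model).

    keep_hostname(yes): trust the hostname in the message if present,
                        otherwise fall back to the sender's address.
    keep_hostname(no):  always the sender's address (with use_dns(no)).
    """
    if keep_hostname:
        return header_hostname(raw) or sender_ip
    return sender_ip


# Constructed sample messages, both from the same (assumed) sender.
SENDER = "192.0.2.17"
WITH_HOST = "<189>Feb 18 15:12:01 core-sw1 %SYS-5-CONFIG_I: Configured from console"
CISCO_SEQ = "<189>1234: *Feb 18 15:12:01: %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up"

if __name__ == "__main__":
    for msg in (WITH_HOST, CISCO_SEQ):
        print(spool_host(msg, SENDER, keep_hostname=True), "<-", msg[:40])
```

With `keep_hostname(yes)`, a device that puts its configured hostname in the header lands in a spool named after that hostname rather than its IP, so the per-IP file never appears; `ls /data/log/per-host/` for the device's hostname is a cheap check before reaching for debug or trace.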
