[syslog-ng] Single host logs aren't being written

Brandon Kendall brandon.kendall at gmail.com
Fri Mar 6 17:56:07 CET 2015


Hello everyone.

I have a centralized syslog-ng server running that collects syslog messages
from Cisco firewalls. The .conf file is very straightforward and contains
the following:

options {
    use_fqdn(no);
    use_dns(yes);
    dns_cache(yes);
    dns_cache_size(2000);
    dns_cache_expire(87600);
    keep_hostname(no);
    long_hostnames(no);
    flush_lines(0);
    normalize_hostnames(yes);
    create_dirs(yes);
    dir_group(group_name);
    dir_perm(0751);
    stats_freq(600);
    stats_level(1);
    group(group_name);
    perm(0640);
};

# listen for syslog over UDP (default port 514)
source s_network_1 {
    udp();
};

# one file per receive-day / sender / receive-hour
destination d_network_1 {
    file("/var/syslog/$R_YEAR-$R_MONTH-$R_DAY/$HOST/$R_YEAR-$R_MONTH-$R_DAY-$HOST-$R_HOUR.log");
};

log {
    source(s_network_1);
    destination(d_network_1);
};


The goal is to have the logs from each device arranged in a hierarchy that
is as follows (simplified):
Date/device_name/hour-1.log
Date/device_name/hour-2.log
etc.

This has been working great.

Recently I configured another network device to send syslog messages to
this server, and they aren't being logged. Using tcpdump on the syslog-ng
box, I've verified the messages are making it to the server from the
network device. They are UDP and using the correct port. I've compared the
message format in the pcap to other devices that are still logging and
everything matches. I have no errors in /var/log/syslog files, nor do I
have errors in /var/log/messages.

I've hit a dead end in troubleshooting, since all other devices sending
logs to this server are being correctly written to log files. Can someone
point me to anything else to check?

This is syslog-ng 3.1.2 running on RHEL 5.8.


Thanks!
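For readers following the thread, here is an added example (not code from the original post) that models how the quoted configuration turns a received datagram into a file path: with keep_hostname(no) and use_dns(yes), $HOST comes from the peer address via reverse DNS (falling back to the IP literal when it does not resolve), use_fqdn(no) keeps only the short name, normalize_hostnames(yes) lowercases it, and the $R_* macros use the receive time rather than the timestamp in the message. The reverse-DNS table and sender addresses are constructed.

```python
"""Model of syslog-ng $HOST / $R_* macro expansion for the quoted file() destination."""
from datetime import datetime

TEMPLATE = ("/var/syslog/$R_YEAR-$R_MONTH-$R_DAY/$HOST/"
            "$R_YEAR-$R_MONTH-$R_DAY-$HOST-$R_HOUR.log")

# Constructed reverse-DNS table standing in for the resolver (and dns_cache).
REVERSE_DNS = {
    "192.0.2.10": "FW-EDGE-1.example.net",   # resolves, mixed case
    "192.0.2.11": "fw-edge-2.example.net",   # resolves
    # 198.51.100.5 deliberately absent: no PTR record
}


def derive_host(peer_ip, rdns=REVERSE_DNS, use_dns=True, use_fqdn=False, normalize=True):
    """$HOST under keep_hostname(no): the hostname inside the message is ignored,
    only the peer address the datagram came from matters."""
    name = rdns.get(peer_ip) if use_dns else None
    if name is None:
        return peer_ip                      # use_dns(no) or no PTR: IP literal
    if not use_fqdn:
        name = name.split(".", 1)[0]        # use_fqdn(no): short name only
    return name.lower() if normalize else name   # normalize_hostnames(yes)


def expand_path(template, peer_ip, received_at, rdns=REVERSE_DNS):
    """Expand $R_* (receive time, ISO string) and $HOST in the file() template."""
    ts = datetime.fromisoformat(received_at)
    macros = {
        "$R_YEAR": f"{ts.year:04d}",
        "$R_MONTH": f"{ts.month:02d}",
        "$R_DAY": f"{ts.day:02d}",
        "$R_HOUR": f"{ts.hour:02d}",
        "$HOST": derive_host(peer_ip, rdns),
    }
    out = template
    for macro, value in macros.items():
        out = out.replace(macro, value)
    return out


if __name__ == "__main__":
    # Where a datagram from each constructed sender would land at 17:56 on 2015-03-06.
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.5"):
        print(ip, "->", expand_path(TEMPLATE, ip, "2015-03-06T17:56:07"))
```

When chasing a sender whose datagrams arrive but never appear under the expected directory, this shows which directory name to look for instead: a reverse-lookup failure files the messages under the IP literal, and a mixed-case PTR record is lowercased.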