[syslog-ng] Single host logs aren't being written

Jim Hendrick jrhendri at roadrunner.com
Fri Mar 6 18:24:21 CET 2015 

    
I would look at the macro parsing. Is HOST correctly being parsed, etc. You could create a separate file destination using one macro at a time to narrow it down. Also you could check the syslog-ng logs themselves to look at drops. 
Jim


Sent from my Verizon Wireless 4G LTE smartphone

-------- Original message --------
From: Brandon Kendall <brandon.kendall at gmail.com> 
Date: 03/06/2015  11:56 AM  (GMT-05:00) 
To: syslog-ng at lists.balabit.hu 
Subject: [syslog-ng] Single host logs aren't being written 

Hello everyone.
I have a centralized syslog-ng server running that collect syslog messages from Cisco firewalls. The .conf file is very straightforward and contains the following:
options {use_fqdn(no);use_dns(yes);dns_cache(yes);dns_cache_size(2000);dns_cache_expire(87600);keep_hostname(no);long_hostnames(no);flush_lines(0);normalize_hostnames(yes);create_dirs(yes);dir_group(group_name);dir_perm(0751);stats_freq(600);stats_level(1);group(group_name);perm(0640);};
source s_network_1 {udp();};
destination d_network_1 {file ("/var/syslog/$R_YEAR-$R_MONTH-$R_DAY/$HOST/$R_YEAR-$R_MONTH-$R_DAY-$HOST-$R_HOUR.log");};
log {source(s_network_1);destination(d_network_1);};

The goal is to have the logs from each device arranged in a hierarchy that is as follows (simplified):Date/device_name/hour-1.logDate/device/name/hour2.logetc
This has been working great.
Recently I configured another network device to send syslog messages to this server, and they aren't being logged. Using tcpdump on the syslog-ng box, I've verified the messages are making it to the server from the network device. They are UDP and using the correct port. I've compared the message format in the pcap to other devices that are still logging and everything matches. I have no errors in /var/log/syslog files, nor do I have errors in /var/log/messages.
I've hit a dead end in troubleshooting, since all other devices sending logs to this server are being correctly written to log files. Can someone point me to anything else to check?
This is syslog-ng 3.1.2 running on RHEL 5.8.

Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20150306/f83195f1/attachment.htm

More information about the syslog-ng mailing list