[syslog-ng] Single host logs aren't being written

Sandor Geller sandor.geller at ericsson.com
Fri Mar 6 18:30:51 CET 2015


Hi!

The only macro in the destination which isn't generated by syslog-ng 
itself is $HOST, as you are using DNS for hostname resolution. Could you 
double-check that the source IP address of the originating device 
resolves properly to a hostname and the given hostname is unique?

hth,

Sandor

On 03/06/2015 05:56 PM, Brandon Kendall wrote:
> Hello everyone.
>
> I have a centralized syslog-ng server running that collects syslog
> messages from Cisco firewalls. The .conf file is very straightforward
> and contains the following:
>
> options {
> use_fqdn(no);
> use_dns(yes);
> dns_cache(yes);
> dns_cache_size(2000);
> dns_cache_expire(87600);
> keep_hostname(no);
> long_hostnames(no);
> flush_lines(0);
> normalize_hostnames(yes);
> create_dirs(yes);
> dir_group(group_name);
> dir_perm(0751);
> stats_freq(600);
> stats_level(1);
> group(group_name);
> perm(0640);
> };
>
> source s_network_1 {
> udp();
> };
>
> destination d_network_1 {
> file("/var/syslog/$R_YEAR-$R_MONTH-$R_DAY/$HOST/$R_YEAR-$R_MONTH-$R_DAY-$HOST-$R_HOUR.log");
> };
>
> log {
> source(s_network_1);
> destination(d_network_1);
> };
>
>
> The goal is to have the logs from each device arranged in a hierarchy
> that is as follows (simplified):
> Date/device_name/hour-1.log
> Date/device_name/hour-2.log
> etc.
>
> This has been working great.
>
> Recently I configured another network device to send syslog messages to
> this server, and they aren't being logged. Using tcpdump on the
> syslog-ng box, I've verified the messages are making it to the server
> from the network device. They are UDP and using the correct port. I've
> compared the message format in the pcap to other devices that are still
> logging and everything matches. I have no errors in /var/log/syslog
> files, nor do I have errors in /var/log/messages.
>
> I've hit a dead end in troubleshooting, since all other devices sending
> logs to this server are being correctly written to log files. Can
> someone point me to anything else to check?
>
> This is syslog-ng 3.1.2 running on RHEL 5.8.
>
>
> Thanks!
>
>
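Sandor's suggestion, as an added example that is not part of this thread: a small Python check that mirrors how $HOST is derived from the sender's address under the options above (use_dns(yes), keep_hostname(no), use_fqdn(no), normalize_hostnames(yes)) and then expands the destination template, so you can see which file a given source IP would land in and whether two devices collapse onto the same name. The reverse-DNS table, IPs and hostnames are constructed; the fallback to the bare IP when the lookup fails is an assumption about syslog-ng's behaviour, and $R_* macros are modeled by a fixed receive time.

```python
import socket
from datetime import datetime

# Constructed reverse-DNS table standing in for the system resolver.
SAMPLE_PTR = {
    "192.0.2.10": "FW-Edge01.example.net",  # resolves, mixed case
    "192.0.2.11": "fw-edge01.example.net",  # same short name -> collides with .10
    "192.0.2.12": None,                     # no PTR record: the "new" device
}

# Constructed receive time standing in for $R_YEAR/$R_MONTH/$R_DAY/$R_HOUR.
SAMPLE_TIME = datetime(2015, 3, 6, 17, 56)

TEMPLATE = "/var/syslog/{date}/{host}/{date}-{host}-{hour}.log"


def fake_resolver(ip):
    return SAMPLE_PTR.get(ip)


def live_resolver(ip):
    """Reverse lookup through the OS resolver, which is what use_dns(yes) relies on."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def derive_host(ip, resolver, use_fqdn=False, normalize=True):
    """Approximate $HOST for use_dns(yes) + keep_hostname(no).
    Assumption: an address with no PTR record yields the bare IP as $HOST."""
    name = resolver(ip)
    if name is None:
        return ip
    if not use_fqdn:            # use_fqdn(no): keep only the first label
        name = name.split(".", 1)[0]
    if normalize:               # normalize_hostnames(yes): lower-case it
        name = name.lower()
    return name


def log_path(ip, when, resolver):
    host = derive_host(ip, resolver)
    return TEMPLATE.format(date=when.strftime("%Y-%m-%d"),
                           host=host, hour=when.strftime("%H"))


def find_collisions(ips, resolver):
    """Group source IPs by derived $HOST; more than one IP per name means two
    devices write into the same directory and their lines interleave."""
    seen = {}
    for ip in ips:
        seen.setdefault(derive_host(ip, resolver), []).append(ip)
    return {h: v for h, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(ip, "->", log_path(ip, SAMPLE_TIME, fake_resolver))
    print("collisions:", find_collisions(SAMPLE_PTR, fake_resolver))
```

Swap `fake_resolver` for `live_resolver` to run the same check against the real PTR records of the devices sending to your server.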
