[syslog-ng] Single host logs aren't being written

Brandon Kendall brandon.kendall at gmail.com
Fri Mar 6 19:09:04 CET 2015


Sorry, I should have specified that.

Not only does the hostname resolve to the correct IP, I created an entry in
the hosts file for this device.

Thanks!

On Fri, Mar 6, 2015 at 12:30 PM, Sandor Geller <sandor.geller at ericsson.com>
wrote:

> Hi!
>
> The only macro in the destination which isn't generated by syslog-ng
> itself is $HOST as you are using DNS for hostname resolution. Could you
> double-check that the source IP address of the originating device
> resolves properly to a hostname and the given hostname is unique?
>
> hth,
>
> Sandor
>
> On 03/06/2015 05:56 PM, Brandon Kendall wrote:
> > Hello everyone.
> >
> > I have a centralized syslog-ng server running that collects syslog
> > messages from Cisco firewalls. The .conf file is very straightforward
> > and contains the following:
> >
> > options {
> > use_fqdn(no);
> > use_dns(yes);
> > dns_cache(yes);
> > dns_cache_size(2000);
> > dns_cache_expire(87600);
> > keep_hostname(no);
> > long_hostnames(no);
> > flush_lines(0);
> > normalize_hostnames(yes);
> > create_dirs(yes);
> > dir_group(group_name);
> > dir_perm(0751);
> > stats_freq(600);
> > stats_level(1);
> > group(group_name);
> > perm(0640);
> > };
> >
> > source s_network_1 {
> > udp();
> > };
> >
> > destination d_network_1 {
> > file("/var/syslog/$R_YEAR-$R_MONTH-$R_DAY/$HOST/$R_YEAR-$R_MONTH-$R_DAY-$HOST-$R_HOUR.log");
> > };
> >
> > log {
> > source(s_network_1);
> > destination(d_network_1);
> > };
> >
> >
> > The goal is to have the logs from each device arranged in a hierarchy
> > that is as follows (simplified):
> > Date/device_name/hour-1.log
> > Date/device_name/hour-2.log
> > etc.
> >
> > This has been working great.
> >
> > Recently I configured another network device to send syslog messages to
> > this server, and they aren't being logged. Using tcpdump on the
> > syslog-ng box, I've verified the messages are making it to the server
> > from the network device. They are UDP and using the correct port. I've
> > compared the message format in the pcap to other devices that are still
> > logging and everything matches. I have no errors in /var/log/syslog
> > files, nor do I have errors in /var/log/messages.
> >
> > I've hit a dead end in troubleshooting, since all other devices sending
> > logs to this server are being correctly written to log files. Can
> > someone point me to anything else to check?
> >
> > This is syslog-ng 3.1.2 running on RHEL 5.8.
> >
> >
> > Thanks!
> >
> >
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >
>
>
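The check Sandor suggests (does the sender's source IP reverse-map to a unique hostname?) can be rehearsed offline against the quoted options. The script below is an added example, not code from this thread or from syslog-ng: it mimics how use_dns(yes), use_fqdn(no) and normalize_hostnames(yes) turn a source IP into the $HOST macro, expands the quoted destination template, and flags two addresses that collapse to the same short name (their logs would be merged into one file rather than dropped). The hosts table, IP addresses and timestamp are constructed sample data; the fallback to the bare IP string when no reverse mapping exists follows syslog-ng's documented behaviour.

```python
"""Simulate syslog-ng's $HOST derivation and the quoted file() template.

Added example for the thread above; not syslog-ng code. All sample data
below (hosts entries, IPs, timestamp) is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed /etc/hosts-style content. 10.0.0.20 and 10.0.0.21 collapse to
# the same short name once the domain is stripped; 10.0.0.30 has no entry.
SAMPLE_HOSTS = """\
# constructed sample hosts file
10.0.0.10   fw-edge-1.example.net   fw-edge-1
10.0.0.20   FW-Core.site-a.example.net
10.0.0.21   fw-core.site-b.example.net
"""

# The destination template from the quoted configuration.
TEMPLATE = ("/var/syslog/$R_YEAR-$R_MONTH-$R_DAY/$HOST/"
            "$R_YEAR-$R_MONTH-$R_DAY-$HOST-$R_HOUR.log")

# Constructed receive time used for the $R_* macros.
SAMPLE_TIME = datetime(2015, 3, 6, 17, 56)


def parse_hosts(text):
    """Return {ip: first hostname} from hosts-file text (comments ignored)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] not in table:
            table[fields[0]] = fields[1]
    return table


def resolve_host_macro(ip, hosts, use_fqdn=False, normalize=True):
    """Mimic $HOST with use_dns(yes)/keep_hostname(no).

    Reverse-map the source IP; with use_fqdn(no) keep only the first label;
    with normalize_hostnames(yes) lowercase it. With no reverse mapping,
    syslog-ng uses the IP address string itself.
    """
    name = hosts.get(ip)
    if name is None:
        return ip
    if not use_fqdn:
        name = name.split(".", 1)[0]
    if normalize:
        name = name.lower()
    return name


def render_path(host, when, template=TEMPLATE):
    """Expand the $R_* date macros and $HOST in the destination template."""
    return (template
            .replace("$R_YEAR", f"{when.year:04d}")
            .replace("$R_MONTH", f"{when.month:02d}")
            .replace("$R_DAY", f"{when.day:02d}")
            .replace("$R_HOUR", f"{when.hour:02d}")
            .replace("$HOST", host))


def find_host_collisions(ips, hosts):
    """Return {host: [ips]} for every $HOST value produced by more than one IP.

    Such senders share a log file, which makes a device look 'missing'.
    """
    by_host = defaultdict(list)
    for ip in ips:
        by_host[resolve_host_macro(ip, hosts)].append(ip)
    return {h: v for h, v in by_host.items() if len(v) > 1}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for ip in ("10.0.0.10", "10.0.0.20", "10.0.0.21", "10.0.0.30"):
        print(ip, "->", render_path(resolve_host_macro(ip, hosts), SAMPLE_TIME))
    print("collisions:", find_host_collisions(hosts.keys(), hosts))
```

On a real server, compare the path this predicts for the new device's source IP (taken from the tcpdump capture) with what actually exists under /var/syslog; an unresolvable IP shows up as a directory named after the address, and a collision shows up as the new device's lines inside another device's file.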