[syslog-ng] Single host logs aren't being written

Sandor Geller sandor.geller at ericsson.com
Mon Mar 9 09:53:42 CET 2015


Hi,

Is it possible to configure the given device to use another port? This 
way you could fire up another syslog-ng instance with debugging options 
enabled to see what it thinks about the incoming messages. Running this 
instance under strace won't impact the processing of logs from other 
devices and the strace output would be quite useful for debugging.

Although you mentioned that the incoming logs seem to be OK, could you 
show a few incoming packets? Preferably in hexdump format, maybe we 
could catch what's wrong.

Regards,

Sandor

On 03/06/2015 07:09 PM, Brandon Kendall wrote:
> Sorry, I should have specified that.
>
> Not only does the hostname resolve to the correct IP, I created an entry
> in the hosts file for this device.
>
> Thanks!
>
> On Fri, Mar 6, 2015 at 12:30 PM, Sandor Geller
> <sandor.geller at ericsson.com <mailto:sandor.geller at ericsson.com>> wrote:
>
>     Hi!
>
>     The only macro in the destination which isn't generated by syslog-ng
>     itself is $HOST as you are using DNS for hostname resolution. Could you
>     double-check that the source IP address of the originating device
>     resolves properly to a hostname and the given hostname is unique?
>
>     hth,
>
>     Sandor
>
>     On 03/06/2015 05:56 PM, Brandon Kendall wrote:
>      > Hello everyone.
>      >
>      > I have a centralized syslog-ng server running that collects syslog
>      > messages from Cisco firewalls. The .conf file is very straightforward
>      > and contains the following:
>      >
>      > options {
>      > use_fqdn(no);
>      > use_dns(yes);
>      > dns_cache(yes);
>      > dns_cache_size(2000);
>      > dns_cache_expire(87600);
>      > keep_hostname(no);
>      > long_hostnames(no);
>      > flush_lines(0);
>      > normalize_hostnames(yes);
>      > create_dirs(yes);
>      > dir_group(group_name);
>      > dir_perm(0751);
>      > stats_freq(600);
>      > stats_level(1);
>      > group(group_name);
>      > perm(0640);
>      > };
>      >
>      > source s_network_1 {
>      > udp();
>      > };
>      >
>      > destination d_network_1 {
>      > file("/var/syslog/$R_YEAR-$R_MONTH-$R_DAY/$HOST/$R_YEAR-$R_MONTH-$R_DAY-$HOST-$R_HOUR.log");
>      > };
>      >
>      > log {
>      > source(s_network_1);
>      > destination(d_network_1);
>      > };
>      >
>      >
>      > The goal is to have the logs from each device arranged in a hierarchy
>      > that is as follows (simplified):
>      > Date/device_name/hour-1.log
>      > Date/device_name/hour-2.log
>      > etc
>      >
>      > This has been working great.
>      >
>      > Recently I configured another network device to send syslog messages to
>      > this server, and they aren't being logged. Using tcpdump on the
>      > syslog-ng box, I've verified the messages are making it to the server
>      > from the network device. They are UDP and using the correct port. I've
>      > compared the message format in the pcap to other devices that are still
>      > logging and everything matches. I have no errors in /var/log/syslog
>      > files, nor do I have errors in /var/log/messages.
>      >
>      > I've hit a dead end in troubleshooting, since all other devices sending
>      > logs to this server are being correctly written to log files. Can
>      > someone point me to anything else to check?
>      >
>      > This is syslog-ng 3.1.2 running on RHEL 5.8.
>      >
>      >
>      > Thanks!
>      >
>      >
>      >
>     ______________________________________________________________________________
>      > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>      > Documentation:
>     http://www.balabit.com/support/documentation/?product=syslog-ng
>      > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>      >
>
>
>
>
>
>

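Sandor's two suggestions above are to look at the raw incoming packets in hexdump form and to remember that, with keep_hostname(no) and use_dns(yes), the $HOST macro comes from the sender's address rather than from anything inside the message. The script below is an added example and not code from the thread or from syslog-ng: it decodes a captured UDP payload the way an RFC 3164 receiver reads it (PRI, timestamp, hostname, tag and content), renders the same bytes in xxd-style hex, and flags the details that only a hex dump exposes, such as a missing `<PRI>`, an absent hostname field, or trailing NUL bytes. The sample datagrams, device names and message texts are constructed for illustration.

```python
"""Decode captured syslog UDP payloads the way an RFC 3164 receiver reads them.

The sample datagrams are constructed for illustration; hostnames and message
texts are hypothetical and not taken from the mailing-list thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MONTHS = rb"Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
PRI_RE = re.compile(rb"^<(\d{1,3})>")
# RFC 3164 TIMESTAMP: "Mmm dd hh:mm:ss" with a space-padded day, then one space.
TS_RE = re.compile(rb"^(?:" + MONTHS + rb") [ 0-3]\d \d\d:\d\d:\d\d ")

# Constructed sample payloads (hypothetical hostnames and message text).
SAMPLES = {
    # Full header: PRI, timestamp, hostname, tag, content.
    "well_formed": b"<134>Mar  6 17:56:01 fw-edge-01 %ASA-6-302013: "
                   b"Built outbound TCP connection 12345",
    # Hostname field omitted and a trailing NUL appended by the sender.
    "no_hostname": b"<166>Mar  6 17:56:02 %ASA-6-302014: "
                   b"Teardown TCP connection 12345\x00",
    # No <PRI> header at all.
    "no_pri": b"Mar  6 17:56:03 fw-edge-03 %ASA-6-302013: "
              b"Built inbound TCP connection 777",
}


@dataclass
class SyslogFields:
    facility: Optional[int]
    severity: Optional[int]
    timestamp: Optional[str]
    hostname: Optional[str]          # hostname carried inside the message, if any
    rest: str                        # TAG and CONTENT, control bytes stripped
    oddities: List[str] = field(default_factory=list)


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes in the offset / hex / ASCII layout that xxd uses."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {asciipart}")
    return "\n".join(lines)


def parse_bsd_syslog(payload: bytes) -> SyslogFields:
    """Split one datagram into its RFC 3164 fields and note anything unusual."""
    oddities: List[str] = []
    facility = severity = None
    timestamp = hostname = None
    buf = payload

    m = PRI_RE.match(buf)
    if m:
        pri = int(m.group(1))
        if pri > 191:
            oddities.append(f"PRI value {pri} out of range (max 191)")
        facility, severity = pri >> 3, pri & 7
        buf = buf[m.end():]
    else:
        oddities.append("no <PRI> header at start of datagram")

    m = TS_RE.match(buf)
    if m:
        timestamp = m.group(0).decode("ascii").rstrip()
        buf = buf[m.end():]
    else:
        oddities.append("no RFC 3164 timestamp where one is expected")

    # HOSTNAME comes next in RFC 3164. A token ending in ':' is a TAG, which
    # means the sender left the hostname out. With keep_hostname(no), as in the
    # thread's config, syslog-ng fills $HOST from the sender's address either way.
    head, _, tail = buf.partition(b" ")
    if head and not head.endswith(b":"):
        hostname = head.decode("ascii", "replace")
        buf = tail
    else:
        oddities.append("no hostname field in message; $HOST comes from the sender address")

    # Trailing NUL / CR / LF bytes are common from network devices and show up
    # only in a hex dump.
    stripped = buf.rstrip(b"\x00\r\n")
    if stripped != buf:
        oddities.append(f"{len(buf) - len(stripped)} trailing control byte(s)")
    if any(not 32 <= b < 127 for b in stripped):
        oddities.append("non-printable byte(s) inside the message body")

    return SyslogFields(facility, severity, timestamp, hostname,
                        stripped.decode("ascii", "replace"), oddities)


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"== {name}")
        print(hexdump(payload))
        print(parse_bsd_syslog(payload))
```

To use it on real traffic, feed `parse_bsd_syslog()` the UDP payload bytes of one packet from the capture (for example, extracted from the pcap with a library such as scapy or dpkt) and compare the reported oddities for the silent device against those for a device whose logs do arrive; a difference in the header layout or trailing bytes is the first thing to look at before moving on to the strace session Sandor describes.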

