[syslog-ng] Single host logs aren't being written

Brandon Kendall brandon.kendall at gmail.com
Fri Mar 13 14:55:08 CET 2015 

Thanks for the responses, all. I managed to fix the issue by routing the
syslog messages to a different interface on the server.

Sent from my Android device.
On Mar 9, 2015 4:53 AM, "Sandor Geller" <sandor.geller at ericsson.com> wrote:

> Hi,
>
> Is it possible to configure the given device to use another port? This
> way you could fire up another syslog-ng instance with debugging options
> enabled to see what it thinks about the incoming messages. Running this
> instance under strace won't impact the processing of logs from other
> devices and the strace output would be quite useful for debugging.
>
> Although you mentioned that the incoming logs seem to be OK could you
> show a few incoming packets? Preferably in hexdump format, maybe we
> could catch what's wrong.
>
> Regards,
>
> Sandor
>
> On 03/06/2015 07:09 PM, Brandon Kendall wrote:
> > Sorry, I should have specified that.
> >
> > Not only does the hostname resolve to the correct IP, I created an entry
> > in the hosts file for this device.
> >
> > Thanks!
> >
> > On Fri, Mar 6, 2015 at 12:30 PM, Sandor Geller
> > <sandor.geller at ericsson.com <mailto:sandor.geller at ericsson.com>> wrote:
> >
> >     Hi!
> >
> >     The only macro in the destination which isn't generated by syslog-ng
> >     itself is $HOST as you are using DNS for hostname resolution. Could
> you
> >     doublecheck that the source IP address of the originating device
> >     resolves properly to a hostname and the given hostname is unique?
> >
> >     hth,
> >
> >     Sandor
> >
> >     On 03/06/2015 05:56 PM, Brandon Kendall wrote:
> >      > Hello everyone.
> >      >
> >      > I have a centralized syslog-ng server running that collect syslog
> >      > messages from Cisco firewalls. The .conf file is very
> straightforward
> >      > and contains the following:
> >      >
> >      > options {
> >      > use_fqdn(no);
> >      > use_dns(yes);
> >      > dns_cache(yes);
> >      > dns_cache_size(2000);
> >      > dns_cache_expire(87600);
> >      > keep_hostname(no);
> >      > long_hostnames(no);
> >      > flush_lines(0);
> >      > normalize_hostnames(yes);
> >      > create_dirs(yes);
> >      > dir_group(group_name);
> >      > dir_perm(0751);
> >      > stats_freq(600);
> >      > stats_level(1);
> >      > group(group_name);
> >      > perm(0640);
> >      > };
> >      >
> >      > source s_network_1 {
> >      > udp();
> >      > };
> >      >
> >      > destination d_network_1 {
> >      > file
> >      >
> >
>  ("/var/syslog/$R_YEAR-$R_MONTH-$R_DAY/$HOST/$R_YEAR-$R_MONTH-$R_DAY-$HOST-$R_HOUR.log");
> >      > };
> >      >
> >      > log {
> >      > source(s_network_1);
> >      > destination(d_network_1);
> >      > };
> >      >
> >      >
> >      > The goal is to have the logs from each device arranged in a
> hierarchy
> >      > that is as follows (simplified):
> >      > Date/device_name/hour-1.log
> >      > Date/device/name/hour2.log
> >      > etc
> >      >
> >      > This has been working great.
> >      >
> >      > Recently I configured another network device to send syslog
> >     messages to
> >      > this server, and they aren't being logged. Using tcpdump on the
> >      > syslog-ng box, I've verified the messages are making it to the
> server
> >      > from the network device. They are UDP and using the correct port.
> >     I've
> >      > compared the message format in the pcap to other devices that are
> >     still
> >      > logging and everything matches. I have no errors in
> /var/log/syslog
> >      > files, nor do I have errors in /var/log/messages.
> >      >
> >      > I've hit a dead end in troubleshooting, since all other devices
> >     sending
> >      > logs to this server are being correctly written to log files. Can
> >      > someone point me to anything else to check?
> >      >
> >      > This is syslog-ng 3.1.2 running on RHEL 5.8.
> >      >
> >      >
> >      > Thanks!
> >      >
> >      >
> >      >
> >
>  ______________________________________________________________________________
> >      > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >      > Documentation:
> >     http://www.balabit.com/support/documentation/?product=syslog-ng
> >      > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >      >
> >
> >
>  ______________________________________________________________________________
> >     Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> >     Documentation:
> >     http://www.balabit.com/support/documentation/?product=syslog-ng
> >     FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >
> >
> >
> >
> >
> ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20150313/09a27045/attachment.htm

More information about the syslog-ng mailing list