[syslog-ng] Switching the syslog-ng central server - client messages go missing

Wed Apr 27 18:22:10 CEST 2016

Can you test manually using logger? That way you can see if it behaves differently with different combinations of facility and priority. Also capture those with tcpdump or whatever. I seem to recall that Solaris uses different mappings than other operating systems. You might look at the sending and receiving system header files. I forget the exact name or location but something like /usr/include/sys/syslog.h I think...
Good luck Jim

Sent from my Verizon, Samsung Galaxy smartphone
-------- Original message --------From: "Cottington-Bray, Ian" <ian.cottington-bray at mclaren.com> Date: 4/27/16  7:06 AM  (GMT-05:00) To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu> Subject: Re: [syslog-ng] Switching the syslog-ng central server - client messages go missing 

Thanks for the feedback – had to wait for a period to test again.

Comments below

Ian Cottington-Bray  | Senior Infrastructure Engineer – Linux/Unix |
McLaren Technology Group Limited

McLaren Technology Centre, Chertsey Road, Woking, Surrey GU21 4YH, UK

T:
 +44 (0) 1483 261 900
D:
 +44 (0) 1483 262 357

E:  ian.cottington-bray at mclaren.com
W:
www.mclaren.com

From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu]
On Behalf Of Scheidler, Balázs

Sent: 21 April 2016 10:33

To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>

Subject: Re: [syslog-ng] Switching the syslog-ng central server - client messages go missing

hmm... couple of things come to mind, not all syslog-ng related:

1)     
are those messages actually arriving on the host (check with tcpdump)
Sometimes – I see network packets being sent some of the time (by the client) but not always

2)     
is the local firewall letting them through?
There is no firewall on this network

3)     
is syslog-ng bound to a specific ip/port or it is bound to 0.0.0.0? (check that with netstat)
Specific IP/port (514) – several IPs in fact

4)     
you should be able to use telnet/netcat on the client host to check if the port on the solaris11 box is open
The port is open

5)     
if all else fails, check the syslog-ng config, but that shouldn't be a problem
It looks OK to me ..
It almost looks like the client systems don’t send all the time – which is VERY strange and I’m struggling to understand why.  The
 client systems seem to send a few messages immediately after syslog-ng starts on the central server and then stop sending …  

If I shutdown the new server and bring up the old one the messages start appearing in the logs as I would expect.
Any suggestions ?

Bazsi

-- 

Bazsi

On Wed, Apr 20, 2016 at 4:51 PM, Cottington-Bray, Ian <ian.cottington-bray at mclaren.com> wrote:

Hi

I have a Solaris 10 server running version 3.0 of syslog-ng.

I have built a new server running Solaris 11 with version 3.6 of syslog-ng installed.

I have tested the new server by pointing another client at it and messages appear in the configured files as expected.

I then shut down the Solaris 10 server – change the Solaris 11 server IP configuration to match the details for the Solaris 10 server – restart syslog-ng on the Solaris 11 server.   
 Things seem to be working ok – except for the (Solaris and Linux) clients using syslog-ng (and referencing the central syslog-ng server by IP) their messages do not arrive at the expected files. 

Any suggestions ?

Ian

Ian Cottington-Bray  | Senior Infrastructure Engineer – Linux/Unix |
McLaren Technology Group Limited

McLaren Technology Centre, Chertsey Road, Woking, Surrey GU21 4YH, UK

T:
 +44 (0) 1483 261 900
D:
 +44 (0) 1483 262 357

E:  ian.cottington-bray at mclaren.com
W:
www.mclaren.com

The contents of this e-mail are confidential and for the exclusive use of the intended recipient. If you are not the intended recipient you should not read, copy, retransmit or disclose its contents. If you have received this email in error please delete it
 from your system immediately and notify us either by email or telephone. The views expressed in this communication may not necessarily be the views held by McLaren Technology Group Limited.

McLaren Technology Group Limited | McLaren Technology Centre | Chertsey Road | Woking | Surrey | GU21 4YH | UK | Company Number: 01967715

______________________________________________________________________________

Member info: 
https://lists.balabit.hu/mailman/listinfo/syslog-ng

Documentation: 
http://www.balabit.com/support/documentation/?product=syslog-ng

FAQ: http://www.balabit.com/wiki/syslog-ng-faq

The contents of this e-mail are confidential and for the exclusive use of the intended recipient. If you are not the intended recipient you should not read, copy, retransmit or disclose its contents. If you have received this email in error please delete it from your system immediately and notify us either by email or telephone. The views expressed in this communication may not necessarily be the views held by McLaren Technology Group Limited. 

 McLaren Technology Group Limited | McLaren Technology Centre | Chertsey Road | Woking | Surrey | GU21 4YH | UK | Company Number: 01967715

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20160427/df6935d2/attachment-0001.htm 