[syslog-ng] Can't get basic syslog to work for my firewall logs?

Damian Bell Damian.Bell at clarksons.com
Fri Feb 24 15:36:23 UTC 2017


Have you disabled any other syslog servers that might be listening on UDP 514? Rsyslog, etc? (ps aux | grep syslog) Try (temporarily) disabling SELINUX and keep firewall turned off. See if you can start syslog-ng in the foreground and see what you get (syslog-ng -Fed)




Damian Bell
Infrastructure Engineer | Support | H Clarkson & Co Ltd

Email: Damian.Bell at clarksons.com


From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Tim Tyler
Sent: 24 February 2017 15:07
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] Can't get basic syslog to work for my firewall logs?

Syslog-ng experts.
  I am very new to syslog-ng.  I installed syslog-ng on a fresh Redhat 7.3 server.   It defaults working with internal logging.  So I configured my firewall to send syslog with facility set to log_user.  I turned on Wireshark on the syslog-ng server and observed the firewall sending traffic to the server on udp 514.

But the syslog server never created the directory structure and logs.  I disabled the redhat firewall just to eliminate it as a possibility.  Still no logging.  So I don’t know what I am doing wrong at this point. I don’t know if this is a permission problem or some other configuration issue.  I found someone that had posted a very basic syslog-ng configuration for firewalls.  So I copied it into a firewall.conf I put in conf.d.  Can anyone see what might be wrong with it?

####################
options {
        create_dirs(yes);      # required so the $YEAR/$MONTH directories in the destination get created
        owner(root);
        group(root);
        perm(0640);
        dir_owner(root);
        dir_group(root);
        dir_perm(0750);
};


##################################################
source s_udp {
        udp(port(514));        # plain UDP syslog on the port the firewall sends to
};

#Template for a new firewall in the firewalls.conf file
#Entries to be changed: NAMEOFTHEFIREWALL and IPOFTHEFIREWALL

##################################################
filter f_NAMEOFTHEFIREWALL {
        host("192.168.30.1");  # compared against the message's $HOST macro, which may be a hostname rather than this IP
};
destination d_NAMEOFTHEFIREWALL {
        file("/var/log/firewalls/PA/$YEAR/$MONTH/$YEAR-$MONTH-$DAY.PA.log");   # one file per day, under year/month directories
};
log {
        source(s_udp);
        filter(f_NAMEOFTHEFIREWALL);
        destination(d_NAMEOFTHEFIREWALL);
};


Tim Tyler
Network Engineer
Beloit College
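A small test sender to exercise the posted configuration without the firewall (an added example, not from the thread): it builds an RFC 3164 datagram with facility user (Tim's log_user) and shows the file the posted destination template resolves to for the message's date. The hostname, tag and server address are assumptions; only the filter IP is the one posted.

```python
import socket
from datetime import datetime

# RFC 3164 facility and severity numbers (syslog-ng's log_user is facility "user" = 1)
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility, severity):
    """PRI field: facility * 8 + severity, e.g. user.notice -> 13."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_bsd_syslog(facility, severity, hostname, tag, text, when):
    """Build one RFC 3164 datagram: <PRI>Mmm dd HH:MM:SS HOSTNAME TAG: text"""
    # BSD timestamps pad a single-digit day with a space, not a zero
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{priority(facility, severity)}>{stamp} {hostname} {tag}: {text}".encode()


def expected_log_path(when):
    """File the posted destination template resolves to for a message dated `when`."""
    return (f"/var/log/firewalls/PA/{when:%Y}/{when:%m}/"
            f"{when:%Y}-{when:%m}-{when:%d}.PA.log")


def send_udp(datagram, server, port=514):
    """Send the datagram to the syslog-ng server; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (server, port))


# Constructed sample values: hypothetical tag and text, HOSTNAME set to the posted filter IP
SAMPLE_TIME = datetime(2017, 2, 24, 15, 7, 0)
SAMPLE_DATAGRAM = build_bsd_syslog("user", "notice", "192.168.30.1", "pan",
                                   "syslog-ng pipeline test", SAMPLE_TIME)

if __name__ == "__main__":
    print(SAMPLE_DATAGRAM.decode())
    print("expect file:", expected_log_path(SAMPLE_TIME))
    send_udp(SAMPLE_DATAGRAM, "127.0.0.1")   # assumed: run on the syslog-ng host itself
```

Sent from any machine other than 192.168.30.1 it will not pass the posted host() filter with syslog-ng's default keep_hostname(no), because $HOST is then derived from the sending address rather than from the HOSTNAME field; running syslog-ng -Fed while sending shows what the filter actually sees.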


________________________________
This message is private and confidential. If you have received it in error, you are on notice of its status. Please notify us immediately by reply email and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person: to do so could be a breach of confidence.

Emails may be monitored.

Details of Clarkson group companies and their regulators (where applicable) can be found at this url: Disclosure<http://www.clarksons.com/disclosure/>
________________________________