[syslog-ng] Verifying local logs and remote logs are being sent to destination graylog

Rodney Bizzell hardworker30 at gmail.com
Mon Nov 12 18:28:19 UTC 2018


So I upgraded to syslog-ng 3.18 and it has syslog-ng-debun options. I was
reading through the documentation, and when I issue syslog-ng-debun -d -P
'port 12201', should I see anything on standard out? All that happened
was that it displayed the options for the command. That is all that happened
when I issued the command below in this email. I tried to run
syslog-ng-debun -r and that executed and created a tarball.


syslog-ng-debun -d -P 'port 12201'

Usage: syslog-ng-debun [OPTIONS]

General Options:
  -r Run actual information gathering
  -h Show this help page
  -R [dir] Syslog-ng-PE's alternate install dir, instead of /opt/syslog-ng
  -W [dir] Work dir, where debug bundle will be placed
  -l "light" collect: Don't get data, which may disturb your sense about
     privacy, like process tree, fstab, etc. If you use with -d, then it
     will also enlighten that's params: -Fev

Debug mode options:
  -d Debug with params: -Fedv --enable-core
     Warning! May increase disk io during the debug,
     and dumps huge amount of data!
  -D [params] Debug with custom params
  -w [sec] Wait [sec] seconds before start syslog's debug mode, and
     start realtime watching of it
  -t [sec] Timeout for noninteractive debug

Packet capture options:
  -i [iface] Capture packets on specified interface
  -p Create packet capture with filter: port 514 or port 601 or port 53
  -P [params] Create packet capture with custom filter
  -t [sec] Timeout for noninteractive debug

Syscall tracing options:
  -s Trace syslog
  -t [sec] Timeout for noninteractive debug



On Wed, Nov 7, 2018 at 7:22 PM PÁSZTOR György <
pasztor at linux.gyakg.u-szeged.hu> wrote:

> Hi,
>
> "Rodney Bizzell" <hardworker30 at gmail.com> wrote at 2018-11-07 15:14:
> > I can try that but I echoed a message from the syslog server to the graylog
> > server and that worked
>
> What exactly does it mean that you "echoed" a message?
> echo -ne '{some json formatted graylog message}\0' | nc graylog.server 12201
> ?
>
> Can you please share the details?
> It's really hard to guess what you exactly thought of. And I don't have my
> magic crystal sphere with me to have a more reliable guess.
>
> Have you run a tcpdump to check communication between syslog-ng and
> graylog? Could you please share the pcap file?
>
> You only shared the debug messages of the syslog-ng initialization.
> But we haven't seen in your other mail what the debug mode says if you send
> in a message which should end up on the graylog server.
> Well, this is what debug mode is for: to debug situations like this.
>
> At this point it could be also useful, if this test system doesn't contain
> any sensitive information, to start a debug bundle run, and share the
> result:
> When your config is ready, etc. just use these parameters for the debun
> command:
> syslog-ng-debun -d -P 'port 12201'
>
> It will stop system's syslog-ng service, and restart that in debug mode and
> collect the data, and will wait for your input when to stop data
> collecting.
> So, while it runs in debug mode, on a second terminal please try to send a
> log message which is destined to reach the graylog server.
> Wait a couple of seconds.
> Then hit the enter on the first terminal where the data collection is
> running.
> It will pack the collected data into a tarball, and notify you where the
> resulting file is. Then please share that file with us.
>
> I think that is the most straightforward way to solve this mystery.
>
> Regards,
> Gyu
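The quoted reply asks for a test message to be sent while the debug capture on port 12201 is running. The following is an added example, not code from either poster or from the syslog-ng project: it builds a NUL-terminated GELF message like the echo/nc one-liner in the thread and can split a captured byte stream back into messages. It assumes the GELF 1.1 field names; "graylog.server" is the placeholder host from the thread, and the "marker" field is a hypothetical tag for finding the test message in the capture.

```python
import json
import socket
import time

GELF_PORT = 12201  # port used in the thread's capture filter


def build_gelf(short_message, host, level=6, **extra):
    """Return a GELF 1.1 payload as bytes; extra fields get the '_' prefix."""
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": round(time.time(), 3),
        "level": level,  # syslog severity, 6 = informational
    }
    for key, value in extra.items():
        if key == "id":
            raise ValueError("GELF reserves the additional field name _id")
        msg["_" + key] = value
    return json.dumps(msg, separators=(",", ":")).encode("utf-8")


def frame(payload):
    """GELF over TCP delimits messages with a single NUL byte."""
    return payload + b"\0"


def split_frames(stream):
    """Split received bytes into parsed messages and an unterminated remainder."""
    *complete, rest = stream.split(b"\0")
    return [json.loads(c) for c in complete if c], rest


def send_gelf(server, short_message, port=GELF_PORT, timeout=5.0, **extra):
    """Send one framed test message; raises OSError if the connection fails."""
    data = frame(build_gelf(short_message, socket.gethostname(), **extra))
    with socket.create_connection((server, port), timeout=timeout) as conn:
        conn.sendall(data)
    return data


if __name__ == "__main__":
    # "graylog.server" is the placeholder host name from the thread.
    send_gelf("graylog.server", "syslog-ng debun test", marker="debun-test")
```

A connection error from send_gelf means the message never left the host, which separates a network problem from a syslog-ng configuration problem.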