[syslog-ng] Troubleshooting Question

Walter Tienken Walter.Tienken at asu.edu
Fri May 10 00:55:01 UTC 2019


Hello All,

I'd like to see if we can get some troubleshooting help with Syslog-NG OSE. Here's some background:

Our environment collects logs from various network locations (F5, Checkpoint, Plixer, etc.) and sends them to our Syslog-NG cluster through two F5 load balancers. We have four netlog boxes in round-robin that are running version 5 of the PE version of Syslog-NG on RHEL6. We also have a dev server running RHEL7 and the 3.19.1 OSE edition of Syslog-NG from the COPR repository. On each of these servers, we run the Splunk Universal Forwarder, which then sends the logs over to our indexer cluster.

The problem we are having is that the dev server will not listen to any traffic except via localhost. We can see the traffic just fine in a tcpdump as it comes out of the load balancer into the dev box, but watching Syslog-NG in the foreground with -Fevd, the traffic never registers at all. We can send test messages with loggen or netcat, etc., from localhost and Syslog-NG will see them and log them to disk as expected. From anywhere else it just never sees the traffic nor logs anything to disk, even though we have confirmed with netstat that Syslog-NG is listening on UDP port 9999.

Here is our syslog-ng.conf file from the working RHEL6 boxes:

https://gist.github.com/MrTink76/9ee1e88f93a313f953e4033560af463a

This is the syslog-ng.conf file on the OSE box:

https://gist.github.com/MrTink76/e181f4c0bf052077440d7bdfaf418e02

This is an example of our testing CONF file located in conf.d on the OSE box:

https://gist.github.com/MrTink76/a0433b9e908ba683e36cb6199f9cc43f

We send our test traffic to the F5 load balancer VIP using UDP 9999. Like I said above, when we send to 9999 on localhost with loggen or netcat, Syslog-NG sees it just fine and logs it to disk, but from anywhere else it never registers nor records the test message to disk. We currently have SELinux disabled and there is no firewall running on the dev box (we see the traffic fine via tcpdump).

Any help/suggestions would be greatly appreciated. Please let me know if I need to provide further information.

Thanks much,

Walter Tienken
walter.tienken at asu.edu
Cloud and Advanced Network Engineering Services
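One check worth running in a situation like this, as an added example that is not part of the original post: "listening on UDP 9999" says nothing about which local address the socket is bound to, and a listener bound only to 127.0.0.1 accepts loopback traffic while never seeing packets from other hosts. The functions below read `ss -uln` or `netstat -uln` output and classify the bind address for a given port; the sample output embedded here is constructed.

```shell
#!/bin/sh
# Added example: report the local address a UDP listener is bound to.
# Works on `ss -uln` and `netstat -uln` output (local address is column 4
# in both). SAMPLE_SS below is constructed; only port 9999 comes from the post.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
UNCONN 0      0      127.0.0.1:9999      0.0.0.0:*
UNCONN 0      0      0.0.0.0:514         0.0.0.0:*
UNCONN 0      0      [::1]:323           [::]:*'

# udp_bind_addr PORT  -- read ss/netstat output on stdin, print the local
# address(es) bound to PORT, one per line (nothing if PORT is not bound)
udp_bind_addr() {
    port=$1
    awk -v p="$port" '
        index($4, ":") > 0 {
            # the port is the text after the last ":" in "ADDR:PORT"
            n = split($4, parts, ":")
            if (parts[n] == p) {
                addr = substr($4, 1, length($4) - length(p) - 1)
                print addr
            }
        }'
}

# classify_bind ADDR -- loopback-only listeners are unreachable from other hosts
classify_bind() {
    case "$1" in
        127.*|'[::1]')       echo loopback-only ;;
        0.0.0.0|'*'|'[::]')  echo all-interfaces ;;
        '')                  echo not-listening ;;
        *)                   echo "specific:$1" ;;
    esac
}

# Demonstration against the constructed sample
for port in 9999 514 4444; do
    addr=$(printf '%s\n' "$SAMPLE_SS" | udp_bind_addr "$port")
    echo "udp/$port -> $(classify_bind "$addr")"
done
```

On a live box, `ss -uln | udp_bind_addr 9999` replaces the constructed sample; a result of `loopback-only` means the source is bound to the loopback address rather than to an interface the load balancer can reach.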