[syslog-ng] Syslogs not writing to disk

Balazs Scheidler bazsi77 at gmail.com
Thu Apr 30 16:49:58 UTC 2020


Tcpdump shows data that is later dropped by the packet filter, so make sure
that iptables lets the packets through.

Another potential culprit is SELinux; check for violations in the kernel
log.


On Thu, Apr 30, 2020, 16:20 Rose, Ed <Ed_Rose at mentor.com> wrote:

> Hello All,
>
>
>
> I have syslog-ng currently set up to write to disk and forward events
> on to a different syslog server.  Syslog isn’t writing to disk, it seems.  I
> do not see any errors either, unless I am not looking in the right place
> for the errors.  Tcpdump -v host x.x.x.x shows data coming in from the host
> but a tail -f ${HOST}/log_${HOST} shows no logs going to disk.
>
>
>
> Thanks
>
> Ed
>
>
>
>
>
> syslog-ng 3 (3.14.1)
>
> Config version: 3.14
>
> Installer-Version: 3.14.1
>
> Revision:
>
> Module-Directory: /usr/lib64/syslog-ng
>
> Module-Path: /usr/lib64/syslog-ng
>
> Available-Modules:
> afmongodb,sdjournal,linux-kmsg-format,appmodel,date,pseudofile,afamqp,syslogformat,csvparser,cef,tags-parser,affile,afsocket,afstomp,tfgetent,json-plugin,confgen,system-source,stardate,graphite,dbparser,afprog,xml,add-contextual-data,snmptrapd-parser,cryptofuncs,kvformat,disk-buffer,basicfuncs,afuser,map-value-pairs
>
> Enable-Debug: off
>
> Enable-GProf: off
>
> Enable-Memtrace: off
>
> Enable-IPv6: on
>
> Enable-Spoof-Source: on
>
> Enable-TCP-Wrapper: on
>
> Enable-Linux-Caps: on
>
> Enable-Systemd: on
>
>
>
>
>
> filter f_awanra1 { host("x.x.x.x"); };
>
> filter f_bwanra1 { host("x.x.x.x"); };
>
> filter f_cwanra1 { host("x.x.x.x"); };
>
>
>
> destination d_ciscoasa {
> file("/var/log2/gns/cisco_asa/${HOST}/log_${HOST}" create-dirs(yes)
> dir-perm(0755) dir-group(splunk) perm(0640) group(splunk)); };
>
>
>
> destination d_uid1 { tcp("x.x.x.x"  port(514) ); };
>
> destination d_uid2 { tcp("x.x.x.x"  port(514) ); };
>
> destination d_uid3 { tcp("x.x.x.x"  port(514) ); };
>
> destination d_uid4 { tcp("x.x.x.x"  port(514) ); };
>
>
>
> log { source(s_net); filter(f_amywanra1); destination(d_ciscoasa);
> destination(d_uid1); destination(d_uid2); destination(d_uid3);
> destination(d_uid4); flags(final); };
>
> log { source(s_net); filter(f_cnswanra1); destination(d_ciscoasa);
> destination(d_uid1); destination(d_uid2); destination(d_uid3);
> destination(d_uid4); flags(final); };
>
> log { source(s_net); filter(f_demwanra1); destination(d_ciscoasa);
> destination(d_uid1); destination(d_uid2); destination(d_uid3);
> destination(d_uid4); flags(final); };
>
>
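Added example (not part of the original thread, and not syslog-ng project code): one way to carry out the SELinux check suggested in the reply is to filter the kernel or audit log for AVC denials attributed to syslog-ng and see which object and label were refused. The function name, the sample log lines, and the labels in them are constructed for illustration.

```shell
#!/bin/sh
# Added example. Feed it real text with, for instance:
#   dmesg | syslogng_avc_denials
#   ausearch -m avc -c syslog-ng | syslogng_avc_denials

# Read log text on stdin; for every SELinux denial whose comm is syslog-ng,
# print: <permissions> <tclass> <tcontext> <object name or path>
syslogng_avc_denials() {
    awk '
    /avc: +denied/ && /comm="syslog-ng"/ {
        perms = "-"; tclass = "-"; tcontext = "-"; obj = "-"
        # The denied permissions sit between braces: { write }
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^tclass=/)   tclass = substr($i, 8)
            if ($i ~ /^tcontext=/) tcontext = substr($i, 10)
            if ($i ~ /^(name|path)=/) {
                obj = $i; sub(/^[a-z]+=/, "", obj); gsub(/"/, "", obj)
            }
        }
        print perms, tclass, tcontext, obj
    }'
}

# Constructed sample: kernel-log form, audit.log form, an unrelated denial,
# and an ordinary kernel message. Only the first two should be reported.
sample_log() {
    cat <<'EOF'
[12345.678] audit: type=1400 audit(1588265398.120:101): avc:  denied  { write } for  pid=2211 comm="syslog-ng" name="cisco_asa" dev="dm-0" ino=131 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1588265399.450:102): avc:  denied  { create } for  pid=2211 comm="syslog-ng" name="log_fw1" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1588265400.010:103): avc:  denied  { read } for  pid=900 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
[12346.001] eth0: link up
EOF
}

sample_log | syslogng_avc_denials
```

An empty result on the real logs means SELinux is not refusing syslog-ng's writes, which leaves the packet filter from the reply as the thing to check.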