[syslog-ng] Syslogs not writing to disk

Rose, Ed Ed_Rose at mentor.com
Thu Apr 30 17:34:39 UTC 2020


The tcpdump looks good and there doesn’t appear to be any drops.  I should also mention that the syslog servers are behind a Netscaler load balancer doing round robin load balancing between two different syslog-ng servers that are set up exactly the same.  I have about 10 different sources sending logs to these syslog servers and all of them are writing to disk except this particular source (cisco_asa).

Thanks
Ed



10:24:21.525178 IP (tos 0x0, ttl 254, id 3483, offset 0, flags [none], proto UDP (17), length 190)
    x.x.x.x  > x.x.x.x: SYSLOG, length: 162
        Facility local4 (20), Severity debug (7)
        Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr x.x.x.x: Session Attribute endpoint.am["539"].description="Trend Micro OfficeScan Client"\0x0a
10:24:21.525179 IP (tos 0x0, ttl 254, id 15604, offset 0, flags [none], proto UDP (17), length 166)
    x.x.x.x > x.x.x.x: SYSLOG, length: 138
        Facility local4 (20), Severity debug (7)
        Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr x.x.x.x: Session Attribute endpoint.am["539"].version="12.0.5400"\0x0a
10:24:21.525368 IP (tos 0x0, ttl 254, id 19622, offset 0, flags [none], proto UDP (17), length 193)
    x.x.x.x > x.x.x.x: SYSLOG, length: 165
        Facility local4 (20), Severity debug (7)
        Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr x.x.x.x: Session Attribute endpoint.anyconnect.devicetype = "Dell Inc. Latitude 5290 2-in-1"\0x0a

From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Thursday, April 30, 2020 10:50 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Syslogs not writing to disk

Tcpdump shows data that is later dropped by the packet filter, so make sure that iptables lets the packets through.

Another potential culprit is selinux, check for violations in the kernel log.


On Thu, Apr 30, 2020, 16:20 Rose, Ed <Ed_Rose at mentor.com> wrote:
Hello All,

I have syslog-ng currently set up to write to disk and forward events on to a different syslog server.  Syslog isn’t writing to disk it seems.  I do not see any errors either, unless I am not looking in the right place for the errors.  tcpdump -v host x.x.x.x shows data coming in from the host but a tail -f ${HOST}/log_${HOST} shows no logs going to disk.

Thanks
Ed


syslog-ng 3 (3.14.1)
Config version: 3.14
Installer-Version: 3.14.1
Revision:
Module-Directory: /usr/lib64/syslog-ng
Module-Path: /usr/lib64/syslog-ng
Available-Modules: afmongodb,sdjournal,linux-kmsg-format,appmodel,date,pseudofile,afamqp,syslogformat,csvparser,cef,tags-parser,affile,afsocket,afstomp,tfgetent,json-plugin,confgen,system-source,stardate,graphite,dbparser,afprog,xml,add-contextual-data,snmptrapd-parser,cryptofuncs,kvformat,disk-buffer,basicfuncs,afuser,map-value-pairs
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on


filter f_awanra1 { host("x.x.x.x"); };
filter f_bwanra1 { host("x.x.x.x"); };
filter f_cwanra1 { host("x.x.x.x"); };

destination d_ciscoasa { file("/var/log2/gns/cisco_asa/${HOST}/log_${HOST}" create-dirs(yes) dir-perm(0755) dir-group(splunk) perm(0640) group(splunk)); };

destination d_uid1 { tcp("x.x.x.x"  port(514) ); };
destination d_uid2 { tcp("x.x.x.x"  port(514) ); };
destination d_uid3 { tcp("x.x.x.x"  port(514) ); };
destination d_uid4 { tcp("x.x.x.x"  port(514) ); };

log { source(s_net); filter(f_amywanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };
log { source(s_net); filter(f_cnswanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };
log { source(s_net); filter(f_demwanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
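Since tcpdump proves the datagrams reach the box, the two things worth checking beyond iptables and SELinux are whether the log path for this source actually refers to filters and destinations that exist, and whether the host() filter in that path matches the address syslog-ng will put in $HOST. syslog-ng --syntax-only catches undefined references at start-up, but the small script below (an added example written for this thread, not code from the original post or from the syslog-ng project) does the same cross-check on a config text and additionally answers "which destinations would a message from this host reach?". It is a regex-based approximation of the config grammar and only models filters that consist of a single literal host(); SAMPLE_CONFIG is constructed to mirror the shape of the posted config with RFC 5737 documentation addresses in place of the redacted x.x.x.x values. It assumes $HOST equals the packet's source address; when a load balancer rewrites the source, $HOST is the balancer's address and a host() filter written for the ASA will not match.

```python
import re

# Constructed sample modeled on the posted config; the addresses are RFC 5737
# documentation addresses, not values from the original thread.
SAMPLE_CONFIG = """
filter f_awanra1 { host("192.0.2.10"); };
filter f_bwanra1 { host("192.0.2.11"); };
filter f_cwanra1 { host("192.0.2.12"); };

destination d_ciscoasa { file("/var/log2/gns/cisco_asa/${HOST}/log_${HOST}" create-dirs(yes)); };
destination d_uid1 { tcp("198.51.100.1" port(514)); };

log { source(s_net); filter(f_amywanra1); destination(d_ciscoasa); destination(d_uid1); flags(final); };
log { source(s_net); filter(f_bwanra1); destination(d_ciscoasa); destination(d_uid1); flags(final); };
"""

# Approximate syslog-ng grammar: named filter/destination definitions and
# inline log paths. Good enough for the one-statement-per-line style above.
FILTER_DEF_RE = re.compile(r'filter\s+(\w+)\s*\{\s*(.*?)\s*\};', re.S)
HOST_RE = re.compile(r'host\(\s*"([^"]+)"\s*\)')
DEST_DEF_RE = re.compile(r'destination\s+(\w+)\s*\{')
LOG_PATH_RE = re.compile(r'log\s*\{(.*?)\};', re.S)
FILTER_REF_RE = re.compile(r'filter\(\s*(\w+)\s*\)')
DEST_REF_RE = re.compile(r'destination\(\s*(\w+)\s*\)')
FLAGS_RE = re.compile(r'flags\(([^)]*)\)')


def parse_filters(config):
    """Map each defined filter name to its literal host() value (None if the
    filter is not a plain host() match; such filters are not modeled here)."""
    filters = {}
    for name, body in FILTER_DEF_RE.findall(config):
        m = HOST_RE.search(body)
        filters[name] = m.group(1) if m else None
    return filters


def parse_log_paths(config):
    """Return each log path as its referenced filters, destinations and final flag."""
    paths = []
    for body in LOG_PATH_RE.findall(config):
        flags = FLAGS_RE.search(body)
        paths.append({
            "filters": FILTER_REF_RE.findall(body),
            "destinations": DEST_REF_RE.findall(body),
            "final": bool(flags and "final" in flags.group(1)),
        })
    return paths


def undefined_references(config):
    """Filters and destinations referenced by log paths but never defined.
    syslog-ng refuses to start on these, so they point at a typo or an
    inconsistent rename rather than a runtime problem."""
    defined_filters = set(parse_filters(config))
    defined_dests = set(DEST_DEF_RE.findall(config))
    bad_filters, bad_dests = set(), set()
    for path in parse_log_paths(config):
        bad_filters.update(f for f in path["filters"] if f not in defined_filters)
        bad_dests.update(d for d in path["destinations"] if d not in defined_dests)
    return sorted(bad_filters), sorted(bad_dests)


def destinations_for_host(config, host):
    """Destinations a message with $HOST == host would reach. Multiple filter()
    references in one path are ANDed, and flags(final) stops further matching."""
    filters = parse_filters(config)
    reached = []
    for path in parse_log_paths(config):
        # An undefined or non-host() filter can never match in this model.
        if all(filters.get(f) == host for f in path["filters"]):
            reached.extend(path["destinations"])
            if path["final"]:
                break
    return reached


if __name__ == "__main__":
    bad_f, bad_d = undefined_references(SAMPLE_CONFIG)
    print("undefined filters:", bad_f, "undefined destinations:", bad_d)
    for sender in ("192.0.2.10", "192.0.2.11"):
        print(sender, "->", destinations_for_host(SAMPLE_CONFIG, sender) or "no log path matches")
```

Run it against the real configuration with the address tcpdump shows as the sender; an empty destination list for that address means no log path will ever write the file, regardless of what the packet filter does.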