[syslog-ng] syslog-ng is ignoring a network source

Laszlo Szemere (lszemere) Laszlo.Szemere at oneidentity.com
Fri Aug 28 10:20:45 UTC 2020


Hello Ben,

 Our experience shows that having logs in Wireshark doesn't necessarily mean that they reach the application. (Wireshark captures packets at the interface level.)
 So as a first step I would recommend clarifying that the logs from the second host indeed reach Syslog-ng. (For UDP logs, netcat is usually enough.)

 Once it is clear that those logs reach the application level, we can focus on debugging Syslog-ng.

 By starting Syslog-ng with the following options, it will be much easier to examine the flow of messages:
 syslog-ng -Fdevt

 -F : start it in the foreground
 -d : debug mode
 -e : log messages to stderr
 -v : increases verbosity
 -t : also enable trace messages

Note: With these options enabled, Syslog-ng will produce a LOT of messages. So if you can turn off other logging sources temporarily, then it will be much easier to read those logs.

At this point you should start to receive this kind of debug message, which indicates that Syslog-ng received the log messages from your host:

  [2020-08-28T10:09:43.289660] Incoming log entry; line='hello world'

From this point the easiest way is to start with a minimal config and build up your final configuration step by step, checking incoming logs at each step.


Br,
Laci
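Laci's netcat step, written out as an added example (it is not part of this thread and not syslog-ng code): a small Python UDP listener that does what `nc -ul 514` does, but also decodes the `<PRI>` and hostname of each datagram and counts messages per source IP, so you can see at a glance whether the second firewall's packets reach user space at all. This matters because libpcap (Wireshark) sees frames before the host firewall's INPUT rules run, so a packet visible in a capture can still be dropped before any socket. The hostnames fw1/fw2 and the three sample lines are constructed, and the RFC 5424 header handling is simplified (structured data is not parsed). Run it as root on the real port only after stopping syslog-ng, since only one process can own udp/514; a bind failure with EADDRINUSE means the port is already taken, which is a different problem from packets not arriving.

```python
"""Check whether UDP syslog datagrams reach user space (the 'netcat step'),
and which sender each one came from. Added example, not syslog-ng code."""
import errno
import re
import socket
import sys
import time
from collections import Counter

# <PRI> is facility*8 + severity and must be 0..191 (RFC 3164 / RFC 5424).
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# RFC 3164: "Mmm dd hh:mm:ss HOST MSG" (the day may be padded with a second space).
BSD_HDR_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.DOTALL)
# RFC 5424 (simplified): "1 TIMESTAMP HOST APP PROCID MSGID SD MSG"; SD is '-' or [...].
IETF_HDR_RE = re.compile(r"^1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*\]) (.*)$", re.DOTALL)

# Constructed sample datagrams; fw1/fw2 are made-up firewall hostnames.
SAMPLE_LINES = [
    "<134>Aug 28 10:09:43 fw2 kernel: hello world",                          # BSD, local0.info
    "<165>1 2020-08-28T10:09:43.289660Z fw1 filterlog - - - pass in on em0",  # IETF, local4.notice
    "hello world",                                                            # no header at all
]


def parse_syslog(line: str) -> dict:
    """Extract facility, severity, host and message; unknown formats are kept as raw text."""
    out = {"facility": None, "severity": None, "host": None, "msg": line}
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return out
    pri = int(m.group(1))
    out["facility"], out["severity"] = pri >> 3, pri & 7
    rest = m.group(2)
    m5 = IETF_HDR_RE.match(rest)
    if m5:
        out["host"], out["msg"] = m5.group(2), m5.group(7)
        return out
    m3 = BSD_HDR_RE.match(rest)
    if m3:
        out["host"], out["msg"] = m3.group(2), m3.group(3)
        return out
    out["msg"] = rest  # valid PRI but no recognisable header
    return out


def open_listener(addr: str, port: int) -> socket.socket:
    """Bind a UDP socket like `nc -ul PORT`. Distinguish 'port already owned' (usually the
    syslog daemon itself, which must be stopped first) from 'needs root' for ports < 1024."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((addr, port))
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            raise RuntimeError(f"udp/{port} is already bound by another process; stop it first") from exc
        if exc.errno in (errno.EACCES, errno.EPERM):
            raise RuntimeError(f"udp/{port} is a privileged port; run as root") from exc
        raise
    return sock


def collect_datagrams(sock: socket.socket, seconds: float, max_messages: int = 0, on_message=None) -> list:
    """Receive until the deadline (or max_messages); return [(source_ip, parsed), ...]."""
    seen = []
    sock.settimeout(0.2)
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline and (max_messages == 0 or len(seen) < max_messages):
        try:
            data, (src_ip, _src_port) = sock.recvfrom(65535)
        except socket.timeout:
            continue
        record = (src_ip, parse_syslog(data.decode("utf-8", "replace")))
        if on_message:
            on_message(*record)
        seen.append(record)
    return seen


def per_sender_summary(seen: list) -> dict:
    """Messages per source IP plus the hostnames those messages claim. A firewall IP missing
    here means its datagrams never reached the socket, whatever Wireshark shows."""
    counts = Counter(src for src, _ in seen)
    hosts = {}
    for src, parsed in seen:
        hosts.setdefault(src, set()).add(parsed["host"])
    return {src: {"count": n, "hosts": sorted(h for h in hosts[src] if h)} for src, n in counts.items()}


def send_test_message(dst: str, port: int, line: str) -> int:
    """Fire one datagram (used for the loopback self-test); returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (dst, port))


if __name__ == "__main__":
    # usage: sudo python3 udp_syslog_probe.py [port] [seconds]   (stop syslog-ng first)
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 514
    secs = float(sys.argv[2]) if len(sys.argv) > 2 else 30.0
    try:
        listener = open_listener("0.0.0.0", port)
    except RuntimeError as exc:
        sys.exit(str(exc))
    print(f"listening on udp/{port} for {secs:.0f}s ...")
    show = lambda ip, p: print(f"{ip}  host={p['host']}  fac={p['facility']} sev={p['severity']}  {p['msg']!r}")
    seen = collect_datagrams(listener, secs, on_message=show)
    listener.close()
    print("per-sender summary:", per_sender_summary(seen))
```

If the second firewall's IP shows up in the summary, the packets do reach user space and the problem is inside syslog-ng, which is where `syslog-ng -Fdevt` and a minimal config take over. If it does not show up while Wireshark still sees the packets, look at the host firewall (nftables/iptables INPUT) or a bind on a specific interface address rather than at the syslog-ng configuration.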


________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Bruns, Benjamin <Benjamin.Bruns at cypp.de>
Sent: Friday, August 28, 2020 11:53
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] syslog-ng is ignoring a network source

Hello!

I am trying to send syslogs from two firewalls to my syslog-ng host. The first one worked immediately, but the logs of the second firewall seem to be ignored. Both syslogs come in via UDP on port 514 and I can see them in Wireshark on my syslog-ng host, but those from my second firewall disappear into a black hole. Both have Logstash as their destination configured. Any ideas? Thanks in advance!

Cheers, Ben