[syslog-ng] network logging

SZIGETVÁRI János jszigetvari at gmail.com
Wed Feb 19 11:50:02 UTC 2020


Dear Anatoly,

I would recommend that you stop the syslog-ng service and start it in the
foreground, in debug mode, with:
# syslog-ng -Fedv

Or possibly direct all its output to a file, and then try sending in the
test logs, and subsequently check the debug output to see whether syslog-ng
has received the logs.
(It will report all incoming logs, so in the debug output you should see it
even if it's not written to the destination file for some reason.)
Also in the debug output you should see any file creation related error
messages, if there are any.
If you don't see your test logs in the debug output, then the cause is
likely something outside of syslog-ng's scope.

BTW do you have SELinux enabled?
(I would not think so though, because syslog-ng was allowed to bind to
UDP/3514, a non-standard port, which SELinux would prevent, if in enforcing
mode.)

Best Regards,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>

LinkedIn: linkedin.com/in/janosszigetvari

__ at __˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp


Anatoly Pugachev <matorola at gmail.com> wrote (on 19 Feb 2020,
Wed, 12:29):

> Hello!
>
> Can someone help me with network logging with syslog-ng :
>
> # rpm -q syslog-ng
> syslog-ng-3.25.1.239.g0535e8a-1.el7.x86_64
>
> # rpm -qf /etc/os-release
> centos-release-7-7.1908.0.el7.centos.x86_64
>
> server is centos 7 x86_64 vm
>
> /etc/syslog-ng/syslog-ng.conf is in the default configuration (no
> changes made from rpm package installed), have additional
> configuration in :
>
> # cat conf.d/mtcaptive.conf
> source s_mtcaptive { network( ip("0.0.0.0") port(3514) transport("udp"));
> };
> destination d_mtcaptive { file("/var/log/mt-captive-remote"); };
> log { source(s_mtcaptive); destination(d_mtcaptive); };
>
>
> If I try to log a test message with logger on the localhost (where
> syslog-ng runs):
>
> [root at localhost syslog-ng]# logger -d -i -n 172.16.3.50 -P 3514 "test
> from localhost"
>
> it does work and appears in /var/log/mt-captive-remote :
>
> $ tail -1 /var/log/mt-captive-remote
> Feb 19 06:15:01 172.16.3.50 root[11326]: test from localhost
>
> But if I try the same command on a nearby host (vm2, same L2 network,
> but different IP network), it does not get logged, although the UDP packet
> with the test message is received by the host:
>
> [root at vm2 ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from vm2"
>
> back to syslog-ng host:
>
> # ngrep -d ens224 -n 10 "test from" "udp and port 3514"
> interface: ens224 (172.16.3.0/255.255.255.0)
> filter: ( udp and port 3514 ) and ((ip || ip6) || (vlan && (ip || ip6)))
> match: test from
>
> ##########################################################################################################################################################################################################################
> U 100.64.128.5:24046 -> 172.16.3.50:3514 #218
>   <5>Feb 19 06:20:27 root[31663]: test from vm2.
>
> #####################################################################################################^Cexit
> 319 received, 1 matched
>
>
> looking at socket status on syslog-ng host:
>
> # ss -unlp | grep 3514
> UNCONN     0      0            *:3514                     *:*
>          users:(("syslog-ng",pid=11198,fd=23))
>
> no firewall or iptables rules (default all ACCEPT).
>
> Can someone suggest why syslog-ng does not log remote messages to my
> destination file?
>
> Thanks.
>
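The check János recommends above (confirm that the test datagrams actually reach a socket on UDP/3514, independently of whatever syslog-ng does with them afterwards) can also be reproduced with a minimal stand-in listener. This is an added example, not code from the thread or from syslog-ng; it assumes syslog-ng is stopped so that the port is free, and its built-in self-test uses loopback with an ephemeral port and a datagram constructed from the ngrep capture quoted above.

```python
import re
import socket

# RFC 3164 header: "<PRI>" where PRI = facility * 8 + severity
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(datagram: bytes) -> dict:
    """Split a BSD-syslog datagram into facility, severity and the remaining text."""
    text = datagram.decode("utf-8", errors="replace")
    m = _PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        # No valid PRI header present; hand the raw text back unchanged
        return {"facility": None, "severity": None, "body": text}
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "body": m.group(2)}


def listen(bind_addr: str = "0.0.0.0", port: int = 3514) -> socket.socket:
    """Bind a plain UDP socket where syslog-ng's network() source would normally sit."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock


def receive_one(sock: socket.socket, timeout: float = 2.0):
    """Return the next datagram as a parsed dict, or None if nothing arrives in time."""
    sock.settimeout(timeout)
    try:
        data, peer = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return {"peer": peer[0], **parse_pri(data)}


def self_test() -> dict:
    """Loopback round trip on an ephemeral port, using the datagram seen in the thread."""
    sock = listen("127.0.0.1", 0)
    port = sock.getsockname()[1]
    # Constructed from the ngrep capture above: <5> = facility 0 (kern), severity 5 (notice)
    msg = b"<5>Feb 19 06:20:27 root[31663]: test from vm2."
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(msg, ("127.0.0.1", port))
        return receive_one(sock)
    finally:
        sender.close()
        sock.close()


if __name__ == "__main__":
    print(self_test())
```

Run `listen()` plus `receive_one()` on the real port while sending from vm2: if ngrep shows the packet on the wire but this listener never receives it, the drop happens in the host's network stack before any socket, which is the "outside of syslog-ng's scope" case János describes.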