[syslog-ng] network logging

Anatoly Pugachev matorola at gmail.com
Wed Feb 19 15:01:49 UTC 2020


On Wed, Feb 19, 2020 at 2:50 PM SZIGETVÁRI János <jszigetvari at gmail.com> wrote:
>
> Dear Anatoly,
>
> I would recommend that you stop the syslog-ng service, and start it in the foreground, in debug mode, with:
> # syslog-ng -Fedv
>
> Or possibly direct all its output to a file, and then try sending in the test logs, and subsequently check the debug output to see whether syslog-ng has received the logs.
> (It will report all incoming logs, so in the debug output you should see it even if it's not written to the destination file for some reason.)
> Also in the debug output you should see any file creation related error messages, if there are any.
> If you don't see your test logs in the debug output, then the cause is likely something outside of syslog-ng's scope.
>
> BTW do you have SELinux enabled?
> (I would not think so though, because syslog-ng was allowed to bind to UDP/3514, a non-standard port, which SELinux would prevent, if in enforcing mode.)
>
> Best Regards,
> János
> --
> Janos SZIGETVARI
> RHCE, License no. 150-053-692
>
> Anatoly Pugachev <matorola at gmail.com> wrote (on Wed, 19 Feb 2020 at 12:29):
>> Hello!
>>
>> Can someone help me with network logging with syslog-ng :
>>
>> # rpm -q syslog-ng
>> syslog-ng-3.25.1.239.g0535e8a-1.el7.x86_64
>>
>> # rpm -qf /etc/os-release
>> centos-release-7-7.1908.0.el7.centos.x86_64
>>
>> server is centos 7 x86_64 vm
>>
>> /etc/syslog-ng/syslog-ng.conf is in the default configuration (no
>> changes made from rpm package installed), have additional
>> configuration in :
>>
>> # cat conf.d/mtcaptive.conf
>> source s_mtcaptive { network( ip("0.0.0.0") port(3514) transport("udp")); };
>> destination d_mtcaptive { file("/var/log/mt-captive-remote"); };
>> log { source(s_mtcaptive); destination(d_mtcaptive); };
>>
>>
>> If I try to log a test message with logger on localhost (where
>> syslog-ng runs):
>>
>> [root at localhost syslog-ng]# logger -d -i -n 172.16.3.50 -P 3514 "test
>> from localhost"
>>
>> it does work and appears in /var/log/mt-captive-remote :
>>
>> $ tail -1 /var/log/mt-captive-remote
>> Feb 19 06:15:01 172.16.3.50 root[11326]: test from localhost
>>
>> But if I try the same command on a nearby host (vm2, same L2 network,
>> but different IP network), it is not logged, although the UDP packet with
>> the test message is received by the host:
>>
>> [root at vm2 ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from vm2"
>>
>> back to syslog-ng host:
>>
>> # ngrep -d ens224 -n 10 "test from" "udp and port 3514"
>> interface: ens224 (172.16.3.0/255.255.255.0)
>> filter: ( udp and port 3514 ) and ((ip || ip6) || (vlan && (ip || ip6)))
>> match: test from
>> ##########################################################################################################################################################################################################################
>> U 100.64.128.5:24046 -> 172.16.3.50:3514 #218
>>   <5>Feb 19 06:20:27 root[31663]: test from vm2.
>> #####################################################################################################^Cexit
>> 319 received, 1 matched
>>
>>
>> looking at socket status on syslog-ng host:
>>
>> # ss -unlp | grep 3514
>> UNCONN     0      0            *:3514                     *:*
>>          users:(("syslog-ng",pid=11198,fd=23))
>>
>> no firewall or iptables rules (default all ACCEPT).
>>
>> Can someone suggest why syslog-ng does not log remote messages to my
>> destination file?
>>
>> Thanks.
Janos,

here's attached syslog-ng-Fedv-log.txt.gz with a log of running
syslog-ng with debug options (Fedv).
SELinux is disabled.

Command sequence:

[root at localhost ~]# getenforce
Disabled

[root at localhost ~]# systemctl stop syslog.socket

[root at localhost ~]# systemctl stop syslog-ng

[root at localhost ~]# ps ax | grep syslog
11997 pts/0    S+     0:00 grep --color=auto syslog

[root at localhost ~]# cd /etc/syslog-ng/

[root at localhost syslog-ng]# syslog-ng -s -f syslog-ng.conf
[root at localhost syslog-ng]# echo $?
0

[root at localhost syslog-ng]# syslog-ng -Fedv

(start logging and open another terminal window)

[root at localhost ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from localhost"

[root at vm2 ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from vm2"

back to the running syslog-ng log and stop it (CTRL-C on syslog-ng -Fedv)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: syslog-ng-Fedv-log.txt.gz
Type: application/x-gzip
Size: 4456 bytes
Desc: not available
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200219/6efa156d/attachment.bin>
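The two line shapes quoted in this thread differ in one visible way: the datagram ngrep captured from vm2 (`<5>Feb 19 06:20:27 root[31663]: test from vm2.`) carries a PRI and no hostname between the timestamp and the tag, while the line syslog-ng wrote for the localhost test (`Feb 19 06:15:01 172.16.3.50 root[11326]: test from localhost`) has no PRI and a host field. The parser below is an added example, not code from the thread or from syslog-ng, and it does not reproduce syslog-ng's own parsing heuristics; it does a plain RFC 3164-style split (optional `<PRI>`, BSD timestamp, optional host, `TAG[PID]:`, message) and decodes PRI as facility * 8 + severity, so both samples can be compared field by field. The two sample strings are copied from the thread; the third sample in the test is constructed.

```python
"""Field-by-field parse of BSD-syslog lines as seen on the wire and in a
syslog-ng destination file. Added example; a simple RFC 3164-style split,
not syslog-ng's parser."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Samples copied from the thread: the vm2 datagram as captured by ngrep, and
# the line syslog-ng wrote to /var/log/mt-captive-remote for the localhost test.
WIRE_SAMPLE = b"<5>Feb 19 06:20:27 root[31663]: test from vm2."
FILE_SAMPLE = "Feb 19 06:15:01 172.16.3.50 root[11326]: test from localhost"

# Facility and severity names by numeric code (RFC 3164 / RFC 5424 tables).
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7")
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

BSD_TS = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"  # e.g. "Feb 19 06:20:27"
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"        # optional <PRI>; present on the wire only
    r"(?P<ts>" + BSD_TS + r") "        # BSD timestamp
    r"(?:(?P<host>[^\s:\[]+) )?"       # optional hostname (absent in the vm2 datagram)
    r"(?P<tag>[^\s:\[]+)"              # program name
    r"(?:\[(?P<pid>\d+)\])?: ?"        # optional [PID], then the colon
    r"(?P<msg>.*)$"                    # free-form message text
)


@dataclass
class SyslogMessage:
    facility: Optional[str]   # None when the line carries no <PRI>
    severity: Optional[str]
    timestamp: str
    host: Optional[str]       # None when no hostname field is present
    tag: str
    pid: Optional[int]
    msg: str


def decode_pri(pri: int) -> Tuple[str, str]:
    """PRI = facility * 8 + severity; valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_line(line: str) -> SyslogMessage:
    """Split one BSD-syslog line (with or without <PRI> and hostname)."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    facility = severity = None
    if m["pri"] is not None:
        facility, severity = decode_pri(int(m["pri"]))
    return SyslogMessage(
        facility, severity, m["ts"], m["host"], m["tag"],
        int(m["pid"]) if m["pid"] else None, m["msg"],
    )


def parse_datagram(data: bytes) -> SyslogMessage:
    """Parse a raw UDP payload as captured by ngrep or read from a socket."""
    return parse_line(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    for label, parsed in (("wire (vm2)", parse_datagram(WIRE_SAMPLE)),
                          ("file (localhost)", parse_line(FILE_SAMPLE))):
        print(f"{label:>18}: {parsed}")
```

Running the block prints the vm2 datagram with `facility='kern', severity='notice', host=None` and the file line with `facility=None, host='172.16.3.50'`, which is exactly the difference visible in the quoted ngrep output versus the `tail` output above.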