[syslog-ng] network logging

SZIGETVÁRI János jszigetvari at gmail.com
Wed Feb 19 15:46:11 UTC 2020


Hi Anatoly,

Thank you for the debug log!
It clearly shows that syslog-ng does not get the remote log at all.
Could you please run the syslog-ng-debun script with the following
parameters, and send me the resulting tgz file?

# syslog-ng-debun -r -P "port 3514" -D "-Fedv" -t 90

This will run syslog-ng in debug mode for 90 seconds, and will also create
a network traffic dump of the syslog traffic. Please try sending the test
logs from the other VM while it is running.

Thanks,
János
--
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>

LinkedIn: linkedin.com/in/janosszigetvari

__ at __˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp


Anatoly Pugachev <matorola at gmail.com> wrote (on Wed, 19 Feb 2020, 16:02):

> On Wed, Feb 19, 2020 at 2:50 PM SZIGETVÁRI János <jszigetvari at gmail.com>
> wrote:
> >
> > Dear Anatoly,
> >
> > I would recommend that you stop the syslog-ng service, and start it in the
> > foreground, in debug mode, with:
> > # syslog-ng -Fedv
> >
> > Or possibly direct all its output to a file, and then try sending in the
> > test logs, and subsequently check the debug output to see whether syslog-ng
> > has received the logs.
> > (It will report all incoming logs, so in the debug output you should see
> > it even if it's not written to the destination file for some reason.)
> > Also in the debug output you should see any file creation related error
> > messages, if there are any.
> > If you don't see your test logs in the debug output, then the cause is
> > likely something outside of syslog-ng's scope.
> >
> > BTW do you have SELinux enabled?
> > (I would not think so though, because syslog-ng was allowed to bind to
> > UDP/3514, a non-standard port, which SELinux would prevent, if in enforcing
> > mode.)
> >
> > Best Regards,
> > János
> > --
> > Janos SZIGETVARI
> > RHCE, License no. 150-053-692
> >
> > Anatoly Pugachev <matorola at gmail.com> wrote (on Wed, 19 Feb 2020, 12:29):
> >> Hello!
> >>
> >> Can someone help me with network logging with syslog-ng :
> >>
> >> # rpm -q syslog-ng
> >> syslog-ng-3.25.1.239.g0535e8a-1.el7.x86_64
> >>
> >> # rpm -qf /etc/os-release
> >> centos-release-7-7.1908.0.el7.centos.x86_64
> >>
> >> server is centos 7 x86_64 vm
> >>
> >> /etc/syslog-ng/syslog-ng.conf is in the default configuration (no
> >> changes made from rpm package installed), have additional
> >> configuration in :
> >>
> >> # cat conf.d/mtcaptive.conf
> >> source s_mtcaptive { network( ip("0.0.0.0") port(3514)
> >> transport("udp")); };
> >> destination d_mtcaptive { file("/var/log/mt-captive-remote"); };
> >> log { source(s_mtcaptive); destination(d_mtcaptive); };
> >>
> >>
> >> If I try to log a test message with logger on a localhost (where
> >> syslog-ng runs):
> >>
> >> [root at localhost syslog-ng]# logger -d -i -n 172.16.3.50 -P 3514 "test
> >> from localhost"
> >>
> >> it does work and appears in /var/log/mt-captive-remote :
> >>
> >> $ tail -1 /var/log/mt-captive-remote
> >> Feb 19 06:15:01 172.16.3.50 root[11326]: test from localhost
> >>
> >> But if I try the same command on a nearby host (vm2, same L2 network,
> >> but different IP network), it does not get logged, although the UDP packet
> >> with the test message is received by the host:
> >>
> >> [root at vm2 ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from vm2"
> >>
> >> back to syslog-ng host:
> >>
> >> # ngrep -d ens224 -n 10 "test from" "udp and port 3514"
> >> interface: ens224 (172.16.3.0/255.255.255.0)
> >> filter: ( udp and port 3514 ) and ((ip || ip6) || (vlan && (ip || ip6)))
> >> match: test from
> >>
> >> ##########################################################################################################################################################################################################################
> >> U 100.64.128.5:24046 -> 172.16.3.50:3514 #218
> >>   <5>Feb 19 06:20:27 root[31663]: test from vm2.
> >>
> >> #####################################################################################################^Cexit
> >> 319 received, 1 matched
> >>
> >>
> >> looking at socket status on syslog-ng host:
> >>
> >> # ss -unlp | grep 3514
> >> UNCONN     0      0            *:3514                     *:*
> >>          users:(("syslog-ng",pid=11198,fd=23))
> >>
> >> no firewall or iptables rules (default all ACCEPT).
> >>
> >> Can someone suggest why syslog-ng does not log remote messages to my
> >> destination file?
> >>
> >> Thanks.
>
>
>
> Janos,
>
> here's the attached syslog-ng-Fedv-log.txt.gz with a log of running
> syslog-ng with debug options (Fedv).
> SELinux is disabled.
>
> Command sequence:
>
> [root at localhost ~]# getenforce
> Disabled
>
> [root at localhost ~]# systemctl stop syslog.socket
>
> [root at localhost ~]# systemctl stop syslog-ng
>
> [root at localhost ~]# ps ax | grep syslog
> 11997 pts/0    S+     0:00 grep --color=auto syslog
>
> [root at localhost ~]# cd /etc/syslog-ng/
>
> [root at localhost syslog-ng]# syslog-ng -s -f syslog-ng.conf
> [root at localhost syslog-ng]# echo $?
> 0
>
> [root at localhost syslog-ng]# syslog-ng -Fedv
>
> (start logging and open another terminal window)
>
> [root at localhost ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from
> localhost"
>
> [root at vm2 ~]# logger -d -i -n 172.16.3.50 -P 3514 "test from vm2"
>
> back to running syslog-ng log and stop it (CTRL-C on syslog-ng -Fedv )
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
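A stand-alone check for the path this thread is narrowing down, added here as an example; it is not from the thread, from syslog-ng or from syslog-ng-debun. It decodes BSD-syslog (RFC 3164) datagrams like the one in the ngrep capture above (its `<5>` PRI splits into facility 0 and severity 5, i.e. kern.notice, and the datagram carries no hostname field), and it can bind the UDP port itself, with syslog-ng stopped, so you can see whether a datagram from the other VM reaches a socket on that port at all, independent of syslog-ng's own processing. The sample datagram is constructed from the capture; the `probe` tag and all function names are my own choices, not anything from syslog-ng.

```python
"""Stand-alone check for the UDP syslog path discussed in the thread.

Two roles, both independent of syslog-ng:
  listen <addr> <port>       bind the port yourself (syslog-ng must be stopped
                             first, or bind() fails) and decode the first datagram
  send <dst> <port> <text>   emit a BSD-syslog datagram shaped like the capture
Run with no arguments to decode the constructed sample below.
"""
import re
import socket
import sys
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Facility and severity names as listed in RFC 3164 section 4.1.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "log audit", "log alert",
              "clock daemon", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP [HOSTNAME] TAG[PID]: MSG -- HOSTNAME is optional here because
# the datagram captured with ngrep in the thread carries none.
_BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?:(?P<host>[^ :\[]+) )?"
    r"(?P<tag>[^ :\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: Optional[str]
    tag: str
    pid: Optional[int]
    msg: str

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def parse_bsd_syslog(payload: bytes) -> SyslogMessage:
    """Decode one RFC 3164 datagram; raises ValueError on anything else."""
    # Trailing NUL/newline bytes are layout, not message (ngrep shows such a
    # non-printable trailing byte as "."), so they are stripped before matching.
    text = payload.decode("utf-8", errors="replace").rstrip("\x00\r\n")
    m = _BSD.match(text)
    if m is None:
        raise ValueError(f"not a BSD syslog message: {text!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return SyslogMessage(
        facility=pri >> 3, severity=pri & 7, timestamp=m["ts"], hostname=m["host"],
        tag=m["tag"], pid=int(m["pid"]) if m["pid"] else None, msg=m["msg"],
    )


def build_datagram(facility: int, severity: int, tag: str, pid: int, msg: str,
                   timestamp: Optional[str] = None) -> bytes:
    """Encode a datagram with the same shape as the capture (no hostname field)."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    if timestamp is None:
        now = time.localtime()  # BSD timestamp: space-padded day, no year
        timestamp = time.strftime("%b ", now) + f"{now.tm_mday:2d}" + time.strftime(" %H:%M:%S", now)
    return f"<{facility * 8 + severity}>{timestamp} {tag}[{pid}]: {msg}\n".encode()


def listen_once(addr: str, port: int, timeout: float = 60.0) -> Optional[Tuple[str, bytes]]:
    """Bind addr:port and return (peer, payload) of the first datagram, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((addr, port))
        sock.settimeout(timeout)
        try:
            data, (peer, _) = sock.recvfrom(65535)
        except socket.timeout:
            return None
    return peer, data


def send_datagram(dst: str, port: int, payload: bytes) -> int:
    """Send one datagram and return the number of bytes handed to the kernel."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (dst, port))


# Constructed from the ngrep capture in the thread; the trailing byte is a newline here.
CAPTURED_FROM_VM2 = b"<5>Feb 19 06:20:27 root[31663]: test from vm2\n"

if __name__ == "__main__":
    if sys.argv[1:2] == ["listen"]:
        got = listen_once(sys.argv[2], int(sys.argv[3]))
        print("nothing arrived" if got is None else f"from {got[0]}: {parse_bsd_syslog(got[1])}")
    elif sys.argv[1:2] == ["send"]:
        send_datagram(sys.argv[2], int(sys.argv[3]), build_datagram(1, 5, "probe", 1, sys.argv[4]))
    else:
        print(parse_bsd_syslog(CAPTURED_FROM_VM2))
```

Usage follows the thread's own sequence: on the syslog-ng host stop syslog-ng, run `listen 0.0.0.0 3514`, then run `send 172.16.3.50 3514 "test from vm2"` on the other VM. If the listener prints the decoded message, the datagram reaches a socket bound on that port and the remaining question is inside syslog-ng (which the `-Fedv` debug run and syslog-ng-debun capture address); if it times out, the problem is on the network or host side before any listener.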