[syslog-ng] network logging

SZIGETVÁRI János jszigetvari at gmail.com
Tue Feb 25 14:39:06 UTC 2020


Hi Anatoly,

I appreciate the trust you bestowed to me by sending me the bundle.
From a syslog-ng perspective your setup looks all sane, and I couldn't spot
any problems.
Upon checking the debug logs, I saw that syslog-ng did not report either
of the incoming UDP packets as "Incoming messages", even though they were
recorded in the pcap file.
Given that SELinux is disabled and your firewall rules are all ALLOW,
there are very few things that could prevent the reception of the messages.
That led me to suspect a networking problem: a routing issue.

You seem to have two interfaces active: A and B.
A has a single IP configured, and B has two.
Only two locally connected networks are present in the routing table, plus a
default route that points to a host located in the subnet that interface A
is connected to.
The problem is that the packets arrive on interface B, while the IP address
they arrive from lies in the direction of interface A, at least from a
routing perspective.
Because of this, the kernel will silently discard these packets.
In order to fix this I would recommend that you review your routing table, or
reconfigure your setup so that these packets arrive at interface A's
configured IP address.

If you want to verify this theory of mine, I can point you to the following
article on how to make the kernel log these unroutable packets:

https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/

Best Regards,
János

--
Janos SZIGETVARI
RHCE, License no. 150-053-692
<https://www.redhat.com/rhtapps/verify/?certId=150-053-692>

LinkedIn: linkedin.com/in/janosszigetvari

__ at __˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp


Anatoly Pugachev <matorola at gmail.com> wrote (on Tue, 25 Feb 2020 at
10:58):

> On Wed, Feb 19, 2020 at 6:46 PM SZIGETVÁRI János <jszigetvari at gmail.com>
> wrote:
> >
> > Hi Anatoly,
> >
> > Thank you for the debug log!
> > It clearly shows that syslog-ng does not get the remote log at all.
> > Could you please run the syslog-ng-debun script with the following
> parameters, and send me the resulting tgz file?
> >
> > # syslog-ng-debun -r -P "port 3514" -D "-Fedv" -t 90
> >
> > This will run syslog-ng in debug mode for 90 seconds, and will also
> create a network traffic dump of the syslog traffic. Please try sending the
> test logs from the other VM while it is running.
>
>
> Janos,
>
> sorry for the delay, please see attached files.
>
> Thanks.
>
> tcpdump command was:
>
> localhost# tcpdump -n -w udp-3514.pcap -i ens224 udp and port 3514
>
> this captured 2 packets coming from 2 different machines, on which these were run:
>
> vm1# logger -d -i -n 172.16.3.50 -P 3514 "test from vm1"
> vm2# logger -d -i -n 172.16.3.50 -P 3514 "test from vm2"
>
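The check János proposes above, as an added example that is not part of the thread: once martian logging is switched on, the kernel reports each dropped packet as "martian source <dst> from <src>, on dev <if>"; this script pulls those entries out of a constructed kernel log (the addresses, host name and interface names are made up, not Anatoly's) and compares the receiving interface with the one the routing table would use for the source address.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Parses kernel "martian
# source" log lines and checks them against the local routing table.

# Constructed sample kernel log (not captured from a real system). The line
# shape follows the kernel's own format once log_martians is enabled.
SAMPLE_KLOG='Feb 25 10:58:01 localhost kernel: IPv4: martian source 172.16.3.50 from 10.0.0.21, on dev ens224
Feb 25 10:58:03 localhost kernel: IPv4: martian source 172.16.3.50 from 10.0.0.22, on dev ens224
Feb 25 10:58:09 localhost syslog-ng[1234]: unrelated line that must be ignored'

# martian_sources LOGTEXT -> one "<src-ip> <receiving-dev>" pair per martian line
martian_sources() {
    printf '%s\n' "$1" |
        sed -n 's/.*martian source [0-9.]* from \([0-9.]*\), on dev \([^ ]*\).*/\1 \2/p'
}

# martian_count LOGTEXT -> number of martian entries found
martian_count() {
    martian_sources "$1" | wc -l | tr -d ' '
}

# route_dev_for IP -> interface the kernel would use to reach IP ("unknown" offline)
route_dev_for() {
    ip -o route get "$1" 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n1
}

# rp_filter_mode IFACE -> reverse-path filter setting (0 off, 1 strict, 2 loose)
rp_filter_mode() {
    sysctl -n "net.ipv4.conf.$1.rp_filter" 2>/dev/null || echo unknown
}

# enable_martian_logging IFACE -> needs root; makes the silent drops visible
enable_martian_logging() {
    sysctl -w "net.ipv4.conf.$1.log_martians=1"
}

# Report: for each martian entry show where it arrived vs. where its source routes.
martian_sources "$SAMPLE_KLOG" | while read -r src dev; do
    via=$(route_dev_for "$src"); [ -n "$via" ] || via=unknown
    echo "source $src arrived on $dev (rp_filter=$(rp_filter_mode "$dev")), routed via $via"
done
```

Run it on the real log with `martian_sources "$(dmesg)"` after enabling logging on the interface that receives the syslog traffic; an entry whose receiving interface differs from the routed interface is exactly the asymmetry described above.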