[syslog-ng] syslog-ng multiple VRF

Alexandre Santos alexandre.rosas.santos at gmail.com
Wed Jul 22 17:06:42 UTC 2020


Hi Laci,

Thanks for your comments and help.
Below are the details of my problem!

Any help is very appreciated.

*So I want to read from the interface:*
20: INTRA-CH@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 08:00:27:79:1c:f5 brd ff:ff:ff:ff:ff:ff
    inet 127.10.10.1/22 brd 127.1.3.255 scope host INTRA-CH
       valid_lft forever preferred_lft forever

*I want to write to the interface:*
30: EXT@eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9216 qdisc noqueue *master MGMT* state UP group default qlen 1000
    link/ether 1a:07:cf:e2:28:ca brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.132/24 brd 192.168.1.255 scope global EXT
       valid_lft forever preferred_lft forever
    inet6 fe80::8bd5:aa6a:9510:7418/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

*syslog-ng is running as a service in Debian10.*

*Configurations of syslog-ng for the source are:*
source s_src {
    system();
    internal();
    syslog(ip(127.1.1.1) transport("udp") port(514) keep-alive(no));
};

*Configurations of syslog-ng for the destination are:*
destination d_test1_udp {
    syslog("192.168.1.88" transport("udp") ip-protocol(4) port(514)
        keep-alive(no) localip("192.168.1.132")
        suppress(5)
    );
};
filter f_remote_test1_udp_authpriv {
    facility(authpriv) and level(debug .. emerg);
};
filter f_remote_test1_udp_local1 {
    facility(local1) and level(debug .. emerg);
};
filter f_remote_test1_udp_local2 {
    facility(local2) and level(debug .. emerg);
};
filter f_remote_test1_udp_local6 {
    facility(local6) and level(debug .. emerg);
};
filter f_remote_test1_udp {
    filter(f_remote_test1_udp_authpriv) or
    filter(f_remote_test1_udp_local1) or
    filter(f_remote_test1_udp_local2) or
    filter(f_remote_test1_udp_local6);
};
log {
    source(s_src);
    filter(f_remote_test1_udp);
    destination(d_test1_udp);
};

*I got the syslog-ng log:*

Jul 22 17:01:10 localhost syslog-ng[14253]: [2020-07-22T17:01:10.448970] WARNING: With use-dns(no), dns-cache() will be forced to 'no' too!;
Jul 22 17:01:10 localhost syslog-ng[14253]: [2020-07-22T17:01:10.450299] Current position not matches to the saved cursor position, seek to head; cursor='s=eabbca1417cd46a398b5e6593d62
Jul 22 17:01:10 localhost syslog-ng[14253]: [2020-07-22T17:01:10.463249] Error binding socket; addr='AF_INET(192.168.1.132:0)', error='Cannot assign requested address (99)'
Jul 22 17:01:10 localhost syslog-ng[14253]: [2020-07-22T17:01:10.463974] Initiating connection failed, reconnecting; time_reopen='60'


On Wed, Jul 22, 2020 at 10:20 AM Laszlo Szemere (lszemere) <
Laszlo.Szemere at oneidentity.com> wrote:

> Hello Alex,
>  I read a tutorial about VRFs. (To be honest I have never worked with
> them before.)
>
>  From your current description it is not clear to me where syslog-ng is
> on your network. Can you please provide some topology information?
>
>
>  In the meantime (if my assumption is right about your use case):
>    By default, a syslog-ng network source will listen on all available
> interfaces. You can specify the IP address to bind to, with the "ip()"
> option.
>    Similarly network destinations will bind to "0.0.0.0" by default, which
> can be overwritten by the "localip()" option.
>
>
> Best regards,
> Laci
>
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Alexandre Santos <alexandre.rosas.santos at gmail.com>
> *Sent:* Tuesday, July 21, 2020 16:18
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* [syslog-ng] syslog-ng multiple VRF
>
> Hi All,
>
> I have a question regarding syslog-ng and VRF.
> I want to read from a syslog source whose interface is in the default
> VRF, and send the logs to a syslog/network destination interface which is
> in a MGMT VRF.
>
> Can syslog-ng support this?
> If yes, what are the aspects I should be careful about?
>
> Thanks and regards,
> Alex
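One way to reproduce the bind failure from the log above outside syslog-ng, as an added example that is not part of the original post or of syslog-ng: it extracts the failing address from the "Error binding socket" line and retries the same UDP bind, first in the default context and then with SO_BINDTODEVICE set to the VRF device. On Linux a socket has to be bound to the VRF device before it can use addresses on interfaces enslaved to that VRF; the device name MGMT comes from the post, and the function names are hypothetical.

```python
import errno
import re
import socket

# Matches the syslog-ng internal message quoted in the post.
BIND_ERR = re.compile(
    r"Error binding socket;\s+addr='AF_INET\((?P<ip>[\d.]+):(?P<port>\d+)\)',"
    r"\s+error='(?P<msg>[^']*?)\s*\((?P<errno>\d+)\)'")

def find_bind_failures(log_text):
    """Return (ip, port, errno) for every 'Error binding socket' message."""
    return [(m["ip"], int(m["port"]), int(m["errno"]))
            for m in BIND_ERR.finditer(log_text)]

def probe_bind(ip, port=0, device=None):
    """Attempt the UDP bind syslog-ng makes for localip(); return 0 or errno.

    device: optional interface or VRF name applied with SO_BINDTODEVICE
    before bind() (Linux only, normally needs root or CAP_NET_RAW).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            if device:
                s.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE,
                             device.encode() + b"\0")
            s.bind((ip, port))
            return 0
        except OSError as e:
            return e.errno

# Constructed sample: the bind error line from the post, joined onto one line.
SAMPLE = ("Jul 22 17:01:10 localhost syslog-ng[14253]: "
          "[2020-07-22T17:01:10.463249] Error binding socket; "
          "addr='AF_INET(192.168.1.132:0)', "
          "error='Cannot assign requested address (99)'")

def name(rc):
    """Render a probe result as 'ok' or the symbolic errno name."""
    return "ok" if rc == 0 else errno.errorcode.get(rc, str(rc))

if __name__ == "__main__":
    for ip, port, err in find_bind_failures(SAMPLE):
        print(f"syslog-ng: bind {ip}:{port} failed with {name(err)}")
        print("default context:", name(probe_bind(ip, port)))
        # "MGMT" is the VRF named in the post; adjust for other hosts.
        print("bound to MGMT:  ", name(probe_bind(ip, port, device="MGMT")))
```

Run on the affected host, EADDRNOTAVAIL in the default context together with "ok" when bound to MGMT points at the socket's VRF context rather than at the syslog-ng configuration syntax.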