[syslog-ng] Problem to Get UDP Packets - Syslog-ng

William Luiz Ribeiro Vasconcelos Da Silva wsilva_ericsson at timbrasil.com.br
Wed Mar 25 15:48:53 UTC 2020


Hello Everyone,

I installed syslog-ng on a new machine, however in initial tests, there was no collection of UDP packets by syslog-ng.

Here are some points I checked:

sudo netstat -plunt | grep -e PID -e syslog
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:601             0.0.0.0:*               LISTEN      16169/syslog-ng
udp        0      0 10.96.145.42:514        0.0.0.0:*                           16169/syslog-ng

netstat -anu | grep 514
udp        0      0 10.96.145.42:514        0.0.0.0:*


[cgnat at mgalnxa01 etc]$ sudo systemctl status syslog-ng -l
● syslog-ng.service - System Logger Daemon
   Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-03-25 12:38:08 -03; 5min ago
  Process: 114207 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 16169 (syslog-ng)
   CGroup: /system.slice/syslog-ng.service
           └─16169 /opt/syslog-ng/libexec/syslog-ng -F --enable-core

Mar 25 12:38:08 mgalnxa01 systemd[1]: Starting System Logger Daemon...


Here is an example of a packet seen via tcpdump, but it was not captured by syslog-ng:

10:46:13.529331 IP (tos 0x20, ttl 251, id 33055, offset 0, flags [none], proto UDP (17), length 243)
    10.96.145.98.syslog > mgalnxa01.9514: [udp sum ok] SYSLOG, length: 215
        Facility user (1), Severity info (6)
        Msg: Mar 24 13:46:13 2020 RTCGNMGA0103 RT_NAT: RT_SRC_NAT_PBA_ALLOC: Subscriber 100.64.1.6 used/maximum [2/2] blocks, allocates port block [47104-47167] from 177.51.116.146 in source pool PUBLIC-NAT-POOL-1 lsys_id: 0
        0x0000:  3c31 343e 4d61 7220 3234 2031 333a 3436
        0x0010:  3a31 3320 3230 3230 2052 5443 474e 4d47
        0x0020:  4130 3130 3320 5254 5f4e 4154 3a20 5254
        0x0030:  5f53 5243 5f4e 4154 5f50 4241 5f41 4c4c
        0x0040:  4f43 3a20 5375 6273 6372 6962 6572 2031
        0x0050:  3030 2e36 342e 312e 3620 7573 6564 2f6d
        0x0060:  6178 696d 756d 205b 322f 325d 2062 6c6f
        0x0070:  636b 732c 2061 6c6c 6f63 6174 6573 2070
        0x0080:  6f72 7420 626c 6f63 6b20 5b34 3731 3034
        0x0090:  2d34 3731 3637 5d20 6672 6f6d 2031 3737
        0x00a0:  2e35 312e 3131 362e 3134 3620 696e 2073
        0x00b0:  6f75 7263 6520 706f 6f6c 2050 5542 4c49
        0x00c0:  432d 4e41 542d 504f 4f4c 2d31 206c 7379
        0x00d0:  735f 6964 3a20 30


What do I need to analyze / verify so that syslog-ng will capture this type of packet and write it to a file?

Best regards,

WILLIAM LUIZ R V SILVA
Mediation

Ericsson
Rua Maria Preste Maia, 300
02879-130, Brazil
Phone  +55 11   2760-3785
Mobile +55 11  97979-9886
wsilva_ericsson at timbrasil.com.br
www.ericsson.com


This message, including its attachments, may contain privileged or confidential information, and it must not be forwarded without the express authorization of the sender. If you are not the intended recipient, we hereby inform you that the use, disclosure, copying or filing are forbidden. So, if you received this message by mistake, please inform us by answering this e-mail and deleting its contents.
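As an added example for the question above (my own code, not part of the original post and not syslog-ng's), the script below takes the `netstat -plunt` output and the tcpdump summary and hex dump quoted in the message as constructed inline samples, parses the sockets the daemon is bound to and the datagram's destination port, reports whether any UDP socket matches, and decodes the hex dump to read the syslog PRI field. The sample data is copied from the post; all function names are assumptions of this example.

```python
"""Cross-check a UDP syslog datagram seen by tcpdump against the sockets a
daemon is actually bound to, and decode the datagram's payload.

Added example for the thread above; it is not syslog-ng code. The sample
netstat and tcpdump lines are copied from the post as constructed inline
input; all function names are my own.
"""
import re

# Constructed sample: the `netstat -plunt` output quoted in the post.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:601             0.0.0.0:*               LISTEN      16169/syslog-ng
udp        0      0 10.96.145.42:514        0.0.0.0:*                           16169/syslog-ng
"""

# Constructed sample: the tcpdump summary line and hex dump quoted in the post.
TCPDUMP_SUMMARY = "10.96.145.98.syslog > mgalnxa01.9514: [udp sum ok] SYSLOG, length: 215"
TCPDUMP_HEX = """\
0x0000:  3c31 343e 4d61 7220 3234 2031 333a 3436
0x0010:  3a31 3320 3230 3230 2052 5443 474e 4d47
0x0020:  4130 3130 3320 5254 5f4e 4154 3a20 5254
0x0030:  5f53 5243 5f4e 4154 5f50 4241 5f41 4c4c
0x0040:  4f43 3a20 5375 6273 6372 6962 6572 2031
0x0050:  3030 2e36 342e 312e 3620 7573 6564 2f6d
0x0060:  6178 696d 756d 205b 322f 325d 2062 6c6f
0x0070:  636b 732c 2061 6c6c 6f63 6174 6573 2070
0x0080:  6f72 7420 626c 6f63 6b20 5b34 3731 3034
0x0090:  2d34 3731 3637 5d20 6672 6f6d 2031 3737
0x00a0:  2e35 312e 3131 362e 3134 3620 696e 2073
0x00b0:  6f75 7263 6520 706f 6f6c 2050 5542 4c49
0x00c0:  432d 4e41 542d 504f 4f4c 2d31 206c 7379
0x00d0:  735f 6964 3a20 30
"""

# Service names tcpdump prints instead of numeric ports when run without -n.
SERVICE_PORTS = {"syslog": 514, "syslog-conn": 601}

SUMMARY_RE = re.compile(r"^\s*(\S+)\.(\S+) > (\S+)\.(\S+?):")
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_listeners(netstat_text):
    """Return [(proto, bind_addr, port, program)] for each socket line."""
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addr, _, port = parts[3].rpartition(":")
        listeners.append((parts[0].rstrip("6"), addr, int(port), parts[-1]))
    return listeners


def parse_destination(summary_line):
    """Return (dest_host, dest_port) from a tcpdump 'src.port > dst.port:' line."""
    m = SUMMARY_RE.match(summary_line)
    if not m:
        raise ValueError("not a tcpdump summary line: %r" % summary_line)
    host, port = m.group(3), m.group(4)
    return host, SERVICE_PORTS.get(port) or int(port)


def matching_udp_listeners(listeners, dest_port):
    """UDP sockets bound to dest_port, whatever address they are bound to."""
    return [l for l in listeners if l[0] == "udp" and l[2] == dest_port]


def decode_hexdump(hex_text):
    """Rebuild the raw payload from tcpdump -X style 'offset: xxxx xxxx' lines."""
    data = bytearray()
    for line in hex_text.splitlines():
        _, _, words = line.partition(":")
        data += bytes.fromhex("".join(words.split()))
    return bytes(data)


def parse_pri(payload):
    """Split the leading <PRI> of a syslog message into (facility, severity)."""
    m = PRI_RE.match(payload)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def diagnose(netstat_text, summary_line, hex_text):
    """Summarise whether the captured datagram could reach a bound UDP socket."""
    listeners = parse_listeners(netstat_text)
    host, port = parse_destination(summary_line)
    hits = matching_udp_listeners(listeners, port)
    payload = decode_hexdump(hex_text)
    return {
        "dest": (host, port),
        "udp_ports_bound": sorted(l[2] for l in listeners if l[0] == "udp"),
        "listener_found": bool(hits),
        "wildcard_bind": any(l[1] in ("0.0.0.0", "::") for l in hits),
        "payload_len": len(payload),
        "facility_severity": parse_pri(payload),
        "payload": payload.decode("ascii", "replace"),
    }


if __name__ == "__main__":
    for key, value in diagnose(NETSTAT_OUTPUT, TCPDUMP_SUMMARY, TCPDUMP_HEX).items():
        print("%-18s %s" % (key, value))
```

On the sample data the datagram is addressed to UDP port 9514 while the only UDP socket is bound to 514 on 10.96.145.42, so `listener_found` is False: the first two things to compare when tcpdump sees a packet that the daemon never logs are the destination port and the bind address (a socket bound to one interface address ignores datagrams arriving for another). The payload decodes to a BSD-style message whose PRI `<14>` splits into facility 1 and severity 6, exactly what tcpdump printed; that format matters for the source driver chosen in syslog-ng, since the RFC 5424 `syslog()` driver and the traditional `network()` driver expect different framing.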