[syslog-ng] RES: Problem to Get UDP Packets - Syslog-ng
William Luiz Ribeiro Vasconcelos Da Silva
wsilva_ericsson at timbrasil.com.br
Wed Mar 25 16:36:37 UTC 2020
Hello again,
I believe that firewall settings are not a problem, because we can see the packet using tcpdump.
But how can I check these other items:
- SELinux options
- Is syslog-ng configured to bind to the right interface
And what is the netcat command to use to listen on port 514?
Thanks,
Best regards,
WILLIAM LUIZ R V SILVA
Mediation
Ericsson
Mobile +55 11 97979-9886
www.ericsson.com
-----Original Message-----
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Laszlo Szemere (lszemere)
Sent: Wednesday, March 25, 2020 13:00
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Cc: HEBERT VASCONCELOS S (hebert.s.vasconcelos at ericsson.com) <hebert.s.vasconcelos at ericsson.com>; Hebert Silva Vasconcelos <hvasconcelos_ericsson at timbrasil.com.br>; Ana Carolina De Bastos Souza <absouza_ericsson at timbrasil.com.br>
Subject: Re: [syslog-ng] Problem to Get UDP Packets - Syslog-ng
Hello,
I cannot remember a case from the recent past where "can not receive UDP packets" was not an environment problem.
Please check your:
- firewall settings
- SELinux options
- Is syslog-ng configured to bind to the right interface
Note: to rule out syslog-ng from the debugging process, you can start "netcat" in listening mode, where it will print out EVERY message it receives. If you cannot see any output from netcat, then your UDP packets do not reach the application level.
If the problem still exists, please share more details about your environment (distributions, version numbers, etc.).
Best regards,
Laci
________________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of William Luiz Ribeiro Vasconcelos Da Silva <wsilva_ericsson at timbrasil.com.br>
Sent: Wednesday, March 25, 2020 16:48
To: Syslog-ng users' and developers' mailing list
Cc: Hebert Silva Vasconcelos; Ana Carolina De Bastos Souza; HEBERT VASCONCELOS S (hebert.s.vasconcelos at ericsson.com)
Subject: [syslog-ng] Problem to Get UDP Packets - Syslog-ng
Hello Everyone,
I installed syslog-ng on a new machine; however, in initial tests there was no collection of UDP packets by syslog-ng.
Here are some points I checked:
sudo netstat -plunt | grep -e PID -e syslog
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:601 0.0.0.0:* LISTEN 16169/syslog-ng
udp 0 0 10.96.145.42:514 0.0.0.0:* 16169/syslog-ng
netstat -anu | grep 514
udp 0 0 10.96.145.42:514 0.0.0.0:*
[cgnat at mgalnxa01 etc]$ sudo systemctl status syslog-ng -l
● syslog-ng.service - System Logger Daemon
Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-03-25 12:38:08 -03; 5min ago
Process: 114207 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 16169 (syslog-ng)
CGroup: /system.slice/syslog-ng.service
└─16169 /opt/syslog-ng/libexec/syslog-ng -F --enable-core
Mar 25 12:38:08 mgalnxa01 systemd[1]: Starting System Logger Daemon...
Here is an example of a packet received via tcpdump but not captured by syslog-ng:
10:46:13.529331 IP (tos 0x20, ttl 251, id 33055, offset 0, flags [none], proto UDP (17), length 243)
10.96.145.98.syslog > mgalnxa01.9514: [udp sum ok] SYSLOG, length: 215
Facility user (1), Severity info (6)
Msg: Mar 24 13:46:13 2020 RTCGNMGA0103 RT_NAT: RT_SRC_NAT_PBA_ALLOC: Subscriber 100.64.1.6 used/maximum [2/2] blocks, allocates port block [47104-47167] from 177.51.116.146 in source pool PUBLIC-NAT-POOL-1 lsys_id: 0
What do I need to analyze or verify so that syslog-ng will capture this type of packet and write it to a file?
Best regards,
WILLIAM LUIZ R V SILVA
Mediation
Ericsson
Rua Maria Preste Maia, 300
02879-130, Brazil
Phone +55 11 2760-3785
Mobile +55 11 97979-9886
wsilva_ericsson at timbrasil.com.br
www.ericsson.com
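The netstat and tcpdump outputs above can be compared mechanically. This is an added Python example, not code from the thread or from the syslog-ng project: it parses the netstat listing and the tcpdump flow line, reports whether any UDP socket matches the packet's destination port, and flags a listener bound to a single address rather than to all interfaces. The sample strings are copied from the messages above; SERVICE_PORTS is an assumed fallback table for hosts whose /etc/services lacks the name.

```python
import re
import socket
# Sample input constructed from the thread: netstat on the collector and the
# tcpdump flow line for the packet that syslog-ng never read.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:601 0.0.0.0:* LISTEN 16169/syslog-ng
udp 0 0 10.96.145.42:514 0.0.0.0:* 16169/syslog-ng
"""
TCPDUMP_LINE = "10.96.145.98.syslog > mgalnxa01.9514: [udp sum ok] SYSLOG, length: 215"
# Assumed fallback used when a service name is missing from the local /etc/services.
SERVICE_PORTS = {"syslog": 514, "syslog-conn": 601}


def parse_listeners(netstat_output):
    """Return (proto, local address, port) for each socket in `netstat -plunt` output."""
    listeners = []
    for line in netstat_output.splitlines()[1:]:  # first line is the header row
        fields = line.split()
        if len(fields) >= 4:
            addr, _, port = fields[3].rpartition(":")
            listeners.append((fields[0], addr, int(port)))
    return listeners


def parse_tcpdump_dst(line):
    """Extract (destination host, destination port) from a tcpdump flow line."""
    m = re.search(r"^\S+ > (\S+)\.([\w-]+):", line.strip())
    if not m:
        raise ValueError("not a tcpdump flow line: " + line)
    host, port = m.group(1), m.group(2)
    if port.isdigit():
        return host, int(port)
    try:  # tcpdump prints well-known ports as service names
        return host, socket.getservbyname(port)
    except OSError:
        return host, SERVICE_PORTS[port]


def diagnose(netstat_output, tcpdump_line):
    """List the reasons a packet seen on the wire can miss every UDP listener."""
    findings = []
    _, dst_port = parse_tcpdump_dst(tcpdump_line)
    udp = [s for s in parse_listeners(netstat_output) if s[0].startswith("udp")]
    if all(port != dst_port for _, _, port in udp):
        bound = ", ".join(f"{a}:{p}" for _, a, p in udp)
        findings.append(f"packet goes to UDP port {dst_port}, but syslog-ng listens on {bound}")
    for _, addr, port in udp:
        if addr not in ("0.0.0.0", "::"):  # a specific bind address only sees traffic for itself
            findings.append(f"UDP {port} is bound to {addr} only; other local addresses are ignored")
    return findings
```

Run against the thread's own output, `diagnose(NETSTAT_OUTPUT, TCPDUMP_LINE)` returns two findings: the captured packet is addressed to port 9514 while the only UDP socket is 10.96.145.42:514, and that socket is bound to one address.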