[syslog-ng] Syslogs not writing to disk

Rose, Ed Ed_Rose at mentor.com
Fri May 1 18:17:13 UTC 2020


We separate them by host so that Splunk can monitor each directory and ingest those logs.  Splunk can set the hostname of each directory by setting a parameter in the inputs.conf.  For Splunk Enterprise Security correlation searches for SIEM we need to know which host owns which logs so we can narrow down our investigations.

-ed

From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Friday, May 1, 2020 6:45 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Syslogs not writing to disk

Honestly I don't see your exact use-case, I noticed you were using host() and they seemed as if they were IP addresses.

You can implement a wide set of policies using syslog-ng.

On Fri, May 1, 2020, 14:32 Rose, Ed <Ed_Rose at mentor.com<mailto:Ed_Rose at mentor.com>> wrote:
But won’t using netmask defeat the whole purpose of separating out the logs?  Or will it still attempt to separate the devices by some arbitrary hostname that it does not exist?


From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu<mailto:syslog-ng-bounces at lists.balabit.hu>] On Behalf Of Balazs Scheidler
Sent: Friday, May 1, 2020 12:12 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu<mailto:syslog-ng at lists.balabit.hu>>
Subject: Re: [syslog-ng] Syslogs not writing to disk

the host filter that you apply to the incoming traffic is matching against the $HOST macro, ie. the text within the message. This can be an IP address or a hostname depending on various settings.

Your messages don't contain a a hostname field, thus syslog-ng will try to "guess" it, normally based on the sending IP address but then would also potentially use DNS to resolve it to a name.

If you want to filter on IP address, I suggest the netmask() filter.

On Thu, Apr 30, 2020 at 7:34 PM Rose, Ed <Ed_Rose at mentor.com<mailto:Ed_Rose at mentor.com>> wrote:
The tcpdump looks good and there doesn’t appear to be any drops.  I should also mention that the syslog servers are behind a Netscaler load balancer doing round robin load balancing between two different syslog-ng servers that are setup exactly the same.  I have about 10 different sources send logs to these syslog servers and all of them are writing to disk except this particular source (cisco_asa).

Thanks
Ed



10:24:21.525178 IP (tos 0x0, ttl 254, id 3483, offset 0, flags [none], proto UDP (17), length 190)
    x.x.x.x  > x.x.x.x: SYSLOG, length: 162
        Facility local4 (20), Severity debug (7)
        Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr x.x.x.x: Session Attribute endpoint.am<http://endpoint.am>["539"].description="Trend Micro OfficeScan Client"\0x0a
10:24:21.525179 IP (tos 0x0, ttl 254, id 15604, offset 0, flags [none], proto UDP (17), length 166)
    x.x.x.x > x.x.x.x: SYSLOG, length: 138
        Facility local4 (20), Severity debug (7)
        Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr x.x.x.x: Session Attribute endpoint.am<http://endpoint.am>["539"].version="12.0.5400"\0x0a
10:24:21.525368 IP (tos 0x0, ttl 254, id 19622, offset 0, flags [none], proto UDP (17), length 193)
    x.x.x.x > x.x.x.x: SYSLOG, length: 165
        Facility local4 (20), Severity debug (7)
        Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr x.x.x.x: Session Attribute endpoint.anyconnect.devicetype = "Dell Inc. Latitude 5290 2-in-1"\0x0a

From: syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu<mailto:syslog-ng-bounces at lists.balabit.hu>] On Behalf Of Balazs Scheidler
Sent: Thursday, April 30, 2020 10:50 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu<mailto:syslog-ng at lists.balabit.hu>>
Subject: Re: [syslog-ng] Syslogs not writing to disk

Tcpdump shows data that is later dropped by the packet filter, so make sure that iptables lets the packets through.

Another potential culprit is selinux, check for violations in the kernel log.


On Thu, Apr 30, 2020, 16:20 Rose, Ed <Ed_Rose at mentor.com<mailto:Ed_Rose at mentor.com>> wrote:
Hello All,

I have syslog-ng setup currently setup to write to disk and forward events on to a different syslog server.  Syslog isn’t writing to disk it seems.  I do not see any errors either, unless I am not looking in the right place for the errors.  Tcpdump –v host x.x.x.x shows data coming in from the host but a tail –f ${HOST}/log_${HOST} shows no logs going to disk.

Thanks
Ed


syslog-ng 3 (3.14.1)
Config version: 3.14
Installer-Version: 3.14.1
Revision:
Module-Directory: /usr/lib64/syslog-ng
Module-Path: /usr/lib64/syslog-ng
Available-Modules: afmongodb,sdjournal,linux-kmsg-format,appmodel,date,pseudofile,afamqp,syslogformat,csvparser,cef,tags-parser,affile,afsocket,afstomp,tfgetent,json-plugin,confgen,system-source,stardate,graphite,dbparser,afprog,xml,add-contextual-data,snmptrapd-parser,cryptofuncs,kvformat,disk-buffer,basicfuncs,afuser,map-value-pairs
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-Linux-Caps: on
Enable-Systemd: on


filter f_awanra1 { host("x.x.x.x"); };
filter f_bwanra1 { host("x.x.x.x"); };
filter f_cwanra1 { host("x.x.x.x"); };

destination d_ciscoasa { file("/var/log2/gns/cisco_asa/${HOST}/log_${HOST}" create-dirs(yes) dir-perm(0755) dir-group(splunk) perm(0640) group(splunk)); };

destination d_uid1 { tcp("x.x.x.x"  port(514) ); };
destination d_uid2 { tcp("x.x.x.x"  port(514) ); };
destination d_uid3 { tcp("x.x.x.x"  port(514) ); };
destination d_uid4 { tcp("x.x.x.x"  port(514) ); };

log { source(s_net); filter(f_amywanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };
log { source(s_net); filter(f_cnswanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };
log { source(s_net); filter(f_demwanra1); destination(d_ciscoasa); destination(d_uid1); destination(d_uid2); destination(d_uid3); destination(d_uid4); flags(final); };
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq


--
Bazsi
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200501/e9665b68/attachment-0001.html>


More information about the syslog-ng mailing list