[syslog-ng] Syslogs not writing to disk

Balazs Scheidler bazsi77 at gmail.com
Sat May 2 04:22:20 UTC 2020


These filters in your config are wired into all of the log paths:

filter f_awanra1 { host("x.x.x.x"); };

filter f_bwanra1 { host("x.x.x.x"); };

filter f_cwanra1 { host("x.x.x.x"); };


If I understand your config properly, if the source $HOST doesn't match
these IP addresses it will be dropped.

On Fri, May 1, 2020, 20:17 Rose, Ed <Ed_Rose at mentor.com> wrote:

> We separate them by host so that Splunk can monitor each directory and
> ingest those logs.  Splunk can set the hostname of each directory by
> setting a parameter in the inputs.conf.  For Splunk Enterprise Security
> correlation searches for SIEM we need to know which host owns which logs so
> we can narrow down our investigations.
>
>
>
> -ed
>
>
>
> *From:* syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] *On Behalf
> Of *Balazs Scheidler
> *Sent:* Friday, May 1, 2020 6:45 AM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Syslogs not writing to disk
>
>
>
> Honestly I don't see your exact use-case, I noticed you were using host()
> and they seemed as if they were IP addresses.
>
>
>
> You can implement a wide set of policies using syslog-ng.
>
>
>
> On Fri, May 1, 2020, 14:32 Rose, Ed <Ed_Rose at mentor.com> wrote:
>
> But won’t using netmask defeat the whole purpose of separating out the
> logs?  Or will it still attempt to separate the devices by some arbitrary
> hostname that it does not exist?
>
>
>
>
>
> *From:* syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] *On Behalf
> Of *Balazs Scheidler
> *Sent:* Friday, May 1, 2020 12:12 AM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Syslogs not writing to disk
>
>
>
> the host filter that you apply to the incoming traffic is matching against
> the $HOST macro, ie. the text within the message. This can be an IP address
> or a hostname depending on various settings.
>
>
>
> Your messages don't contain a a hostname field, thus syslog-ng will try to
> "guess" it, normally based on the sending IP address but then would also
> potentially use DNS to resolve it to a name.
>
>
>
> If you want to filter on IP address, I suggest the netmask() filter.
>
>
>
> On Thu, Apr 30, 2020 at 7:34 PM Rose, Ed <Ed_Rose at mentor.com> wrote:
>
> The tcpdump looks good and there doesn’t appear to be any drops.  I should
> also mention that the syslog servers are behind a Netscaler load balancer
> doing round robin load balancing between two different syslog-ng servers
> that are setup exactly the same.  I have about 10 different sources send
> logs to these syslog servers and all of them are writing to disk except
> this particular source (cisco_asa).
>
>
>
> Thanks
>
> Ed
>
>
>
>
>
>
>
> 10:24:21.525178 IP (tos 0x0, ttl 254, id 3483, offset 0, flags [none],
> proto UDP (17), length 190)
>
>     x.x.x.x  > x.x.x.x: SYSLOG, length: 162
>
>         Facility local4 (20), Severity debug (7)
>
>         Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr
> x.x.x.x: Session Attribute endpoint.am["539"].description="Trend Micro
> OfficeScan Client"\0x0a
>
> 10:24:21.525179 IP (tos 0x0, ttl 254, id 15604, offset 0, flags [none],
> proto UDP (17), length 166)
>
>     x.x.x.x > x.x.x.x: SYSLOG, length: 138
>
>         Facility local4 (20), Severity debug (7)
>
>         Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr
> x.x.x.x: Session Attribute endpoint.am["539"].version="12.0.5400"\0x0a
>
> 10:24:21.525368 IP (tos 0x0, ttl 254, id 19622, offset 0, flags [none],
> proto UDP (17), length 193)
>
>     x.x.x.x > x.x.x.x: SYSLOG, length: 165
>
>         Facility local4 (20), Severity debug (7)
>
>         Msg: 2020-04-30T17:24:21Z: %ASA-7-734003: DAP: User blah, Addr
> x.x.x.x: Session Attribute endpoint.anyconnect.devicetype = "Dell Inc.
> Latitude 5290 2-in-1"\0x0a
>
>
>
> *From:* syslog-ng [mailto:syslog-ng-bounces at lists.balabit.hu] *On Behalf
> Of *Balazs Scheidler
> *Sent:* Thursday, April 30, 2020 10:50 AM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] Syslogs not writing to disk
>
>
>
> Tcpdump shows data that is later dropped by the packet filter, so make
> sure that iptables lets the packets through.
>
>
>
> Another potential culprit is selinux, check for violations in the kernel
> log.
>
>
>
>
>
> On Thu, Apr 30, 2020, 16:20 Rose, Ed <Ed_Rose at mentor.com> wrote:
>
> Hello All,
>
>
>
> I have syslog-ng setup currently setup to write to disk and forward events
> on to a different syslog server.  Syslog isn’t writing to disk it seems.  I
> do not see any errors either, unless I am not looking in the right place
> for the errors.  Tcpdump –v host x.x.x.x shows data coming in from the host
> but a tail –f ${HOST}/log_${HOST} shows no logs going to disk.
>
>
>
> Thanks
>
> Ed
>
>
>
>
>
> syslog-ng 3 (3.14.1)
>
> Config version: 3.14
>
> Installer-Version: 3.14.1
>
> Revision:
>
> Module-Directory: /usr/lib64/syslog-ng
>
> Module-Path: /usr/lib64/syslog-ng
>
> Available-Modules:
> afmongodb,sdjournal,linux-kmsg-format,appmodel,date,pseudofile,afamqp,syslogformat,csvparser,cef,tags-parser,affile,afsocket,afstomp,tfgetent,json-plugin,confgen,system-source,stardate,graphite,dbparser,afprog,xml,add-contextual-data,snmptrapd-parser,cryptofuncs,kvformat,disk-buffer,basicfuncs,afuser,map-value-pairs
>
> Enable-Debug: off
>
> Enable-GProf: off
>
> Enable-Memtrace: off
>
> Enable-IPv6: on
>
> Enable-Spoof-Source: on
>
> Enable-TCP-Wrapper: on
>
> Enable-Linux-Caps: on
>
> Enable-Systemd: on
>
>
>
>
>
> filter f_awanra1 { host("x.x.x.x"); };
>
> filter f_bwanra1 { host("x.x.x.x"); };
>
> filter f_cwanra1 { host("x.x.x.x"); };
>
>
>
> destination d_ciscoasa {
> file("/var/log2/gns/cisco_asa/${HOST}/log_${HOST}" create-dirs(yes)
> dir-perm(0755) dir-group(splunk) perm(0640) group(splunk)); };
>
>
>
> destination d_uid1 { tcp("x.x.x.x"  port(514) ); };
>
> destination d_uid2 { tcp("x.x.x.x"  port(514) ); };
>
> destination d_uid3 { tcp("x.x.x.x"  port(514) ); };
>
> destination d_uid4 { tcp("x.x.x.x"  port(514) ); };
>
>
>
> log { source(s_net); filter(f_amywanra1); destination(d_ciscoasa);
> destination(d_uid1); destination(d_uid2); destination(d_uid3);
> destination(d_uid4); flags(final); };
>
> log { source(s_net); filter(f_cnswanra1); destination(d_ciscoasa);
> destination(d_uid1); destination(d_uid2); destination(d_uid3);
> destination(d_uid4); flags(final); };
>
> log { source(s_net); filter(f_demwanra1); destination(d_ciscoasa);
> destination(d_uid1); destination(d_uid2); destination(d_uid3);
> destination(d_uid4); flags(final); };
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
> --
>
> Bazsi
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200502/aa3d8460/attachment-0001.html>


More information about the syslog-ng mailing list