[syslog-ng] Please Help! Syslog-ng Not Putting Logs in Destination

Attila Szakács attila.szakacs at axoflow.com
Mon Jan 15 15:12:19 UTC 2024


There is an SELinux policy setup script in the syslog-ng repository; you
might want to look at that to find some ideas.
I have seen that some ports are getting enabled by the script with the
semanage command; maybe this is what you are missing:
https://github.com/syslog-ng/syslog-ng/blob/master/contrib/selinux/syslog_ng.sh#L228

Cheers,
Attila

On Mon, Jan 15, 2024 at 4:07 PM Attila Szakács <attila.szakacs at axoflow.com>
wrote:

> Hello Sumanta!
>
> Your config looks good.
> The log about the statistics shows that there are no incoming messages on
> 514 UDP and nothing is written to the files defined in the d_splunk
> destination.
>
> I think you could try to narrow down the scope of the problem with the
> following ideas.
>
> Try to send a message locally to 514 with:
>   echo "foo bar" | nc -u -w0 localhost 514
>
> If it does not work, I would suggest changing the receiving port of the
> network() source to something larger, like port(12345), and trying again
> with the following, just to see if the problem only occurs for the 514 port:
>   echo "foo bar" | nc -u -w0 localhost 12345
>
> You should see these kinds of logs:
> [2024-01-15T15:58:46.037255] Incoming log entry; input='foo bar\x0a',
> msg='0x7f9bb0003020', rcptid='297'
> ...
> [2024-01-15T15:58:46.037655] Initializing destination file writer;
> template='......', filename='......', symlink_as='(null)'
> ...
> [2024-01-15T15:58:46.037872] Outgoing message; message='bar'
>
> My hunch is that this probably has something to do with SELinux, but
> unfortunately my knowledge of it is very limited.
>
> Regards,
> Attila
>
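The SELinux port check suggested in this message, as an added example that is not part of the original post or of the syslog-ng repository script. It parses `semanage port -l` output and reports whether a port carries the syslog daemon's port label. The type name `syslogd_port_t`, the function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: is a port labelled for the syslog daemon in `semanage port -l`?

# Constructed sample of `semanage port -l` output (not taken from the thread).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

syslogd_port_t                 tcp      6514, 601
syslogd_port_t                 udp      514, 6514, 601
unreserved_port_t              udp      1024-32767, 61001-65535'

# port_has_type TYPE PROTO PORT  (hypothetical helper; reads the listing on stdin)
# Exit 0 if PORT/PROTO is listed under TYPE, 1 otherwise. Handles "a-b" ranges.
port_has_type() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)            # drop the list separator
                n = split(entry, r, "-")        # single port or lo-hi range
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# check_syslog_port PROTO PORT  (hypothetical helper; reads the listing on stdin)
# Prints a verdict and, if the label is missing, the semanage command that
# would add it. The command is only printed, never executed.
check_syslog_port() {
    if port_has_type syslogd_port_t "$1" "$2"; then
        echo "ok: $1/$2 is labelled syslogd_port_t"
    else
        echo "missing: semanage port -a -t syslogd_port_t -p $1 $2"
    fi
}

# On a live host, feed real data:  semanage port -l | check_syslog_port udp 514
printf '%s\n' "$SAMPLE_PORTS" | check_syslog_port udp 514
printf '%s\n' "$SAMPLE_PORTS" | check_syslog_port udp 12345
```
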