[syslog-ng] Syslog-ng Not Working properly

Attila Szakács attila.szakacs at axoflow.com
Mon Jan 15 15:06:00 UTC 2024


Hello Sumanta!

Your config looks good.
The log about the statistics shows that there are no incoming messages on
514 UDP and nothing is written to the files defined in the d_splunk
destination.

I think you could try to narrow down the scope of the problem with the
following ideas.

Try to send a message locally to 514 with:
  echo "foo bar" | nc -u -w0 localhost 514

If it does not work, I would suggest changing the receiving port of the
network() source to something larger, like port(12345), and trying again
with the following, just to see if the problem only occurs for port 514:
  echo "foo bar" | nc -u -w0 localhost 12345

You should see logs like these:
[2024-01-15T15:58:46.037255] Incoming log entry; input='foo bar\x0a',
msg='0x7f9bb0003020', rcptid='297'
...
[2024-01-15T15:58:46.037655] Initializing destination file writer;
template='......', filename='......', symlink_as='(null)'
...
[2024-01-15T15:58:46.037872] Outgoing message; message='bar'

My hunch is that this probably has something to do with SELinux, but
unfortunately my knowledge of it is very limited.

Regards,
Attila

On Sun, Jan 14, 2024 at 9:50 PM Sumanta Banerjee <sumanta.banerjee at aviva.com>
wrote:

> Hi Team,
>
> I am trying to configure syslog-ng in one of our Linux instances to get
> NGIPS/FMC data via a UDP connection on its default port (514). I have
> configured syslog-ng.conf under /etc/syslog-ng and then we have set
> SELinux to Permissive. I am using RHEL 8.7 and syslog version 4.0.
> Apparently all looked good to me; however, while checking the destination
> path that is mentioned, I don't see any directory or log file for the said
> UDP connection getting created.
>
> Below are our observations and the steps that we executed. Can any of you
> please help me by telling where I went wrong or if I am missing something?
> There is another test in the pipeline that is stalled for this.
>
>    1. Define source, destination and log_file in syslog-ng.conf (file
>    attached).
>    2. Run the below SELinux commands:
>
> # ausearch -c 'syslog-ng' --raw | audit2allow -M my-syslogng
> # semodule -X 300 -i my-syslogng.pp
>
>    3. Restart the syslog-ng service:
>
> # systemctl restart syslog-ng.service (no error message received)
>
>    4. Check if the service is running:
>
> [inline image scrubbed]
>
>    5. Check if syslog-ng is listening on UDP port 514:
>
> [inline image scrubbed]
>
>    6. Checked, and we have an incoming data stream from the source, using
>    the below command:
>
> tcpdump -i any -c10 -nn -A port 514
>
> [inline image scrubbed]
>
>    7. I have gone through the syslog-ng troubleshooting steps mentioned
>    in the link:
>
> https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.37/administration-guide/105#TOPIC-1829320
>
> syslog-ng -Fdev command output is also attached.
>
>    8. While running the following command I got the below output:
>
> # watch '/usr/sbin/syslog-ng-ctl stats | grep "^center"'
>
> [inline image scrubbed]
>
>    9. journalctl command output (first 500 lines) attached.
>
>    10. Current SELinux status:
>
> [inline image scrubbed]
>
>    11. Our syslog-ng is logging to /var/log/messages and we are getting
>    this message in /var/log/messages:
>
> [inline image scrubbed]
>
> Thanks & Regards,
>
> Sumanta Banerjee
>
> Splunk Admin | CISO | Aviva Group
>
> Tel: +91-8420892593
>
> 24x7x365: +44 1603 208 582
>
> sumanta.banerjee at aviva.com
>
> GlobalCyberSecurityEngineeringTeam at aviva.com
>
> www.aviva.com
>
> Wipro Technologies - SJP2, Bangalore, India
>
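The check Attila describes (inject one datagram locally, then see whether the syslog-ng counters move) can be scripted so it is repeatable on the affected host and on an alternative port. The script below is an added example written for this thread; it is not code from syslog-ng, Axoflow or either poster. It assumes that `syslog-ng-ctl stats` prints one row per counter in the layout `type;id;instance;state;metric;value`, that the local `nc` accepts `-u -w0` as in Attila's command, and that `ss`, `getenforce` and `ausearch` are available on the RHEL host. The two sample snapshots embedded at the bottom are constructed, not real output, so that the parsing functions can be exercised without a running syslog-ng.

```shell
#!/bin/sh
# Added example for this thread, not code from syslog-ng or either poster.
# It automates the suggestion above: snapshot `syslog-ng-ctl stats`, inject
# one UDP datagram locally with nc, snapshot again, and report whether the
# counters moved. Assumed (not verified here): stats rows have the layout
# type;id;instance;state;metric;value, and nc accepts `-u -w0`.

# counter_value STATS_TEXT ROW_PREFIX METRIC
# Prints the value of the row whose "type;id;instance" equals ROW_PREFIX and
# whose metric is METRIC; prints -1 when no such row exists.
counter_value() {
    printf '%s\n' "$1" | awk -F';' -v p="$2" -v m="$3" '
        ($1 ";" $2 ";" $3) == p && $5 == m { print $6; found = 1 }
        END { if (!found) print "-1" }'
}

# received_delta BEFORE AFTER
# How much the "center;;received" counter grew between the two snapshots.
received_delta() {
    b=$(counter_value "$1" "center;;received" processed)
    a=$(counter_value "$2" "center;;received" processed)
    echo $((a - b))
}

# probe_port HOST PORT
# Live check: is anything bound to PORT/udp, does one test datagram get
# counted, and if not, what does SELinux say. Needs root on the host.
probe_port() {
    host=$1; port=$2
    ss -ulnp | grep -q ":$port " || echo "warning: nothing listening on udp/$port"
    before=$(syslog-ng-ctl stats)
    printf 'probe %s\n' "$(date +%s)" | nc -u -w0 "$host" "$port"
    sleep 1
    after=$(syslog-ng-ctl stats)
    d=$(received_delta "$before" "$after")
    if [ "$d" -gt 0 ]; then
        echo "udp/$port: $d message(s) counted by syslog-ng"
    else
        echo "udp/$port: datagram sent but no counter moved"
        command -v getenforce >/dev/null 2>&1 && echo "SELinux mode: $(getenforce)"
        # Recent AVC denials for the syslog-ng process, if auditd is logging
        ausearch -m AVC -c syslog-ng -ts recent 2>/dev/null | tail -n 5
        return 1
    fi
}

# Constructed sample snapshots (not real output): one datagram arrived
# between them and reached the center, but the destination wrote nothing.
SAMPLE_BEFORE='center;;received;a;processed;0
center;;queued;a;processed;0
source;s_net;;a;processed;0
src.udp;s_net#0;afsocket_sd.(dgram,AF_INET(0.0.0.0:514));a;processed;0
destination;d_splunk;;a;processed;0'
SAMPLE_AFTER='center;;received;a;processed;1
center;;queued;a;processed;1
source;s_net;;a;processed;1
src.udp;s_net#0;afsocket_sd.(dgram,AF_INET(0.0.0.0:514));a;processed;1
destination;d_splunk;;a;processed;0'

# Run the live probe only when asked, e.g.:  PROBE_PORT=514 sh probe.sh
# and then again with PROBE_PORT=12345 after changing the network() source.
if [ -n "${PROBE_PORT:-}" ]; then
    probe_port "${PROBE_HOST:-localhost}" "$PROBE_PORT"
fi
```

Comparing the `center;;received` counter with the `destination;d_splunk;` counter separates the two failures the thread is trying to tell apart: if the received counter moves but the destination counter does not, the datagram reaches syslog-ng and the problem is on the file-writing side (permissions, SELinux labels on the target directory); if neither moves while `tcpdump` shows traffic, the socket receive path is what to look at, which is where a denied bind or a different listener on 514 would show up.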