LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-07-2013, 02:40 AM   #1
austinium
Member
trouble with remote logging using syslog-ng


I am having trouble setting up remote logging...

I have added the following to the existing syslog-ng.conf file in the client that runs Ubuntu 13.04.

Code:
destination d_logServer {udp("syslog server's IP" port(514));};

log { source(s_src); destination(d_logServer); };
I have added the following to the syslog-ng server's (Debian) syslog-ng.conf file:
Code:
source s_netU { udp(ip("syslog server's IP") port(514)); };

destination d_remote { file("/var/log/HOSTS/$HOST.$YEAR.$MONTH.$DAY"); };

filter f_remote { host( "syslog client's IP" ); };

log { source(s_netU); filter(f_remote); destination(d_remote); };
The server is not receiving the logs, local logging on the client is working fine. Help!

 
Old 10-07-2013, 03:21 AM   #2
acid_kewpie
Moderator
is the issue on the client or the server? does a tcpdump show the traffic leaving the box? (tcpdump -vn port 514 -i eth0)
 
Old 10-07-2013, 04:53 AM   #3
austinium
Member
Original Poster
Thank you for replying.

I ran the command at the client. From the output of the command below it looks like messages are leaving the client?
Code:
# tcpdump -vn port 514 -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:17:22.644226 IP (tos 0x0, ttl 64, id 12474, offset 0, flags [DF], proto UDP (17), length 127)
    SyslogClient's_IP.33079 > SyslogServer's_IP.514: SYSLOG, length: 99
	Facility kernel (0), Severity info (6)
	Msg: Oct  7 15:17:22 syslogclient kernel: [13274.558125] device eth0 entered promiscuous mode\0x0a
I already have a router sending its syslog to the server, and the router's logs are arriving fine. Running the above command on the server shows the log lines from the router.

 
Old 10-07-2013, 05:46 AM   #4
acid_kewpie
Moderator
ok so is it reaching the server?
 
Old 10-07-2013, 06:27 AM   #5
austinium
Member
Original Poster
hi Chris,

I redirected tcpdump's output to a file, did some grep-ing, turns out the client is sending the log lines to the server. However log lines are not being written to file.

I believe this is the line responsible for writing to file:
Code:
destination d_remote { file("/var/log/HOSTS/$HOST.$YEAR.$MONTH.$DAY"); };
Am I missing something here?
 
Old 10-07-2013, 06:31 AM   #6
acid_kewpie
Moderator
looks fine offhand, run the server in foreground mode and see what it says.

looking at the manpage "syslog-ng -Fedv" looks like the chap, but some of those options might clash. I'd also add any command line parameters already in use, so run "ps -ef | grep syslog-ng" to see how it's currently being run and modify accordingly. Stop the service first of course.
 
Old 10-07-2013, 07:14 AM   #7
austinium
Member
Original Poster
I ran "ps -ef | grep syslog-ng"; syslog-ng is running without any arguments.
I ran syslog-ng -Fedv > ~/test.txt 2>&1 ... then logged into the syslog client via ssh, just to generate some logs. tcpdump would have captured logs being generated in such cases as it did earlier in the day. However, nothing shows up in the output of syslog-ng being run in the foreground.

Is it possible that syslog-ng may be dropping logs without processing them... or is it that I am too tired?

Do let me know what you think... if there's something else I should try.

thanks
 
Old 10-07-2013, 07:21 AM   #8
acid_kewpie
Moderator
No, it'd be logging the fact that it's received them from somewhere, even if it does drop them on the floor. If you're successfully logging from the router already though, you should be able to see those logs in the debug trail. So if those router logs aren't visible in the debug either, something is going wrong in the debug commands themselves.
 
Old 10-07-2013, 10:42 AM   #9
voleg
Member
Remove "filter" for debugging. The message, probably, does not include IP, but hostname.
 
Old 10-09-2013, 12:02 PM   #10
austinium
Member
Original Poster
hi all,
Sorry I haven't been able to post back. I've been caught up with other work and haven't been able to give time to this problem.

I have a doubt: the versions of syslog-ng running on the syslog server and the client are different, though only the minor numbers differ. It shouldn't make any difference, right?

@voleg: I will surely try out the configuration without the filter, but the same setup works for the Router. I am able to see the logs from the router being written properly to file. Any clue why it would be different in the case of a Linux machine?

thank you Chris and voleg...
 
Old 10-10-2013, 03:24 AM   #11
acid_kewpie
Moderator
It's not that it shouldn't make any difference, it's not allowed to make a difference. They are talking syslog, a standard protocol; they aren't allowed to have anything software / version specific anywhere in the interaction, otherwise it wouldn't be standard syslog traffic anymore.
 
Old 10-11-2013, 12:34 AM   #12
austinium
Member
Original Poster
When logging from Linux servers, syslog uses the machine's hostname and not the IP address as in the case of devices such as routers. Replacing the IP address of the server with its hostname fixed the issue.
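As an added illustration (not code from the thread), here is a small Python parser for the BSD-style syslog datagrams seen in the tcpdump output above. It shows why a host() filter written with an IP address matches a router that puts its IP in the HOSTNAME field but not a Linux client that puts its hostname there. The sample datagrams are constructed, and the filter only mimics the comparison against the message's HOST field (syslog-ng's keep_hostname() and use_dns() options can change what actually lands in $HOST).

```python
import re

# Constructed sample datagrams, modelled on the tcpdump line in the thread.
# A Linux syslog-ng client fills HOSTNAME with its hostname; many routers
# put their own IP address there instead (192.0.2.1 is a documentation address).
SAMPLES = [
    b"<6>Oct  7 15:17:22 syslogclient kernel: [13274.558125] device eth0 entered promiscuous mode",
    b"<14>Oct  7 15:18:03 192.0.2.1 dhcpd: lease 192.0.2.50 assigned",
]

FACILITIES = {0: "kernel", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME MSG   (RFC 3164 layout; "Oct  7" has a padded day)
BSD_SYSLOG = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) "
    rb"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_bsd_syslog(datagram: bytes) -> dict:
    """Split a datagram into facility, severity, timestamp, HOSTNAME and MSG."""
    m = BSD_SYSLOG.match(datagram)
    if not m:
        raise ValueError("not a BSD syslog datagram")
    pri = int(m.group("pri"))
    return {
        "facility": FACILITIES.get(pri >> 3, str(pri >> 3)),  # upper bits
        "severity": SEVERITIES[pri & 7],                       # low 3 bits
        "timestamp": m.group("ts").decode(),
        "host": m.group("host").decode(),
        "msg": m.group("msg").decode(errors="replace"),
    }


def host_filter_matches(datagram: bytes, wanted: str) -> bool:
    """Mimic a host("...") filter: the comparison is against the HOSTNAME
    field carried in the message, not against the UDP sender address."""
    return parse_bsd_syslog(datagram)["host"] == wanted
```

Filtering on "syslogclient" matches the first datagram, while a filter written with the client's IP address matches nothing from it, which is the behaviour the thread ends on.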
All times are GMT -5. The time now is 12:12 AM.