How many hosts can be logged with syslog-ng OSE
Hi all,
I have managed to install and run syslog-ng OSE (v3.2.5) as a central logging server. All I want to know is how many hosts can be logged with it? It is logging two hosts successfully, of which one is localhost and one more is in the network. The problem that led me to ask this question is that I configured one more host to send logs to this server, but unfortunately it wasn't logging the 3rd host, so I executed tcpdump -i eth0 udp 'port 514' -v and found that the logs are coming from the 3rd host but are not logged. I read a lot on the internet and increased the kernel receive buffer, but the problem is still there. Any idea what's happening? Help is always appreciated.
Regards, nm
There can be many problems preventing syslog-ng from logging messages from the network:
- no network source configured
- SELinux
- firewall

So, make sure that you have a network source configured and check your logs for the other two. As a quick test you might temporarily disable these protections to see if any of them prevents you from logging.
I can log one host from the network, then why wouldn't the others? I have already disabled the firewall. Of course the network source is configured, that is how I am receiving logs from a host on the network. SELinux -- what should I do, "setenforce 0"?
Quote:
As the default, NO!
Are you sure that many hosts, not just 5-10 or maybe 20, can be logged using syslog-ng OSE? One more question I have: can I log routers and switches using syslog-ng OSE?
You can log from as many hosts as you want. Just make sure that max-connections() is set to a high enough number. This is 10 by default. Read the documentation at https://www.balabit.com/sites/defaul...gle/index.html for more details.
Hi all,
Still no success, even after executing 'setenforce 0' and restarting the syslog-ng service. I still receive packets from a host which are not logged by syslog-ng, and I can see them through tcpdump. Please find my syslog-ng.conf file below. Kindly suggest.

    @version:3.2
    # syslog-ng configuration file.
    #
    # This should behave pretty much like the original syslog on RedHat. But
    # it could be configured a lot smarter.
    #
    # See syslog-ng(8) and syslog-ng.conf(5) for more information.
    #
    options {
        flush_lines (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
    };

    source s_sys {
        file ("/proc/kmsg" program_override("kernel: "));
        unix-stream ("/dev/log");
        internal();
        udp(ip(x.x.x.x) port(514));
    };

    destination d_cons { file("/dev/console"); };
    destination d_mesg { file("/var/log/syslogng/${HOST}/messages_${YEAR}_${MONTH}_${DAY}.log" create-dirs(yes)); };
    destination d_auth { file("/var/log/syslogng/${HOST}/secure_${YEAR}_${MONTH}_${DAY}.log"); };
    destination d_mail { file("/var/log/syslogng/${HOST}/maillog_${YEAR}_${MONTH}_${DAY}.log" flush_lines(10)); };
    destination d_spol { file("/var/log/syslogng/${HOST}/spooler_${YEAR}_${MONTH}_${DAY}.log"); };
    destination d_boot { file("/var/log/syslogng/${HOST}/boot_${YEAR}_${MONTH}_${DAY}.log"); };
    destination d_cron { file("/var/log/syslogng/${HOST}/cron_${YEAR}_${MONTH}_${DAY}.log"); };
    destination d_kern { file("/var/log/syslogng/${HOST}/kern_${YEAR}_${MONTH}_${DAY}.log"); };
    destination d_user { file("/var/log/syslogng/${HOST}/user_${YEAR}_${MONTH}_${DAY}.log"); };
    destination d_mlal { usertty("*"); };

    filter f_kernel    { facility(kern); };
    filter f_default   { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
    filter f_auth      { facility(authpriv); };
    filter f_mail      { facility(mail); };
    filter f_emergency { level(emerg); };
    filter f_news      { facility(uucp) or (facility(news) and level(crit..emerg)); };
    filter f_boot      { facility(local7); };
    filter f_cron      { facility(cron); };
    filter f_kern      { facility(kern); };
    filter f_user      { facility(user); };

    #log { source(s_sys); filter(f_kernel); destination(d_cons); };
    log { source(s_sys); filter(f_kernel);    destination(d_kern); };
    log { source(s_sys); filter(f_default);   destination(d_mesg); };
    log { source(s_sys); filter(f_auth);      destination(d_auth); };
    log { source(s_sys); filter(f_mail);      destination(d_mail); };
    log { source(s_sys); filter(f_emergency); destination(d_mlal); };
    log { source(s_sys); filter(f_news);      destination(d_spol); };
    log { source(s_sys); filter(f_boot);      destination(d_boot); };
    log { source(s_sys); filter(f_cron);      destination(d_cron); };
    log { source(s_sys); filter(f_user);      destination(d_user); };

    # vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
Somebody please reply! I am out of reasons why it is happening!
Quote:
Change setenforce back to its previous setting since you know that is not the issue. This "3rd host" data is being received on the syslog-ng server?
Executed on the 'syslog-ng' server and found that the server is receiving the packets but not logging those packets. Yes, the data is received on the mentioned interface.
2 questions. 1 statement. 1 answer. = I'm done. Nothing personal.
Thanks! That really helped. And thanks to all, I solved it. Started syslog on another interface and it's working.
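The resolution above ("started syslog on another interface") points at the real cause: the posted config binds the UDP source to a single address, udp(ip(x.x.x.x) port(514)), so datagrams that arrive at any other address of the server are visible to tcpdump (which sniffs the interface, not the socket) but are never handed to syslog-ng. Neither a larger kernel receive buffer nor max-connections() changes that; max-connections() limits stream sources such as tcp() and unix-stream(), not udp(). The following is an added example, not code from the thread or from the syslog-ng project, that reproduces the effect entirely on loopback: 127.0.0.1 and 127.0.0.2 stand in for two addresses of the log server (the 127.0.0.2 alias is assumed to be present, as it is on Linux), an ephemeral port is used instead of 514 so it runs unprivileged, and the sample syslog line is constructed. It also decodes the <PRI> header, which is what the facility() and level() filters in the posted config match on.

```python
"""Added example: why a syslog-ng udp() source bound to one address drops
datagrams sent to the host's other addresses, and how the <PRI> header maps
to the facility()/level() filters used in the posted syslog-ng.conf.

Assumptions: 127.0.0.2 is a usable loopback alias (true on Linux, where all
of 127/8 is on lo); an ephemeral port replaces 514 so no root is needed.
"""
import socket

# Constructed RFC 3164 style message: <PRI>TIMESTAMP HOST TAG: MSG
SAMPLE = b"<13>Oct 11 22:14:15 host3 sshd[1234]: Accepted publickey for nm"

# Facility and severity names by number, following the RFC 5424 table.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(msg):
    """Return (facility, severity) from the <PRI> header, PRI = facility*8 + severity.

    These two names are what filter(facility(...)) and filter(level(...)) in
    the posted config test, e.g. <13> is user.notice, which f_user and
    f_default both match, so it lands in user_* and messages_* files.
    """
    if not msg.startswith(b"<") or b">" not in msg:
        raise ValueError("missing <PRI> header")
    pri = int(msg[1:msg.index(b">")])
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def probe(bind_ip, dest_ip, timeout=0.5):
    """Bind a UDP listener to bind_ip (like syslog-ng's udp(ip(...))), send
    SAMPLE to dest_ip on the same port, and report whether it was received.

    Returns False when the datagram is not delivered to the socket, or when
    dest_ip cannot be used as a destination on this host. The latter is the
    situation of the thread: the packet is on the wire (tcpdump sees it) but
    no socket is bound to the address it was sent to.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((bind_ip, 0))          # port 0: kernel picks a free port
        port = listener.getsockname()[1]
        listener.settimeout(timeout)
        try:
            sender.sendto(SAMPLE, (dest_ip, port))
        except OSError:
            return False                     # address not usable from this host
        try:
            data, _ = listener.recvfrom(4096)
        except socket.timeout:
            return False                     # arrived on the wire, no socket there
        return data == SAMPLE
    finally:
        listener.close()
        sender.close()


if __name__ == "__main__":
    print("sample decodes to facility/severity:", decode_pri(SAMPLE))
    # The first bind mirrors udp(ip(x.x.x.x) port(514)) from the posted
    # config; the second mirrors udp(ip(0.0.0.0) port(514)), which accepts
    # syslog on every address the server holds.
    for bind_ip in ("127.0.0.1", "0.0.0.0"):
        for dest in ("127.0.0.1", "127.0.0.2"):
            got = probe(bind_ip, dest)
            print(f"bound to {bind_ip:<9}  sent to {dest:<9}  received={got}")
```

On the real server the equivalent check is to compare the address syslog-ng is actually bound on (ss -ulnp, or netstat -ulnp on older systems, filtered for port 514) with the destination address in the tcpdump output; if they differ, either bind the udp() source to 0.0.0.0 or add one udp() source per address that remote hosts send to.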
Quote:
Have a good one!