LinuxQuestions.org
Old 01-11-2016, 04:24 AM   #1
NM04
Distribution: BackTrack, Fedora, CentOS
How many hosts can be logged with syslog-ng OSE


Hi all,
I have managed to install and run syslog-ng OSE (v3.2.5) as a central logging server. All I want to know is how many hosts can be logged with it?
It is logging two hosts successfully, of which one is localhost and one is another host on the network. The problem that led me to ask this question is that I configured one more host to send logs to this server, but unfortunately it wasn't logging the 3rd host, so I executed

Code:
tcpdump -i eth0 udp 'port 514' -v

and found that the logs are coming from the 3rd host but are not logged. I read a lot on the internet and increased the kernel receive buffer, but the problem is still there. Any idea what's happening?
Help is always appreciated.

Regards,
nm
 
Old 01-11-2016, 06:44 AM   #2
czanik
Distribution: openSUSE, Fedora, FreeBSD
There can be many problems preventing syslog-ng from logging messages from the network:
- no network source configured
- SELinux
- firewall
So, make sure that you have a network source configured and check your logs for the other two. As a quick test you might temporarily disable these protections to see if any of them prevents you from logging.
 
Old 01-11-2016, 07:07 AM   #3
NM04
Original Poster
I can log one host from the network, so why wouldn't the others? I have already disabled the firewall. Of course the network source is configured; that is how I am receiving logs from a host on the network. SELinux: what should I do, "setenforce 0"?
 
Old 01-11-2016, 09:05 AM   #4
Habitual
Distribution: Catalina
Quote:
Originally Posted by NM04 View Post
should I do "setenforce 0" ??
as a TEMPORARY debug measure, sure.
As the default, NO!
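The temporary-versus-default point above has a practical counterpart: before (or instead of) switching to permissive mode, read the audit log, which is where the "check your logs" advice in reply #2 points for SELinux. The script below is an added example, not code from this thread or from the syslog-ng project. It parses constructed audit.log lines (the pids, timestamps and the non-standard port 10514 are made up), keeps only denials attributed to the syslog-ng process, tells enforced denials apart from ones merely recorded under permissive mode, and turns a blocked port bind into the semanage port command that labels the port as syslogd_port_t. On a stock policy UDP 514 is already syslogd_port_t, so for the thread's setup you would expect no syslog-ng denial at all, which is the evidence that rules SELinux out without touching setenforce. In the real case, feed it the output of ausearch -m avc -c syslog-ng.

```python
"""Triage SELinux from the audit log instead of reaching for setenforce 0.

Added example (not from the thread): scans audit.log text for AVC denials
recorded against the syslog-ng process and, for a blocked socket bind,
builds the semanage port rule that would permit it under enforcing mode.
"""
import re

# Constructed audit.log excerpt (pids, timestamps and the port are made up).
# Line 1: syslog-ng denied binding UDP 10514, a port SELinux labels as
#         unreserved_port_t rather than syslogd_port_t, with enforcing on.
# Line 2: the same denial recorded while permissive (permissive=1): logged,
#         not blocked, which is what `setenforce 0` buys you.
# Line 3: an unrelated denial from another process, to be filtered out.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1452500000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="syslog-ng" src=10514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1452500010.456:457): avc:  denied  { name_bind } for  pid=1234 comm="syslog-ng" src=10514 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1452500020.789:458): avc:  denied  { read } for  pid=999 comm="httpd" name="index.html" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def avc_denials(audit_text, comm="syslog-ng"):
    """Parse each AVC denial whose comm= equals `comm` into a dict.
    'enforced' is True when the kernel actually blocked the action."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
        if fields.get("comm") != comm:
            continue
        fields["perm"] = m.group("perm")
        # Older kernels omit permissive=; treat a missing field as enforcing.
        fields["enforced"] = fields.get("permissive", "0") == "0"
        denials.append(fields)
    return denials


def suggest_fix(denial):
    """For an enforced name_bind denial, return the semanage command that
    labels the port for syslogd; None for anything else. If the port is
    already labelled with another type, semanage needs -m instead of -a."""
    if denial["perm"] != "name_bind" or not denial["enforced"]:
        return None
    proto = denial["tclass"].split("_")[0]   # udp_socket -> udp
    return f"semanage port -a -t syslogd_port_t -p {proto} {denial['src']}"


if __name__ == "__main__":
    for d in avc_denials(SAMPLE_AUDIT):
        print(d["perm"], "enforced" if d["enforced"] else "permissive", suggest_fix(d))
```

A denial that shows permissive=1 tells you the policy would block the bind once enforcing is restored, so a run that looks clean under setenforce 0 has not actually cleared SELinux as a suspect; the labelling command, not permissive mode, is the fix that survives the switch back.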
 
Old 01-15-2016, 05:52 AM   #5
NM04
Original Poster
Are you sure that many hosts, not just 5-10 but maybe 20 hosts, can be logged using syslog-ng OSE? One more question I have is: can I log routers and switches using syslog-ng OSE?
 
Old 01-16-2016, 12:51 AM   #6
czanik
You can log from as many hosts as you want. Just make sure that max-connections() is set to a high enough number. This is 10 by default. Read the documentation at https://www.balabit.com/sites/defaul...gle/index.html for more details.
 
Old 01-18-2016, 04:05 AM   #7
NM04
Original Poster
Hi all,
Still no success, even after executing 'setenforce 0' and restarting the syslog-ng service. I still receive packets from a host that are not logged by syslog-ng, and I can see them through tcpdump. Please find my syslog-ng.conf file below. Kindly suggest.


Code:
@version:3.2

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);      # global default; only d_mesg below overrides it
    keep_hostname (yes);   # keep the hostname the client sent, used in ${HOST} paths
};

source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    internal();
    # network source, bound to a single local address: only datagrams
    # addressed to x.x.x.x:514 are received by this source
    udp(ip(x.x.x.x) port(514));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/syslogng/${HOST}/messages_${YEAR}_${MONTH}_${DAY}.log" create-dirs(yes)); };
# the destinations below rely on /var/log/syslogng/${HOST}/ already existing
destination d_auth { file("/var/log/syslogng/${HOST}/secure_${YEAR}_${MONTH}_${DAY}.log"); };
destination d_mail { file("/var/log/syslogng/${HOST}/maillog_${YEAR}_${MONTH}_${DAY}.log" flush_lines(10)); };
destination d_spol { file("/var/log/syslogng/${HOST}/spooler_${YEAR}_${MONTH}_${DAY}.log"); };
destination d_boot { file("/var/log/syslogng/${HOST}/boot_${YEAR}_${MONTH}_${DAY}.log"); };
destination d_cron { file("/var/log/syslogng/${HOST}/cron_${YEAR}_${MONTH}_${DAY}.log"); };
destination d_kern { file("/var/log/syslogng/${HOST}/kern_${YEAR}_${MONTH}_${DAY}.log"); };
destination d_user { file("/var/log/syslogng/${HOST}/user_${YEAR}_${MONTH}_${DAY}.log"); };
destination d_mlal { usertty("*"); };

filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
    not (facility(mail)
         or facility(authpriv)
         or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
    (facility(news) and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
filter f_kern { facility(kern); };
filter f_user { facility(user); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
log { source(s_sys); filter(f_user); destination(d_user); };

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
 
Old 01-25-2016, 07:01 AM   #8
NM04
Original Poster
Somebody please reply!! I am out of reasons why it is happening!!
 
Old 01-25-2016, 09:00 AM   #9
Habitual
Quote:
Originally Posted by NM04 View Post
I configured one more host to send logs to this server, but unfortunately it wasn't logging the 3rd host, so I executed

Code:
tcpdump -i eth0 udp 'port 514' -v
Executed on the syslog-ng 'server' or the "3rd host" 'client'?

Change setenforce back to its previous setting since you know that is not the issue.

This "3rd host" data is being received on the syslog-ng server?
 
Old 01-27-2016, 03:45 AM   #10
NM04
Original Poster
Executed on the 'syslog-ng' server and found that the server is receiving the packets but not logging those packets. Yes the data is received on the mentioned interface.
 
Old 01-27-2016, 06:56 AM   #11
Habitual
2 Questions.
1 statement.
1 Answer.
=
I'm done.

Nothing personal.
 
Old 02-02-2016, 11:19 PM   #12
NM04
Original Poster
Thanks! That really helped. And thanks to all, I solved it. Started syslog on another interface and it's working.
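The resolution above (packets visible in tcpdump on the collector, nothing logged until syslog-ng was started on another interface) is the symptom you get when the udp() source is bound to one address, as in the udp(ip(x.x.x.x) port(514)) line of the posted config, while a client sends to a different address of the same machine: the kernel delivers the datagram to the NIC, tcpdump sees it, but no socket is listening on that destination address, so the daemon never receives it. What follows is an added example, not code from this thread or from the syslog-ng project. It is a Python script that reads a syslog-ng source stanza and a tcpdump -n capture (both constructed here, using the documentation addresses 192.0.2.10 and 198.51.100.10 for the collector's two interfaces) and lists captured datagrams whose destination has no matching listener. Binding with ip(0.0.0.0), which is also syslog-ng's default when ip() is omitted, makes one udp() source accept datagrams addressed to any local address; the max-connections() option mentioned in reply #6 belongs to stream sources such as tcp() and has no effect on udp().

```python
"""Why packets seen by tcpdump may never be logged by syslog-ng.

Added example (not from the thread): compares the udp()/tcp() sources in a
syslog-ng configuration against the destination addresses seen in a
tcpdump capture and reports datagrams for which no listener is bound.
"""
import re
from ipaddress import ip_address

# Constructed config fragment. Like the thread's udp(ip(x.x.x.x) port(514)),
# the udp() source is bound to ONE address. max-connections() is shown on
# the tcp() source only because that is where syslog-ng accepts it.
SAMPLE_CONF = """
source s_sys {
    internal();
    udp(ip(192.0.2.10) port(514));
    tcp(ip(192.0.2.10) port(514) max-connections(100));
};
"""

# Constructed `tcpdump -n -i any udp port 514` output. The collector owns
# two addresses, 192.0.2.10 (eth0) and 198.51.100.10 (eth1); the second
# client sends to the address syslog-ng is NOT bound to.
SAMPLE_TCPDUMP = """\
09:15:01.000001 IP 192.0.2.21.40000 > 192.0.2.10.514: SYSLOG auth.info, length: 64
09:15:02.000002 IP 198.51.100.7.51000 > 198.51.100.10.514: SYSLOG daemon.notice, length: 80
09:15:03.000003 IP 192.0.2.21.40000 > 192.0.2.10.514: SYSLOG cron.info, length: 40
"""

SOURCE_RE = re.compile(r"\b(udp6?|tcp6?)\s*\(\s*(?P<opts>[^;]*)\)\s*;")
IP_RE = re.compile(r"\bip\s*\(\s*\"?([0-9A-Fa-f.:]+)\"?\s*\)")
PORT_RE = re.compile(r"\bport\s*\(\s*(\d+)\s*\)")
PKT_RE = re.compile(r"\bIP6?\s+(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+?)\.(?P<dport>\d+):")


def listeners(conf):
    """Return [(proto, bind_ip, port)] for every udp()/tcp() source.
    syslog-ng defaults when the option is omitted: ip() = 0.0.0.0, port() = 514."""
    found = []
    for m in SOURCE_RE.finditer(conf):
        opts = m.group("opts")
        ip = IP_RE.search(opts)
        port = PORT_RE.search(opts)
        found.append((m.group(1)[:3],
                      ip.group(1) if ip else "0.0.0.0",
                      int(port.group(1)) if port else 514))
    return found


def unmatched_datagrams(capture, conf, proto="udp"):
    """Destination ip:port pairs in the capture that no `proto` source is bound to.
    A wildcard bind (0.0.0.0 or ::) matches any local address on that port."""
    binds = [(ip, port) for p, ip, port in listeners(conf) if p == proto]
    missing = []
    for m in PKT_RE.finditer(capture):
        dst, dport = m.group("dst"), int(m.group("dport"))
        served = any(port == dport and (ip_address(ip).is_unspecified or ip == dst)
                     for ip, port in binds)
        key = f"{dst}:{dport}"
        if not served and key not in missing:
            missing.append(key)
    return missing


def report(capture, conf):
    """One-line verdict suitable for pasting into a thread like this one."""
    missing = unmatched_datagrams(capture, conf)
    if not missing:
        return "every captured datagram has a matching udp() listener"
    return ("no udp() source is bound to " + ", ".join(missing)
            + "; bind with ip(0.0.0.0) or add a udp() source for that address")


if __name__ == "__main__":
    print(report(SAMPLE_TCPDUMP, SAMPLE_CONF))
```

On a live collector the same check is `ss -ulnp | grep syslog-ng` next to the destination column of `tcpdump -n -i any udp port 514`: if the address tcpdump prints after the `>` is not one the socket is bound to, the config, not SELinux or the firewall, is what is dropping the third host.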
 
Old 02-03-2016, 08:48 AM   #13
Habitual
Quote:
Originally Posted by NM04 View Post
Thanks! That really helped. And thanks to all, I solved it. Started syslog on another interface and it's working.
Glad it worked out, but next time someone takes the time to ask two questions, they might expect 2 answers.

Have a good one!
 
  

