Sending to syslog-ng server on multiple ports doesn't work
We have a logserver running syslog-ng, all clients also use syslog-ng.
As of today, we use Splunk on the logserver to analyze logs. All servers run OpenSuse 12.1.

Now we need to save the logs to different files on the log-server; I tried doing that by sending to different ports. I have read lots and lots of documentation, all of which says this should work, but it doesn't. What happens is that logs are sent only to the first specified destination. I'm checking this with tcpdump on the server, and I also configured Splunk to listen on ports 514 & 515, with the same result. Nothing is received on the second destination defined in the sender's syslog-ng.conf. If I comment out the first destination, logs are sent fine to the second destination. I also tried using udp on one destination and tcp on the other, but no difference.

Details: Client's syslog-ng.conf, relevant parts:
Code:
source src {
Code:
source srcExt {
Code:
app10:~ # cat /etc/syslog-ng/syslog-ng.conf

I can't send tripwire logs to the standard logfile, as there is then no clear identification of which lines belong to tripwire. Any ideas what is wrong? Or tips on other ways to achieve the same result? |
So is data being sent by the client or not? Run a tcpdump and filter on port 515.
|
Nope, no data is sent on port 515 - until I comment out first destination, then data is sent on port 515.
So it must be either that syslog-ng is wrongly configured or it is not doing what it should (aka "bug"). |
You can use:
Code:
program_override("tripwire") default-facility(daemon) default-priority(info) |
This is crazy...
I did what you suggested, changed the source to:
Code:
source tripwire {
Code:
app10:~ # service syslog restart

I'm beginning to think syslog-ng is severely broken, is that possible? Version is 2.0.9 - pretty old! But obviously the version OpenSuse uses. Maybe syntax differs, I'll go ahead and check that! |
Oh, yes. I use it on 3.1. Sorry, didn’t think about it. But you can download the source and compile it. In the end it’s only to drop in the executable in /sbin. OTOH: in openSUSE 12.1 there is 3.2 included AFAICS.
Update: Did you upgrade the system? By default they install now rsyslogd, but in YaST you can still switch to syslog-ng. |
I still can't see why this behaviour is happening at all. Maybe there's some deduplication going on? Doubt it... What happens if you change the log() statements around so tripwire is first?
|
First of all let me say I'm sorry I've given false information.
Thing is, we don't have OpenSuse 12.1 on all servers! Logserver is OpenSuse 12.1 but the web-server ("app10") is actually SLES 11. OpenSuse uses syslog-ng 3.3.5, SLES uses 2.0.9. The documentation I've followed is for 3.#, so of course it doesn't work (that program_override for instance is new in 3.0, was "log_prefix" in 2.0).

Anyway, this is not good, we don't want completely different versions of system logger. So, decision to be taken: manually install syslog-ng 3.2 on our SLES-servers, or switch to rsyslog on all? Switching to rsyslog means I need to spend some time learning something new, but it's almost the same version on all - OpenSuse = rsyslog 5.8.5, SLES11 = rsyslog 5.8.7.

Sorry to have fooled you originally, but now that we're discussing: What do you think, can rsyslog do everything syslog-ng can - specifically, can it solve my problem? |
My opinion is, that rsyslog is a competitor syslog daemon to syslog-ng, but not the successor per se. I’m happy with syslog-ng and I will continue to use it. If you are happy with the syntax and the features it offers, I would stay with it.
|
syslog-ng is great, I far prefer it to rsyslog, not that it's really something to lose sleep over.
|
So we decided to stick to syslog-ng, at least for now.
But I just can't get this to work in any way! I have set up 2 OpenSuse 12.1 in Virtualbox, removed rsyslogd & installed syslog-ng. Both servers now use syslog-ng 3.1.1, also no app-armor, no firewall, same subnet. Tried several things:
1) Configuration copied in exactly as in first post
2) Used "program_override" & filter instead, as suggested by Reuti, like this:
Client:
Code:
destination loganalyzer { udp(172.16.4.19 port(514)); };
Code:
source srcExt {

The "filter" method, as I understand it: whenever something is written to /var/log/tripwire/tripwire on the client it should be sent to the server with "program" set to "tripwire", correct? But nothing is sent at all. Using the method with different ports and commenting out the first destination, /var/log/Hosts/tripwire.log is written to. No other config receives anything for tripwire. I also tried to change the log() statements around like acid_kewpie suggested, both on sender and receiver (one at a time), but to no avail.

Funny thing is, still using the "ports" method, even if I change port numbers around so "tripwire" is first and sends to port 514, and all other logs are sent to port 515 - now the server receives on port 515! This is really weird, I must be doing something wrong but I just can't figure out what? I've read & read & read examples, docs, howtos... all saying both these methods should work! |
By setting the program name, you don’t need two ports any longer. I only use the usual 515 to transfer all log messages. To exclude the tripwire logs from other logs you can use a negated filter.
|
Yes, I should have mentioned that when using the "filter" method I used only one port.
But the problem is still there, the tripwire logs are not sent at all so it's obviously something on the client side (for both methods). |
This isn't intended as a solution, and syslog-ng can totally work fine here, but you might want to generally consider using Splunk as a light forwarder on the client as well as the server side. It can make things like managing host names and times better, with the data passing across the network in Splunk format already.
|
Is the file continually updated? Additional options I use are follow_freq(600) flags(no-parse,no-multi-line).
|
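The single-port approach the thread converges on (program_override on the client, a program() filter plus its negation on the server, and the follow_freq/flags options from the last post), written out as an added example in syslog-ng 3.x syntax; it is not configuration posted by anyone in the thread. The server address 192.0.2.10, the @version line and the destination file names are assumptions; adjust them to your hosts.

```conf
# ---- client: /etc/syslog-ng/syslog-ng.conf (syslog-ng 3.x) ----
@version: 3.1

source s_local { internal(); unix-dgram("/dev/log"); };

# Read tripwire's own log file. program_override() labels every line as
# program "tripwire", so the server can separate it without extra ports.
# follow_freq() polls the file every 600 s; no-parse keeps raw lines,
# no-multi-line stops continuation lines being merged.
source s_tripwire {
    file("/var/log/tripwire/tripwire"
         program_override("tripwire")
         default-facility(daemon)
         default-priority(info)
         follow_freq(600)
         flags(no-parse, no-multi-line));
};

# Placeholder log server; everything goes to the one port.
destination d_logserver { udp("192.0.2.10" port(514)); };

log { source(s_local); source(s_tripwire); destination(d_logserver); };


# ---- server: /etc/syslog-ng/syslog-ng.conf (syslog-ng 3.x) ----
@version: 3.1

source s_net { udp(ip("0.0.0.0") port(514)); };

# Match on the program name set by the client, and its negation.
filter f_tripwire     { program("tripwire"); };
filter f_not_tripwire { not filter(f_tripwire); };

destination d_tripwire { file("/var/log/Hosts/tripwire.log"); };
destination d_hosts    { file("/var/log/Hosts/$HOST.log"); };

log { source(s_net); filter(f_tripwire);     destination(d_tripwire); };
# Negated filter keeps tripwire lines out of the general per-host files.
log { source(s_net); filter(f_not_tripwire); destination(d_hosts); };
```

Validate each file with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` before restarting; on a 2.0.x host this will fail on program_override, which is the version mismatch the thread ran into.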