LinuxQuestions.org


Mark_667 03-16-2017 11:15 AM

Events not being logged in aggregator
 
I'm trying to get a SLES 11 system using syslog-ng to log to a syslog aggregator on a second (CentOS) server using rsyslog.

I stripped down the config to the bare minimum. Here's syslog-ng's configuration from Server1.
Code:

#
# /etc/syslog-ng/syslog-ng.conf
#

#
# Global options.
#
options { long_hostnames(off); flush-lines(1); perm(0640); stats(3600); };

source src {
        #
        # include internal syslog-ng messages
        # note: the internal() source is required!
        #
        internal();

        #
        # the default log socket for local logging:
        #
        unix-dgram("/dev/log");
};


#
# Enable this and adopt IP to send log messages to a log server.
#
destination logserver { udp("Server2's IP here" port(514)); };
log { source(src); destination(logserver); };

rsyslog changes on server 2. I uncommented:
Code:


# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

It looks foolproof enough but when I run the following command I can only see it on server 1.
logger -p kern.crit "Test from server 1"
I've disabled the firewalls on both and the IP address is correct.

I installed remote syslog2 from
http://help.papertrailapp.com/kb/con...remote_syslog2
on server 1. Running the same logger command I got an entry in server 2's /var/log/messages albeit with garbled encoding.

I added the following line to the end of /etc/syslog.conf on an openSuse VM, call it server 3.
*.* Server2's IP here:514
After restarting syslog and again using the logger command, I can only see it output in /var/log/messages locally.

As recommended in this article
http://help.papertrailapp.com/kb/con...-reachability/
on the aggregator machine I did:
strace -s 500 -tfp 8639
ran the logger command and got nothing.

On the client I did:
sudo tcpdump -n -s 1500 -X port 514
Ran the logger command and also got nothing.

So what's remote syslog2 doing that my client config isn't?
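
Added example, not part of the original post: a hand-built UDP probe that sends the same kern.crit test message without going through syslog-ng, so the tcpdump and /var/log/messages checks described above can separate a network problem from a client configuration problem. The tag `probe`, the function names, and the minimal message layout (priority value only, no timestamp or hostname, which the receiver is assumed to tolerate) are assumptions made for this example.

```python
import socket

# Standard syslog facility and severity codes (subset of the facility list).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_message(priority: str, tag: str, text: str) -> bytes:
    """Build a minimal BSD-style syslog datagram, e.g. priority='kern.crit'."""
    facility, severity = priority.split(".")
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]  # PRI = facility*8 + severity
    return f"<{pri}>{tag}: {text}".encode("ascii", "replace")


def send_udp(host: str, port: int, payload: bytes) -> int:
    """Send one datagram. The return value is bytes handed to the kernel,
    which is not proof of delivery: UDP gives no acknowledgement."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port))


def loopback_check(payload: bytes, timeout: float = 2.0) -> bytes:
    """Send payload to a throwaway listener on 127.0.0.1 and return what arrives,
    confirming the probe itself works before pointing it at the aggregator."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
        rx.settimeout(timeout)
        send_udp("127.0.0.1", rx.getsockname()[1], payload)
        data, _ = rx.recvfrom(2048)
        return data


if __name__ == "__main__":
    import sys
    msg = build_message("kern.crit", "probe", "Test from server 1")
    if len(sys.argv) > 1:
        # argv[1] stands in for "Server2's IP here" from the post
        print(send_udp(sys.argv[1], 514, msg), "bytes sent")
    else:
        print(loopback_check(msg))
```

If the probe appears in the client-side tcpdump and in the aggregator's log while the logger test does not, the network path and rsyslog listener are working and the remaining suspect is the client's syslog configuration.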

