
Mark_667 03-16-2017 11:15 AM

Events not being logged in aggregator
I'm trying to get a SLES 11 system using syslog-ng to log to a syslog aggregator on a second (CentOS) server using rsyslog.

I stripped down the config to the bare minimum. Here's syslog-ng's configuration from Server1.

# /etc/syslog-ng/syslog-ng.conf

# Global options.
options { long_hostnames(off); flush-lines(1); perm(0640); stats(3600); };

source src {
        # include internal syslog-ng messages
        # note: the internal() soure is required!

        # the default log socket for local logging:

# Enable this and adopt IP to send log messages to a log server.
destination logserver { udp("Server2's IP here" port(514)); };
log { source(src); destination(logserver); };

rsyslog changes on server 2. I uncommented:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

It looks foolproof enough but when I run the following command I can only see it on server 1.
logger -p kern.crit "Test from server 1"
I've disabled the firewalls on both and the IP address is correct.

I installed remote syslog2 on server 1. Running the same logger command, I got an entry in server 2's /var/log/messages, albeit with garbled encoding.

I added the following line to the end of /etc/syslog.conf on an openSUSE VM, call it server 3.
*.* Server2's IP here:514
After restarting syslog and again using the logger command, I can only see it output in /var/log/messages locally.

As recommended in this article, on the aggregator machine I did:
strace -s 500 -tfp 8639
Ran the logger command and got nothing.

On the client I did:
sudo tcpdump -n -s 1500 -X port 514
Ran the logger command and also got nothing.

So what's remote syslog2 doing that my client config isn't?
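
Added example, not part of the original post: a small probe that builds the same kern.crit test message as a BSD-syslog (RFC 3164) datagram and sends it straight to UDP 514, bypassing the local syslog daemon, so the tcpdump captures above can show whether the network path or the client's forwarding configuration is the part that fails. The host name "server1", the tag "probe" and the address 192.0.2.10 are placeholders assumed for illustration.

```python
import re
import socket
import time

# Facility names by code 0-23 (12-15 follow the RFC 5424 descriptions).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock " + " ".join(f"local{i}" for i in range(8))).split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()


def build_datagram(priority, text, host="server1", tag="probe", now=None):
    """Build an RFC 3164 datagram for a logger-style priority such as 'kern.crit'."""
    facility, severity = priority.split(".")
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    tm = now or time.localtime()
    stamp = f"{time.strftime('%b', tm)} {tm.tm_mday:2d} {time.strftime('%H:%M:%S', tm)}"
    return f"<{pri}>{stamp} {host} {tag}: {text}".encode("ascii", "replace")


def parse_pri(datagram):
    """Decode the leading <PRI> field into (facility, severity) names."""
    match = re.match(rb"<(\d{1,3})>", datagram)
    if not match or int(match.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI>; not a syslog datagram")
    facility, severity = divmod(int(match.group(1)), 8)
    return FACILITIES[facility], SEVERITIES[severity]


def send_probe(dest_ip, datagram, port=514):
    """Send one datagram over UDP; returns the number of bytes handed to the kernel."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (dest_ip, port))


def loopback_roundtrip(text):
    """Self-check on 127.0.0.1: receive what send_probe emits and decode it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # ephemeral port, no root needed
        listener.settimeout(2)
        send_probe("127.0.0.1", build_datagram("kern.crit", text),
                   port=listener.getsockname()[1])
        data, _ = listener.recvfrom(1500)
    return parse_pri(data), data.decode("ascii")


if __name__ == "__main__":
    print(loopback_roundtrip("Test from server 1"))
    # Against the aggregator (192.0.2.10 is a placeholder address):
    # send_probe("192.0.2.10", build_datagram("kern.crit", "Test from server 1"))
```

If the probe's datagram appears in tcpdump on the client and in the aggregator's log while the logger test does not, the fault is in the client daemon's source or destination configuration rather than in the network or in rsyslog.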
