thombie asked:
New syslog-ng not receiving any log files from anywhere
syslog NG not receiving any logs.
I am new to syslog, but I think I have configured the syslog-ng config file. However, I am not receiving any logs from my ASA or any other device.
The syslog-ng service has started correctly. Has anybody seen this issue before?
syslog-server-new.rtf
1. Check if the firewall(s) allow you to connect to the syslog port (514, if I remember correctly).
PS: Please attach files in text format (not rtf)
Yep, might be as simple as mbarbos suggested above.
Typically, if I have to set up syslog-ng, I use netcat to verify that whatever port I'm using correctly passes packets.
Run nc at both ends and verify you can connect over your IP/port/protocol triplet.
Well, I think telnet would do the job too ... ;)
I totally agree, David. netcat is a very useful tool. But I'm lazy ...
Just to check if I can connect to a TCP port, telnet is usually enough; if things get complicated, then bigger guns are called for.
Indeed, netcat + openssl s_client / s_server are the real deal.
Check the LAN IP of the system you are talking about:
lsof -i:514
Check the ASA to make sure the IP in the first part is set as the log server.
It is not receiving files; it is sent events that it then, based on configuration, sorts/stores in files.
Are you using the existing server as a reference to set this one up?
This is a simplification combining the prior comments.
ASKER
It's very odd: I can see the traffic when I run tcpdump, but it is not populating the log.
!658 # tcpdump -i eth0 -n udp 'port 514'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:33:04.078539 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 145
08:33:04.078645 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 197
08:33:04.078797 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 172
08:33:04.078950 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 146
08:33:04.135470 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 145
08:33:04.135527 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 197
Look at your syslog/rsyslog.conf file to see how it deals with LOCAL4 events:
08:33:04.078539 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 145
syslog/rsyslog, depending on which you have installed, is the one that would be writing the events into the log file.
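The netcat check suggested earlier and the tcpdump capture above cover the two sides of this kind of triage: prove a datagram can reach the collector, then work out which facility.severity the arriving events carry so the collector's filters can be checked against them. The script below is an added example, not code from the thread or from syslog-ng; it assumes a POSIX sh with awk, sort and nc available, and the collector address 10.132.112.193 and port 514 are taken from the capture in the thread (hostname "testhost" and the message text are constructed placeholders).

```sh
#!/bin/sh
# Added example for this thread (not from syslog-ng or the posters above).
# 1) build a BSD-style (RFC 3164) syslog line that mimics the ASA's local4.info
#    traffic and push it at the collector with netcat, as suggested in the thread;
# 2) tally facility.severity per sender from "tcpdump -n udp port 514" output,
#    so you know which facility your syslog-ng/rsyslog filters must match.

# Syslog facility numbers (RFC 3164 table).
facility_code() {
    case "$1" in
        kern) echo 0 ;;   user) echo 1 ;;    mail) echo 2 ;;    daemon) echo 3 ;;
        auth) echo 4 ;;   syslog) echo 5 ;;  lpr) echo 6 ;;     news) echo 7 ;;
        uucp) echo 8 ;;   cron) echo 9 ;;    authpriv) echo 10 ;; ftp) echo 11 ;;
        local0) echo 16 ;; local1) echo 17 ;; local2) echo 18 ;; local3) echo 19 ;;
        local4) echo 20 ;; local5) echo 21 ;; local6) echo 22 ;; local7) echo 23 ;;
        *) return 1 ;;
    esac
}

# Syslog severity numbers (RFC 3164 table).
severity_code() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;;  crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# PRI = facility * 8 + severity; local4.info -> 166.
syslog_pri() {
    f=$(facility_code "$1") || return 1
    s=$(severity_code "$2") || return 1
    echo $(( f * 8 + s ))
}

# <PRI>TIMESTAMP HOST TAG: MSG  (timestamp format "Mmm dd hh:mm:ss")
build_syslog_msg() {
    # $1 facility, $2 severity, $3 hostname, $4 message text
    pri=$(syslog_pri "$1" "$2") || return 1
    ts=$(date '+%b %e %H:%M:%S')
    printf '<%s>%s %s syslog-test: %s' "$pri" "$ts" "$3" "$4"
}

# Send one constructed local4.info datagram over UDP with a one-second timeout.
# Usage: send_test_msg 10.132.112.193 514   (collector IP/port from the capture)
send_test_msg() {
    build_syslog_msg local4 info testhost "connectivity check" | nc -u -w 1 "$1" "$2"
}

# Read tcpdump summary lines on stdin; print "sender facility.severity count".
# Field layout of a tcpdump line:
#   $3 = source ip.port   $7 = "facility.severity,"   (see capture above)
summarize_capture() {
    awk '/SYSLOG/ {
        split($3, src, ".")
        sender = src[1] "." src[2] "." src[3] "." src[4]   # drop the port suffix
        sub(/,$/, "", $7)                                  # strip trailing comma
        count[sender " " $7]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample: two of the lines from the capture above, so the script
# demonstrates itself without a live collector.
SAMPLE_CAPTURE='08:33:04.078539 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 145
08:33:04.078645 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 197'

printf '%s\n' "$SAMPLE_CAPTURE" | summarize_capture
```

Run `tcpdump -i eth0 -n udp 'port 514' | ./syslog-triage.sh`-style piping into `summarize_capture` on the collector to get a per-sender tally; in this thread everything arrives as local4.info from 10.132.112.97, so whichever syslog-ng log path writes the ASA file must have no filter that excludes facility local4. `send_test_msg` lets you inject a known datagram from another host and confirm it appears both in tcpdump and in the destination file, which separates a network/firewall problem (nothing in tcpdump) from a collector configuration problem (seen in tcpdump, absent from the log).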
ASKER
Thanks, guys, for all the suggestions. It turned out to be a routing issue on my firewall.
Contrary to the marketing on the syslog-ng site, I've never seen a major distro (in vanilla form) ship syslog-ng running by default.
Usually rsyslog is running...
Which means...
You had to replumb your system to destroy old syslog + install syslog-ng + try to get syslog-ng running.
Doing this (and having all logging work as expected) is super hard.
It's unlikely you can just nuke rsyslog + install syslog-ng + expect... well... any logging to work...
Unless you really require syslog-ng (like with 100s-1000s of machines where central TCP logging is required), don't replumb your machine logging.
If you do require central logging for many machines, then post your /etc/os-release file + every single step you took to nuke your default logging system + install syslog-ng as a replacement.
Likely you just missed a step.