New syslog-ng not receiving any log files from anywhere

syslog-ng not receiving any logs.
I am new to syslog, but I think I have configured the syslog-ng config file. But I am not receiving any logs from my ASA or any other device.

The syslog-ng service has started correctly. Has anybody seen this issue before?
syslog-server-new.rtf
thombieAsked:
David FavorLinux/LXD/WordPress/Hosting SavantCommented:
Best you start at the beginning.

Contrary to the marketing on the syslog-ng site, I've never seen a major Distro (in vanilla form) ship syslog-ng running by default.

Usually rsyslog is running...

Which means...

You had to replumb your system to destroy old syslog + install syslog-ng + try to get syslog-ng running.

Doing this (and having all logging work as expected) is super hard.

Unlikely you can just nuke rsyslog + install syslog-ng + expect... well... any logging to work...

Unless you really require syslog-ng (like with 100s-1000s of machines where central TCP logging is required) don't replumb your machine logging.

If you do require central logging for many machines, then post your /etc/os-release file + every single step you took to nuke your default logging system + install syslog-ng as a replacement.

Likely you just missed a step.
0
Mihai BarbosTrying to tame bits. They're nasty.Commented:
1. Check if the firewall(s) allow you to connect to the syslog port (514, if I remember correctly)

PS: Please attach files in text format (not rtf)
1
David FavorLinux/LXD/WordPress/Hosting SavantCommented:
Yep, might be as simple as mbarbos suggested above.

Typically if I have to set up syslog-ng I use netcat to verify whatever port I'm using correctly flows packets.

Run nc at both ends + verify you can connect over your IP/port/protocol triplet.
1
Mihai BarbosTrying to tame bits. They're nasty.Commented:
Well, I think telnet would do the job too ... ;)
0
David FavorLinux/LXD/WordPress/Hosting SavantCommented:
Netcat is far better for debugging.

With netcat you can in seconds start a TCP or UDP server on any random IP/port + have it listen forever.

Then on the client end, issue repeated nc commands + debug + fix problems, till your connection works.

You can use telnet + you'll be hard pressed to get much usable debug info out of telnet (compared to running nc at both ends).
1

Mihai BarbosTrying to tame bits. They're nasty.Commented:
I totally agree, David. netcat is a very useful tool. But I'm lazy ...
Just to check if I can connect to a TCP port, telnet is usually enough, if things get complicated then bigger guns are called for.

Indeed, netcat + openssl s_client / s_server are the real deal.
0
arnoldCommented:
Check the LAN IP of the system about which you are talking.
lsof -i:514
Check the ASA to make sure the IP in the first part is set as the log-server.....

It is not receiving files; it is sent events that it then, based on configuration, sorts/stores in files.

Are you using the existing server as a reference to set this one up?


This is a simplification combining the prior comments...
0
thombieAuthor Commented:
It's very odd: I can see the traffic when I do tcpdump, but it is not populating the log.

!658 # tcpdump -i eth0 -n udp 'port 514'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:33:04.078539 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 145
08:33:04.078645 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 197
08:33:04.078797 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 172
08:33:04.078950 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 146
08:33:04.135470 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 145
08:33:04.135527 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 197
0
arnoldCommented:
Look at your syslog/rsyslog.conf file for how it deals with LOCAL4 events

08:33:04.078539 IP 10.132.112.97.55449 > 10.132.112.193.syslog: SYSLOG local4.info, length: 145

syslog/rsyslog, depending on which you have installed, is the one that would be writing the events into the log file.
0
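An added example, not posted in this thread and not syslog-ng's own code, that reproduces in Python the two checks suggested above: the listener/sender pair David runs with nc at both ends (here on a loopback UDP socket with an OS-chosen port, because binding 514 needs root), and the PRI decoding behind arnold's LOCAL4 point, so you can see whether a classic "facility.level" selector such as local4.* would match what the ASA is sending. The sample message and its PRI value 166 (local4 = facility 20, info = severity 6, 20*8+6) are constructed; the ASA message text is a made-up placeholder.

```python
import socket
import threading

# Facility and severity names by their numeric codes (RFC 3164 / RFC 5424).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(message: str):
    """Return (facility, severity) names from the leading '<PRI>' of a syslog message.
    PRI = facility * 8 + severity, so 166 decodes to local4.info, matching tcpdump's output."""
    if not message.startswith("<") or ">" not in message:
        raise ValueError("missing <PRI> header")
    pri = int(message[1:message.index(">")])
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Evaluate a classic syslog.conf selector ('local4.*', '*.info', 'local4,local5.warning').
    Traditional semantics: the level part matches that severity and everything more severe;
    '*' matches all levels and 'none' matches nothing (used to exclude a facility)."""
    fac_part, sev_part = selector.split(".", 1)
    fac_ok = fac_part == "*" or facility in fac_part.split(",")
    if sev_part == "*":
        sev_ok = True
    elif sev_part == "none":
        sev_ok = False
    else:
        sev_ok = SEVERITIES.index(severity) <= SEVERITIES.index(sev_part)
    return fac_ok and sev_ok


def loopback_udp_test(message: str, host: str = "127.0.0.1", timeout: float = 2.0):
    """Stand in for 'nc at both ends': bind a UDP listener (the server side), send one
    datagram to it (the client side) and return the text the listener received, or None
    if nothing arrived before the timeout."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, 0))  # port 0: let the OS pick a free port; 514 would need root
    port = listener.getsockname()[1]
    listener.settimeout(timeout)
    received = {}

    def serve():
        try:
            data, _peer = listener.recvfrom(65535)
            received["data"] = data.decode("utf-8", "replace")
        except socket.timeout:
            received["data"] = None
        finally:
            listener.close()

    server = threading.Thread(target=serve)
    server.start()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.sendto(message.encode("utf-8"), (host, port))
    sender.close()
    server.join()
    return received["data"]


if __name__ == "__main__":
    # Constructed sample: PRI 166 is what an ASA logging at local4.info would send.
    SAMPLE = "<166>%ASA-6-000000: constructed sample local4.info message"
    fac, sev = decode_pri(SAMPLE)
    print(f"facility={fac} severity={sev}")
    for sel in ("local4.*", "*.info", "*.warning", "local7.*", "local4.none"):
        print(f"{sel:12} -> {selector_matches(sel, fac, sev)}")
    print("loopback datagram received intact:", loopback_udp_test(SAMPLE) == SAMPLE)
```

If the loopback test passes but the real listener shows nothing, the gap is between the ASA and the socket (routing or firewall, as this thread eventually found), not in the daemon; if the datagram arrives but the selector check comes back False for your configured filter, the message is being dropped by the configuration rather than the network.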
thombieAuthor Commented:
Thanks guys for all the suggestions; it turned out to be a routing issue on my firewall.
0