My syslog-ng.conf:
@version: 3.0
# Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/dl/html/syslog...
#
options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (10000);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
    ts_format (rfc3164);
};
######
# sources
source s_local {
    # message generated by Syslog-NG
    internal();
    # standard Linux log source (this is the default place for the syslog()
    # function to send logs to)
    unix-stream("/dev/log");
    # messages from the kernel
    file("/proc/kmsg" program_override("kernel: "));
};
source all_tcp { tcp(ip(0.0.0.0) port(1470)); };
source all_udp { udp(ip(0.0.0.0) port(514)); };
######
# destinations
destination d_messages { file("/var/log/messages"); };
destination d_perf_test { file("/apps/logs/syslog_ng/perf_test.1"); };
destination d_prod { file("/apps/logs/syslog_ng/prod.1"); };
destination d_dr { file("/apps/logs/syslog_ng/dr.1"); };
destination d_covad { file("/apps/logs/syslog_ng/covad.1"); };
filter f_perf_test { (host(10.253.16.1) or host(10.253.16.111) or host(10.253.99.1) or host(10.253.16.100) or host(10.253.7.1) or host(10.253.16.101) or host(10.253.16.102) or host(10.253.16.103) or host(172.21.189.128) or host(172.21.189.129) or host(172.21.154.128) or host(172.21.148.128) or host(10.253.8.1) or host(10.253.8.111) or host(172.20.111.10) or host(10.253.8.112) or host(10.253.8.100) or host(10.253.8.101) or host(10.253.8.224) or host(10.253.8.225)); };
filter f_prod { (host(10.253.253.1) or host(10.253.253.3) or host(10.253.253.4) or host(10.253.12.100) or host(10.253.12.1) or host(10.253.12.101) or host(10.253.12.102) or host(10.253.12.103) or host(172.19.189.128) or host(172.19.189.129) or host(172.19.154.128) or host(172.19.148.128) or host(10.253.13.100) or host(10.253.13.1) or host(10.253.13.101) or host(10.253.13.224) or host(10.253.13.225) or host(10.253.101.10)); };
filter f_dr { (host(10.253.253.101) or host(10.253.253.103) or host(10.253.253.104) or host(10.253.253.105) or host(10.253.112.100) or host(10.253.112.1) or host(10.253.112.101) or host(10.253.112.102) or host(10.253.112.103) or host(172.29.189.128) or host(172.29.154.128) or host(172.29.148.128) or host(172.29.148.28) or host(10.253.113.100) or host(10.253.113.1) or host(10.253.113.101) or host(10.253.113.224) or host(10.253.113.225)); };
filter f_covad { (host(10.253.99.150) or host(10.253.99.1)); };
log { source(s_local); destination(d_messages); };
log { source(all_udp); filter(f_perf_test); destination(d_perf_test); };
log { source(all_udp); filter(f_prod); destination(d_prod); };
log { source(all_udp); filter(f_dr); destination(d_dr); };
log { source(all_udp); filter(f_covad); destination(d_covad); };
===================================
Syslog-ng was able to capture all other sources except 10.253.99.1 and 10.253.99.150 (destination of f_covad).
Question:
Is my configuration correct? Are there any other options that might help troubleshoot this problem?
How do I check whether my NIC is receiving the log from covad source?
How do I check whether syslog-ng is listening and able to read the syslog message from covad address?
Any help will be appreciated.
Best Answer
In the past I have opted to quote IP addresses as part of the host section of a filter string. So, using this as an example, you should make the following changes:
Otherwise I see nothing wrong with your config. Next you should check your host firewall to see if UDP port 514 is open from your log sources. Next after that is seeing if the logs are even making it that far. What I often like to do for testing reception of syslog traffic is to simply use tcpdump. It will parse the message and display the appropriate data. For example:
This gives us all the information we need to see if the messages are even getting to the host.
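The following is an added example, written for this page and not posted by the asker or the answerer. It models two things a practitioner would want to check for the config above: that syslog-ng's host() filter is an unanchored regular expression applied to the HOST field of the message (so an unquoted `10.253.99.1` also matches `10.253.99.150`, and with keep_hostname(yes) that field comes from the message header, not from the sender's address), and that a UDP datagram actually arrives on a socket and can be parsed. The sample messages, the `covad-rtr1` hostname and the loopback socket are constructed; the addresses are the ones in the posted filters.

```python
"""Simulate how syslog-ng's host() filter sees a message that arrived over UDP.

Added example (not part of the original post). The addresses come from the
posted config; the messages and the hostname 'covad-rtr1' are constructed.
"""
import re
import socket

# Constructed RFC 3164 messages, as a router or server might emit them.
SAMPLE_MESSAGES = [
    "<34>Oct 11 22:14:15 10.253.99.150 sshd[123]: Accepted publickey for ops",
    "<13>Oct 11 22:14:16 covad-rtr1 cron[44]: job finished",
    "<13>Oct 11 22:14:17 10.253.12.100 app[9]: heartbeat",
]

_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def parse_rfc3164(line):
    """Return facility, severity, timestamp, HOST and MSG, or None if not RFC 3164."""
    m = _RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def host_matches(pattern, host):
    """syslog-ng's host() is an unanchored regex match against the HOST macro,
    so '.' is a wildcard and '10.253.99.1' also matches '10.253.99.150'."""
    return re.search(pattern, host) is not None


def route(messages, filters):
    """Mirror the posted log{} statements: every log path whose filter matches
    receives the message (no flags(final), so paths do not compete)."""
    routed = {name: [] for name in filters}
    for line in messages:
        parsed = parse_rfc3164(line)
        if parsed is None:
            continue
        for name, patterns in filters.items():
            if any(host_matches(p, parsed["host"]) for p in patterns):
                routed[name].append(line)
    return routed


def send_and_receive(messages, host="127.0.0.1"):
    """Deliver the messages over a loopback UDP socket and return, per message,
    the sender address the kernel reports and the HOST field from the header.
    With keep_hostname(yes) syslog-ng filters on the header value, not the
    sender address, so the two can legitimately differ."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind((host, 0))  # ephemeral port, constructed stand-in for udp port 514
    rx.settimeout(2.0)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    port = rx.getsockname()[1]
    results = []
    try:
        for line in messages:
            tx.sendto(line.encode(), (host, port))
            data, (sender_ip, _) = rx.recvfrom(8192)
            parsed = parse_rfc3164(data.decode())
            results.append((sender_ip, parsed["host"] if parsed else None))
    finally:
        tx.close()
        rx.close()
    return results


# Two of the posted filters, with host() arguments treated as the regexes they are.
FILTERS = {
    "f_covad": ["10.253.99.150", "10.253.99.1"],
    "f_prod": ["10.253.12.100", "10.253.12.1"],
}

if __name__ == "__main__":
    for name, lines in route(SAMPLE_MESSAGES, FILTERS).items():
        print(name, "<-", [parse_rfc3164(l)["host"] for l in lines])
    for sender, header_host in send_and_receive(SAMPLE_MESSAGES):
        print("sender", sender, "header HOST", header_host)
```

Running it shows the message whose header carries the bare hostname `covad-rtr1` reaching no destination at all, even though it came from a listed address: that is the case to rule out first, by comparing what tcpdump shows as the source address against the hostname field inside the packet payload.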