[News]

News:

[boert]

boert

boert

Send boert an email.

Show boert's last posts.

Show general stats for boert.

• 
• Newbie
• Posts: 5

Hi,
we run a SLES10 SP2 server as a syslog-ng server for a couple of month without errors. Now I added a secondary nic in the server an binded a subnet to the nic. The first switch from this subnet logs to syslog-ng fine, but every switch else in this subnet don't create a log-directory on the server. I've run ethereal an see that all switches send their packets to port 514 on the server, but syslog-ng do nothing with this packets. What can be wrong?

Regards, Boert

[mutex]

mutex

mutex

Show mutex's last posts.

Show general stats for mutex.

• 
• Administrator
• Newbie
• Posts: 782

It's hard to diagnose without more info, but here are some things to check:

Does the subnet mask for the second NIC match that of all the switches on the second network? 
Are you running a firewall on the syslog-ng server that needs to be updated?
In the syslog-ng config, do you have the proper filters set up to capture the priority that the switches are sending their logs with?
Start syslog-ng with the "-d -v" flags to enable verbose debug mode, and see if there are any clues in the output.

[boert]

boert

boert

Send boert an email.

Show boert's last posts.

Show general stats for boert.

• 
• Newbie
• Posts: 5

Hi,

it's syslog-ng version 1.6.8
The subnet mask is the same in the whole subnet. The firewall was updated for the second nic. One switch in the subnet will be sucessfully logged in /var/log/HOSTS the others will be not. The switches in the subnet of the first nic will be logged too.

[mutex]

mutex

mutex

Show mutex's last posts.

Show general stats for mutex.

• 
• Administrator
• Newbie
• Posts: 782

Did you take a look at the debug output and verify the priority that the switches are send the syslog messages out with?

[boert]

boert

boert

Send boert an email.

Show boert's last posts.

Show general stats for boert.

• 
• Newbie
• Posts: 5

Here comes the syslog-ng.conf:

#
# Global options.
#
#options { long_hostnames(off); sync(0); perm(0640); stats(3600); };
options {
#long_hostnames (on);
#stats(3600);
dir_perm(0600);
perm(0600);
#chain_hostnames(yes);
use_dns(yes);
create_dirs(yes);
#keep_hostname(yes);
};
#
# 'src' is our main source definition. you can add
# more sources driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
   #
   # include internal syslog-ng messages
   # note: the internal() soure is required!
   #
   internal();

   #
   # the following line will be replaced by the
   # socket list generated by SuSEconfig using
   # variables from /etc/sysconfig/syslog:
   #
   unix-dgram("/dev/log");

   #
   # uncomment to process log messages from network:
   #
#   udp(ip("0.0.0.0") port(514));
#   tcp(ip("0.0.0.0") port(514)keep-alive(yes));
};
#
#Source f. Netzwerk Uni
#
source uni {
   udp(ip("0.0.0.0") port(514));
   tcp(ip("0.0.0.0") port(514)keep-alive(yes));
};

#
# Filter definitions
#
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };

filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit)   and facility(news); };
filter f_newserr    { level(err)    and facility(news); };
filter f_news       { facility(news); };

filter f_mailinfo   { level(info)      and facility(mail); };
filter f_mailwarn   { level(warn)      and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };

filter f_cron       { facility(cron); };

filter f_local      { facility(local0, local1, local2, local3,
                               local4, local5, local6, local7); };

filter f_acpid      { match('^\[acpid\]:'); };
filter f_netmgm     { match('^NetworkManager:'); };

filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };

#
# Logging nach /var/log/HOSTS/
# Hosts from network
#
destination hosts {
file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY");
#file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY" owner(root)
#group(root) perm(0600) dir_perm(0600) create_dirs(yes));
};
log {source(uni); destination(hosts); };

#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console  { pipe("/dev/tty10"    group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };


#
# News-messages in separate files:
#
destination newscrit   { file("/var/log/news/news.crit"
                              owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr    { file("/var/log/news/news.err"
                              owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"
                              owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };


#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr);  destination(mailerr); };

#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };

 
#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };

#
# NetworkManager messages in one file:
#
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };


#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };


#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };


#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };


#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };


#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };

and here the debug output:
gc_mark: Marking object of class 'syslog_backend' (0)
gc_mark: Marking object of class 'syslog_config' (1)
gc_mark: Marking object of class 'resource_list' (2)
gc_mark: Marking object of class 'io_fd' (3)
gc_mark: Marking object of class 'pkt_buffer' (4)
gc_mark: Marking object of class 'io_fd' (4)
gc_mark: Marking object of class 'log_reader' (5)
gc_mark: Marking object of class 'afsocket_source_connection' (6)
gc_mark: Marking object of class 'afunix_source' (7)
gc_mark: Marking object of class 'unix_address_info' (
gc_mark: Marking object of class 'object_queue' (
gc_mark: Marking object of class 'log_source_group' (
gc_mark: Marking object of class 'log_source_driver' (9)
gc_mark: Marking object of class 'log_center' (9)
gc_mark: Marking object of class 'log_connection' (10)
gc_mark: Marking object of class 'log_endpoint_info' (11)
gc_mark: Marking object of class 'log_source_group' (12)
gc_mark: Marking object of class 'afinet_source' (13)
gc_mark: Marking object of class 'inet_address_info' (14)
gc_mark: Marking object of class 'object_queue' (14)
gc_mark: Marking object of class 'afsocket_source_connection' (15)
gc_mark: Marking object of class 'io_fd' (16)
gc_mark: Marking object of class 'log_reader' (17)
gc_mark: Marking object of class 'afsocket_source_close_callback' (17)
gc_mark: Marking object of class 'afinet_source' (14)
gc_mark: Marking object of class 'listen_fd' (15)
gc_mark: Marking object of class 'afsocket_accept_callback' (16)
gc_mark: Marking object of class 'inet_address_info' (15)
gc_mark: Marking object of class 'object_queue' (15)
gc_mark: Marking object of class 'log_endpoint_info' (11)
gc_mark: Marking object of class 'log_dest_group' (12)
gc_mark: Marking object of class 'affile_dest' (13)
gc_mark: Marking object of class 'affile_dest_writer' (14)
gc_mark: Marking object of class 'log_connection' (11)
gc_mark: Marking object of class 'log_endpoint_info' (12)
gc_mark: Marking object of class 'log_endpoint_info' (12)
gc_mark: Marking object of class 'log_filter' (13)
gc_mark: Marking object of class 'filter_expr_op' (14)
gc_mark: Marking object of class 'filter_expr_op' (15)
gc_mark: Marking object of class 'filter_expr_op' (16)
gc_mark: Marking object of class 'filter_expr_pri' (17)
gc_mark: Marking object of class 'filter_expr_pri' (17)
gc_mark: Marking object of class 'filter_expr_call' (16)
gc_mark: Marking object of class 'filter_expr_op' (15)
gc_mark: Marking object of class 'filter_expr_pri' (16)
gc_mark: Marking object of class 'filter_expr_pri' (16)
gc_mark: Marking object of class 'log_filter' (14)
gc_mark: Marking object of class 'filter_expr_op' (15)
gc_mark: Marking object of class 'filter_expr_op' (16)
gc_mark: Marking object of class 'filter_expr_pri' (17)
gc_mark: Marking object of class 'filter_expr_re' (17)
gc_mark: Marking object of class 'filter_expr_re' (16)
gc_mark: Marking object of class 'log_filter' (14)
gc_mark: Marking object of class 'filter_expr_op' (15)
gc_mark: Marking object of class 'filter_expr_pri' (16)
gc_mark: Marking object of class 'filter_expr_pri' (16)
gc_mark: Marking object of class 'log_filter' (15)
gc_mark: Marking object of class 'filter_expr_op' (16)
gc_mark: Marking object of class 'filter_expr_pri' (17)
gc_mark: Marking object of class 'filter_expr_pri' (17)
gc_mark: Marking object of class 'log_filter' (16)
gc_mark: Marking object of class 'filter_expr_op' (17)
gc_mark: Marking object of class 'filter_expr_pri' (18)
gc_mark: Marking object of class 'filter_expr_pri' (18)
gc_mark: Marking object of class 'log_filter' (17)
gc_mark: Marking object of class 'filter_expr_pri' (18)
gc_mark: Marking object of class 'log_filter' (18)
gc_mark: Marking object of class 'filter_expr_op' (19)
gc_mark: Marking object of class 'filter_expr_pri' (20)
gc_mark: Marking object of class 'filter_expr_pri' (20)
gc_mark: Marking object of class 'log_filter' (19)
gc_mark: Marking object of class 'filter_expr_op' (20)
gc_mark: Marking object of class 'filter_expr_pri' (21)
gc_mark: Marking object of class 'filter_expr_pri' (21)
gc_mark: Marking object of class 'log_filter' (20)
gc_mark: Marking object of class 'filter_expr_op' (21)
gc_mark: Marking object of class 'filter_expr_pri' (22)
gc_mark: Marking object of class 'filter_expr_pri' (22)
gc_mark: Marking object of class 'log_filter' (21)
gc_mark: Marking object of class 'filter_expr_pri' (22)
gc_mark: Marking object of class 'log_filter' (22)
gc_mark: Marking object of class 'filter_expr_pri' (23)
gc_mark: Marking object of class 'log_filter' (23)
gc_mark: Marking object of class 'filter_expr_pri' (24)
gc_mark: Marking object of class 'log_filter' (24)
gc_mark: Marking object of class 'filter_expr_re' (25)
gc_mark: Marking object of class 'log_filter' (25)
gc_mark: Marking object of class 'filter_expr_re' (26)
gc_mark: Marking object of class 'log_filter' (26)
gc_mark: Marking object of class 'filter_expr_op' (27)
gc_mark: Marking object of class 'filter_expr_pri' (28)
gc_mark: Marking object of class 'filter_expr_call' (28)
gc_mark: Marking object of class 'log_filter' (27)
gc_mark: Marking object of class 'filter_expr_op' (28)
gc_mark: Marking object of class 'filter_expr_pri' (29)
gc_mark: Marking object of class 'filter_expr_call' (29)
gc_mark: Marking object of class 'log_filter' (28)
gc_mark: Marking object of class 'filter_expr_pri' (29)
gc_mark: Marking object of class 'log_endpoint_info' (12)
gc_mark: Marking object of class 'log_dest_group' (13)
gc_mark: Marking object of class 'affile_dest' (14)
gc_mark: Marking object of class 'log_connection' (12)
gc_mark: Marking object of class 'log_endpoint_info' (13)
gc_mark: Marking object of class 'log_endpoint_info' (13)
gc_mark: Marking object of class 'log_endpoint_info' (13)
gc_mark: Marking object of class 'log_dest_group' (14)
gc_mark: Marking object of class 'affile_dest' (15)
gc_mark: Marking object of class 'log_connection' (13)
gc_mark: Marking object of class 'log_endpoint_info' (14)
gc_mark: Marking object of class 'log_endpoint_info' (14)
gc_mark: Marking object of class 'log_endpoint_info' (14)
gc_mark: Marking object of class 'log_dest_group' (15)
gc_mark: Marking object of class 'affile_dest' (16)
gc_mark: Marking object of class 'log_connection' (14)
gc_mark: Marking object of class 'log_endpoint_info' (15)
gc_mark: Marking object of class 'log_endpoint_info' (15)
gc_mark: Marking object of class 'log_endpoint_info' (15)
gc_mark: Marking object of class 'log_dest_group' (16)
gc_mark: Marking object of class 'affile_dest' (17)
gc_mark: Marking object of class 'log_connection' (15)
gc_mark: Marking object of class 'log_endpoint_info' (16)
gc_mark: Marking object of class 'log_endpoint_info' (16)
gc_mark: Marking object of class 'log_endpoint_info' (16)
gc_mark: Marking object of class 'log_dest_group' (17)
gc_mark: Marking object of class 'affile_dest' (18)
gc_mark: Marking object of class 'log_connection' (16)
gc_mark: Marking object of class 'log_endpoint_info' (17)
gc_mark: Marking object of class 'log_endpoint_info' (17)
gc_mark: Marking object of class 'log_endpoint_info' (17)
gc_mark: Marking object of class 'log_dest_group' (18)
gc_mark: Marking object of class 'affile_dest' (19)
gc_mark: Marking object of class 'log_connection' (17)
gc_mark: Marking object of class 'log_endpoint_info' (18)
gc_mark: Marking object of class 'log_endpoint_info' (18)
gc_mark: Marking object of class 'log_endpoint_info' (18)
gc_mark: Marking object of class 'log_dest_group' (19)
gc_mark: Marking object of class 'affile_dest' (20)
gc_mark: Marking object of class 'log_connection' (18)
gc_mark: Marking object of class 'log_endpoint_info' (19)
gc_mark: Marking object of class 'log_endpoint_info' (19)
gc_mark: Marking object of class 'log_endpoint_info' (19)
gc_mark: Marking object of class 'log_dest_group' (20)
gc_mark: Marking object of class 'affile_dest' (21)
gc_mark: Marking object of class 'log_connection' (19)
gc_mark: Marking object of class 'log_endpoint_info' (20)
gc_mark: Marking object of class 'log_endpoint_info' (20)
gc_mark: Marking object of class 'log_endpoint_info' (20)
gc_mark: Marking object of class 'log_dest_group' (21)
gc_mark: Marking object of class 'affile_dest' (22)
gc_mark: Marking object of class 'log_connection' (20)
gc_mark: Marking object of class 'log_endpoint_info' (21)
gc_mark: Marking object of class 'log_endpoint_info' (21)
gc_mark: Marking object of class 'log_endpoint_info' (21)
gc_mark: Marking object of class 'log_dest_group' (22)
gc_mark: Marking object of class 'affile_dest' (23)
gc_mark: Marking object of class 'log_connection' (21)
gc_mark: Marking object of class 'log_endpoint_info' (22)
gc_mark: Marking object of class 'log_endpoint_info' (22)
gc_mark: Marking object of class 'log_endpoint_info' (22)
gc_mark: Marking object of class 'log_dest_group' (23)
gc_mark: Marking object of class 'affile_dest' (24)
gc_mark: Marking object of class 'log_connection' (22)
gc_mark: Marking object of class 'log_endpoint_info' (23)
gc_mark: Marking object of class 'log_endpoint_info' (23)
gc_mark: Marking object of class 'log_endpoint_info' (23)
gc_mark: Marking object of class 'log_dest_group' (24)
gc_mark: Marking object of class 'affile_dest' (25)
gc_mark: Marking object of class 'log_connection' (23)
gc_mark: Marking object of class 'log_endpoint_info' (24)
gc_mark: Marking object of class 'log_endpoint_info' (24)
gc_mark: Marking object of class 'log_endpoint_info' (24)
gc_mark: Marking object of class 'log_dest_group' (25)
gc_mark: Marking object of class 'affile_dest' (26)
gc_mark: Marking object of class 'log_connection' (24)
gc_mark: Marking object of class 'log_endpoint_info' (25)
gc_mark: Marking object of class 'log_endpoint_info' (25)
gc_mark: Marking object of class 'log_endpoint_info' (25)
gc_mark: Marking object of class 'log_dest_group' (26)
gc_mark: Marking object of class 'affile_dest' (27)
gc_mark: Marking object of class 'log_connection' (25)
gc_mark: Marking object of class 'log_endpoint_info' (26)
gc_mark: Marking object of class 'log_endpoint_info' (26)
gc_mark: Marking object of class 'log_endpoint_info' (26)
gc_mark: Marking object of class 'log_dest_group' (27)
gc_mark: Marking object of class 'affile_dest' (28)
gc_mark: Marking object of class 'afsocket_source_close_callback' (5)
gc_mark: Marking object of class 'UNKNOWN' (1)
gc_mark: Marking object of class 'affile_dest_reaper' (1)
gc_mark: Marking object of class 'UNKNOWN' (1)
Marking fd 3 for closing.

[mutex]

mutex

mutex

Show mutex's last posts.

Show general stats for mutex.

• 
• Administrator
• Newbie
• Posts: 782

The cause of the problem you are having is not apparent to me.  If I were troubleshooting this, I would compare a captured syslog message using ethereal or tcpdump from the switch that is working and the switch that is not working to see what differences there are.

[boert]

boert

boert

Send boert an email.

Show boert's last posts.

Show general stats for boert.

• 
• Newbie
• Posts: 5

I checked the captured packets from 2 switches to the syslog-ng server. They are exactly the same. One switch has a entry in /var/etc/HOSTS/ the other not. The logging settings on both cisco switches are the same. The syslog-ng server still don't create a directory for new switches in /var/log/HOSTS/

[mutex]

mutex

mutex

Show mutex's last posts.

Show general stats for mutex.

• 
• Administrator
• Newbie
• Posts: 782

I would recommend joining the syslog-ng list here https://lists.balabit.hu/mailman/listinfo/syslog-ng  and posting the question there.  I can't see why it is not working for you.

[boert]

boert

boert

Send boert an email.

Show boert's last posts.

Show general stats for boert.

• 
• Newbie
• Posts: 5

Ok, I'll try this way. Thanks for your help!

Regards
Boert