Sending to syslog-ng server on multiple ports doesn't work

pingu_2 · July 17, 2012, 2:35pm

We have a logserver running syslog-ng, all clients also use syslog-ng.
All servers run OpenSuse 12.1.
To test this, I installed 2 servers in VirtualBox, installed syslog-ng 3.1.1 via yast and removed rsyslogd (because plenty other servers runs syslog-ng).
Now we need to save the logs to different files on the log-server, tried doing that by sending to different ports. I have read lots and lots of documentation, all says this should work - but it doesn’t.
What happens is that logs are sent only to the first specified destination. I’m checking this with tcpdump on server and client.
Nothing is sent out on port configured for the second destination defined in senders syslog-ng.conf.
If I comment out the first destination, logs are sent fine to second destination.
I also tried using udp on one destination, tcp on the other both port 514 but no difference.

Details:
Clients syslog-ng.conf, relevant parts:

source src {
        internal();
        unix-dgram("/dev/log");
};
source tripwire {
        file(/var/log/tripwire/tripwire);
};
destination loganalyzer { udp(172.16.4.114 port(514)); };
log { source(src); destination(loganalyzer); };

destination triplog { udp(172.16.4.114 port(515)); };
log { source(tripwire); destination(triplog); };

Server syslog-ng.conf, relevant parts:
          
source srcExt {
        udp(ip("0.0.0.0") port(514));
};
source srcExtTrip {
        udp(ip("0.0.0.0") port(515));
};

# Receive from other
destination std { file("/var/log/Hosts/$YEAR-$MONTH/$HOST-$YEAR.$MONTH.log"); };
log {
        source(srcExt);
        destination(std);
};
# Receive from other - Tripwire
destination stdTrip { file(/var/log/Hosts/tripwire.log); };
log {
        source(srcExtTrip);
        destination(stdTrip);
};

I can’t post complete config files, the message then is far too long.

In short, logserver listens to both ports and writes as it shall to specified logfiles.
The problem is obviously the client that only sends to one port / server (sending to two different logservers works fine).

Why I want to do this is that I need to send Tripwire-logs to logserver from clients that must be completely isolated from the world.
I can’t send tripwire logs to standard logfile, as there is no clear identification then what lines belongs to tripwire.
Any ideas what is wrong?

I have discussed this over at linuxquestions, where I got the tip to instead of different ports use filter.
Tried that but that didn’t work either. And nobody seems to understand why syslog-ng doesn’t send on all defined ports?

czanik · July 17, 2012, 3:05pm

Could you do an upgrade to the latest available syslog-ng version and check it again? openSUSE 12.1 has 3.3.1 and updates have 3.3.5, which contains many-many bugfixes.

Czanik@BalaBit

pingu_2 · July 18, 2012, 1:52pm

Why didn’t I think of that??
So many hours spent, and such an easy solution!
Thanks, it works like a charm!