Thread: Sending to syslog-ng server on multiple ports doesn't work

  1. #1

    Sending to syslog-ng server on multiple ports doesn't work

    We have a logserver running syslog-ng; all clients also use syslog-ng.
    All servers run openSUSE 12.1.
    To test this, I installed 2 servers in VirtualBox, installed syslog-ng 3.1.1 via YaST and removed rsyslogd (because plenty of other servers run syslog-ng).
    Now we need to save the logs to different files on the log server, and I tried doing that by sending to different ports. I have read lots and lots of documentation, and all of it says this should work, but it doesn't.
    What happens is that logs are sent only to the first specified destination. I'm checking this with tcpdump on server and client.
    Nothing is sent out on the port configured for the second destination defined in the sender's syslog-ng.conf.
    If I comment out the first destination, logs are sent fine to the second destination.
    I also tried using udp on one destination and tcp on the other, both on port 514, but it made no difference.

    Details:
    Client's syslog-ng.conf, relevant parts:
    Code:
    source src {
            internal();
            unix-dgram("/dev/log");
    };
    # Tripwire log file, read as a separate source
    source tripwire {
            file("/var/log/tripwire/tripwire");
    };
    # First destination: regular logs to port 514
    destination loganalyzer { udp("172.16.4.114" port(514)); };
    log { source(src); destination(loganalyzer); };
    
    # Second destination: Tripwire logs to port 515
    destination triplog { udp("172.16.4.114" port(515)); };
    log { source(tripwire); destination(triplog); };
    Server syslog-ng.conf, relevant parts:
    Code:
    source srcExt {
            udp(ip("0.0.0.0") port(514));
    };
    source srcExtTrip {
            udp(ip("0.0.0.0") port(515));
    };
    
    # Receive from other
    destination std { file("/var/log/Hosts/$YEAR-$MONTH/$HOST-$YEAR.$MONTH.log"); };
    log {
            source(srcExt);
            destination(std);
    };
    # Receive from other - Tripwire
    destination stdTrip { file("/var/log/Hosts/tripwire.log"); };
    log {
            source(srcExtTrip);
            destination(stdTrip);
    };
    I can't post the complete config files; the message would then be far too long.

    In short, the logserver listens on both ports and writes to the specified logfiles as it should.
    The problem is obviously the client, which only sends to one port / server (sending to two different logservers works fine).

    The reason I want to do this is that I need to send Tripwire logs to the logserver from clients that must be completely isolated from the world.
    I can't send Tripwire logs to the standard logfile, as there is then no clear identification of which lines belong to Tripwire.
    Any ideas what is wrong?

    I have discussed this over at linuxquestions, where I got the tip to use a filter instead of different ports.
    I tried that, but it didn't work either. And nobody seems to understand why syslog-ng doesn't send on all defined ports.

  2. #2

    Re: Sending to syslog-ng server on multiple ports doesn't work

    Could you do an upgrade to the latest available syslog-ng version and check it again? openSUSE 12.1 has 3.3.1 and updates have 3.3.5, which contains many, many bugfixes.

    Czanik@BalaBit

  3. #3

    Re: Sending to syslog-ng server on multiple ports doesn't work

    Why didn't I think of that??
    So many hours spent, and such an easy solution!
    Thanks, it works like a charm!
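
Added example, not written by any poster in this thread: a receiver-side check for the symptom described above, where one of two configured destinations stays silent. It listens on each UDP port for a fixed window and reports the ports that received nothing; the function names and window lengths are assumptions, while ports 514 and 515 come from the posted server config.

```python
"""Count syslog datagrams per UDP port to spot a destination that never sends."""
import selectors
import socket
import sys
import time


def open_listeners(ports, host="0.0.0.0"):
    """Bind one UDP socket per port; port 0 lets the OS pick a free one."""
    socks = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((host, port))
        s.setblocking(False)
        socks[s.getsockname()[1]] = s  # key by the port actually bound
    return socks


def count_datagrams(socks, window=10.0):
    """Return {port: datagrams received} after listening for `window` seconds."""
    sel = selectors.DefaultSelector()
    for port, s in socks.items():
        sel.register(s, selectors.EVENT_READ, port)
    counts = dict.fromkeys(socks, 0)
    deadline = time.monotonic() + window
    while (left := deadline - time.monotonic()) > 0:
        for key, _ in sel.select(timeout=left):
            try:
                key.fileobj.recvfrom(65535)
            except BlockingIOError:
                continue
            counts[key.data] += 1
    sel.close()
    return counts


def silent_ports(counts):
    """Ports that received nothing during the window: the log path to alert on."""
    return sorted(p for p, n in counts.items() if n == 0)


if __name__ == "__main__":
    # Ports from the thread's server config. Binding below 1024 needs root,
    # and syslog-ng must not be holding these ports while the check runs.
    listeners = open_listeners([514, 515])
    result = count_datagrams(listeners, window=30.0)
    print(result)
    sys.exit(1 if silent_ports(result) else 0)
```

A non-zero exit status means at least one port saw no traffic, which for the Tripwire path is worth alerting on because missing integrity logs otherwise go unnoticed.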
