syslog-ng unable to read from a UDP port

Hello,

I am fairly new to this and trying to figure out why syslog-ng is unable to read from a TCP/UDP port.

Syslog-ng is running on a server that has multiple interfaces and two of the interfaces have IP addresses assigned to them. We are receiving Apache logs from a remote server on 172.x.y.z:514. We have confirmed that we are receiving traffic on that port as we can see plenty of tcpdump pcaps on that port. Below is how our interfaces are configured.

 

em01: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.x.x.x  netmask 255.255.255.0  broadcast 172.x.x.x
        …

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1764631902  bytes 567870007694 (528.8 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1764631902  bytes 567870007694 (528.8 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

En1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        …
        RX packets 2610789241  bytes 1641007923277 (1.4 TiB)
        RX errors 0  dropped 176  overruns 0  frame 0
        TX packets 16  bytes 1376 (1.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16

en2: flags=4355<UP,BROADCAST,PROMISC,MULTICAST>  mtu 1500
        …
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17

en3: flags=4355<UP,BROADCAST,PROMISC,MULTICAST>  mtu 1500
        …
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16

en4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.x.y.z  netmask 255.255.255.0  broadcast 172.x.y.z
        RX packets 13445067  bytes 1895120794 (1.7 GiB)
        RX errors 0  dropped 105  overruns 0  frame 0
        TX packets 6847011  bytes 1327216427 (1.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17

The server is running syslog-ng 3.5.6 along with other security tools like netsniff-ng, Snort and Zeek, on CentOS 7.

syslog-ng.conf has the following statements, and the destination output files are always empty. I tried tweaking the source statements to several different syslog-ng sources, but it didn't make a difference. It appears as though syslog-ng is unable to read the traffic from the interface.

 

source s_syslog_fwd {
    udp(ip(0.0.0.0) port(514) flags(no-parse) );
    tcp(ip(0.0.0.0) port(514) flags(no-parse) );
};

destination d_syslog_server { file("/data/outputlogs/$HOST.log"); };

log { source(s_syslog_fwd); destination(d_syslog_server); };

 

Can anyone provide any insight on how to resolve this issue? I would greatly appreciate any help on this.

Thank you,
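An added diagnostic, not from the original post or the syslog-ng project, that separates "tcpdump sees the packets" from "a bound socket can receive them": tcpdump captures at the interface, so a datagram whose destination address is not one of the host's own (for example traffic arriving on a mirrored interface) shows up in the pcap but is never handed to any socket, and a packet that is deliverable can still be dropped by firewalld or SELinux before syslog-ng reads it. The script cross-checks the destinations in captured traffic against the local addresses from `ip -4 -o addr` and the UDP listeners from `ss -ulnp`; all sample command output below is constructed.

```python
import re

# Constructed sample command output (not from the original post). On a real host
# feed in the text of `ip -4 -o addr`, `tcpdump -nn udp port 514` and `ss -ulnp`.
IP_ADDR_OUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: em01  inet 172.16.1.10/24 brd 172.16.1.255 scope global em01
7: en4   inet 172.16.2.20/24 brd 172.16.2.255 scope global en4
"""
TCPDUMP_OUT = """\
10:01:02.000001 IP 10.0.0.5.40000 > 172.16.2.20.514: SYSLOG local1.info, length 120
10:01:02.000002 IP 10.0.0.6.40001 > 172.16.9.9.514: SYSLOG local1.info, length 118
10:01:02.000003 IP 10.0.0.7.40002 > 172.16.2.20.1514: SYSLOG local1.info, length 99
"""
SS_OUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:514        0.0.0.0:*         users:(("syslog-ng",pid=1234,fd=9))
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def local_addrs(ip_addr_out):
    """IPv4 addresses the kernel will accept packets for (parsed from `ip -4 -o addr`)."""
    return set(re.findall(r"\binet " + IPV4 + r"/", ip_addr_out))

def udp_listeners(ss_out):
    """Map (bind_addr, port) -> process name for UDP sockets shown by `ss -ulnp`."""
    result = {}
    for m in re.finditer(r"^UNCONN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$", ss_out, re.M):
        proc = re.search(r'"([^"]+)"', m.group(3))
        result[(m.group(1), int(m.group(2)))] = proc.group(1) if proc else "?"
    return result

def captured_dsts(tcpdump_out):
    """(dst_ip, dst_port) pairs seen on the wire by tcpdump."""
    return [(ip, int(p)) for ip, p in re.findall(r"> " + IPV4 + r"\.(\d+):", tcpdump_out)]

def diagnose(ip_addr_out, tcpdump_out, ss_out):
    """For each captured flow, say why a bound UDP socket might still see nothing."""
    locals_, lst, verdicts = local_addrs(ip_addr_out), udp_listeners(ss_out), {}
    for ip, port in captured_dsts(tcpdump_out):
        if ip not in locals_:
            verdicts[(ip, port)] = "not-local"    # mirrored/transit traffic: never reaches a socket
        elif (ip, port) in lst or ("0.0.0.0", port) in lst:
            verdicts[(ip, port)] = "deliverable"  # socket exists; next suspects are firewalld/SELinux
        else:
            verdicts[(ip, port)] = "no-listener"  # nothing bound on that address:port
    return verdicts

if __name__ == "__main__":
    for (ip, port), verdict in diagnose(IP_ADDR_OUT, TCPDUMP_OUT, SS_OUT).items():
        print(f"{ip}:{port} -> {verdict}")
```

A "deliverable" verdict with still-empty output files points at host filtering (firewall or SELinux policy on the syslog-ng process) rather than at the source definition.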