Hello,
I am fairly new to this and trying to figure out why syslog-ng is unable to read from a TCP/UDP port.
Syslog-ng is running on a server that has multiple interfaces and two of the interfaces have IP addresses assigned to them. We are receiving Apache logs from a remote server on 172.x.y.z:514. We have confirmed that we are receiving traffic on that port as we can see plenty of tcpdump pcaps on that port. Below is how our interfaces are configured.
em01: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.x.x.x netmask 255.255.255.0 broadcast 172.x.x.x
…
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1764631902 bytes 567870007694 (528.8 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1764631902 bytes 567870007694 (528.8 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
En1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
…
RX packets 2610789241 bytes 1641007923277 (1.4 TiB)
RX errors 0 dropped 176 overruns 0 frame 0
TX packets 16 bytes 1376 (1.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16
en2: flags=4355<UP,BROADCAST,PROMISC,MULTICAST> mtu 1500
…
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 17
en3: flags=4355<UP,BROADCAST,PROMISC,MULTICAST> mtu 1500
…
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16
en4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.x.y.z netmask 255.255.255.0 broadcast 172.x.y.z
…
RX packets 13445067 bytes 1895120794 (1.7 GiB)
RX errors 0 dropped 105 overruns 0 frame 0
TX packets 6847011 bytes 1327216427 (1.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 17
The server is running syslog-ng 3.5.6 along with other security tools like netsniff-ng, Snort and Zeek, on CentOS 7.
syslog-ng.conf has the following statements and the destination output files are always empty. I tried tweaking the source statements to several different syslog-ng sources but it didn't make a difference. It appears as though syslog-ng is unable to read the traffic from the interface.
source s_syslog_fwd {
    # no-parse: the received line is stored verbatim in $MESSAGE instead of
    # being parsed as a syslog header
    udp(ip(0.0.0.0) port(514) flags(no-parse));
    tcp(ip(0.0.0.0) port(514) flags(no-parse));
};
destination d_syslog_server { file("/data/outputlogs/$HOST.log"); };
log { source(s_syslog_fwd); destination(d_syslog_server); };
Can anyone provide any insight on how to resolve this issue? I would greatly appreciate any help on this.
Thank you,