Syslog-ng OSE ingesting logs from Varonis Server

Hello All,

I am running a Linux CentOS 8 server with Syslog-ng OSE @version:3.36

I am having issues ingesting logs coming from Varonis. When running Wireshark on the Syslog Server, I see the test message being sent from the Varonis Server 10.*.*.196 to the Syslog Server 10.*.*.139.

Source: 10.*.*.196

Dest: 10.*.*.139

Dest port: 514 (UDP)


I can see the packet leave the Varonis server via Wireshark and I can see the packet being received on the Syslog server via Wireshark.

However, the logs are not populating to their defined destination path. *Note: I have other logs being populated properly. Only Varonis logs are causing a problem.*

My Config file is below:

@include "scl.conf"

# syslog-ng configuration file.
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    udp(ip(10.*.*.139) port(514));
};

#Custom Destination
destination d_securden { file("/home/syslogadmin/logs/securden.log"); };
destination d_palo { file("/home/syslogadmin/logs/palo/palo.log"); };
destination d_meraki { file("/home/syslogadmin/logs/meraki/meraki.log"); };
destination d_varonis { file("/home/syslogadmin/logs/varonis.log"); };

#Custom Filter
filter f_securden { host("*.*.*.*"); };

filter f_palo { host("*.*.*.*")or
                host("*.*.*.*"); };

filter f_meraki { host("*.*.*.*")or
                  host("*.*.*.*"); };

filter f_varonis { host("10.*.*.196"); };

#Custom Logs

log { source(s_sys); filter(f_securden); destination(d_securden); };
log { source(s_sys); filter(f_palo); destination(d_palo); };
log { source(s_sys); filter(f_meraki); destination(d_meraki); };
log { source(s_sys); filter(f_varonis); destination(d_varonis); };

#system log paths
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        (facility(news)
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

I updated the file paths so SELinux wouldn't prevent writing.

semanage fcontext -a -t var_log_t  /home/syslogadmin/logs (and all its subfolders/files)

I can confirm that all other logs (securden, meraki, etc) are writing to this path. Varonis is the only one not generating.

Any help would be greatly appreciated. Please let me know if I need to provide additional information.
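
A troubleshooting fragment for the configuration above, added as an example and not part of the original post: with keep_hostname(yes), host() is compared against the hostname carried in the message header (${HOST}), while netmask() is compared against the sender's address. The names d_debug_raw and f_varonis_ip, the debug file path, and the address 192.0.2.196 (a placeholder for the Varonis server) are assumptions.

```conf
# Added troubleshooting fragment, not part of the original configuration.
# d_debug_raw, f_varonis_ip and the debug file name are hypothetical;
# 192.0.2.196 is a placeholder for the Varonis server's address.

# Record every message arriving on s_sys together with the two values the
# filters can match on: the sender address and the parsed HOST field.
destination d_debug_raw {
    file("/home/syslogadmin/logs/debug_raw.log"
         template("src=${SOURCEIP} host=${HOST} msg=${MSGHDR}${MSG}\n"));
};
log { source(s_sys); destination(d_debug_raw); };

# host() tests ${HOST}; netmask() tests the sender address (${SOURCEIP}).
filter f_varonis_ip { netmask("192.0.2.196/32"); };
log { source(s_sys); filter(f_varonis_ip); destination(d_varonis); };
```

If the debug file shows a name or another value in host= for the Varonis test message, that value is what the host() filter in f_varonis is being compared against. Remove the d_debug_raw log path once the check is done, since it duplicates every message received on s_sys.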