Sunday 11 August 2013

Syslog not logging events though the server is receiving syslog packets

Recent issue with a new CentOS syslog-ng box which was configured as a syslog destination for a number of devices, but we weren't seeing any logs being generated.

Things we tested

 - Checked syslog-ng.conf - all good.
 - Sent test syslogs via a command-line syslog generator - all good.
 - Ran tcpdump on the interface receiving syslog via 'tcpdump -A -i bond1 udp port 514' and could see the syslog traffic arriving successfully.
 - Re-ran syslog-ng - still no traffic.

Solution

 - The issue was resolved after adding the following to /etc/sysctl.conf and running sysctl -p.

# Drop packets that look like they are spoofed.  Default = 1.
# 0 = don't check;
# 1 = drop packets that are sourced at a directly connected interface
#     but were input from another interface;
# 2 = drop any packets that look spoofed.
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.bond1.rp_filter = 0
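The symptom above (tcpdump shows the UDP/514 datagrams, syslog-ng never sees them) fits reverse-path filtering, because tcpdump captures before the routing stack applies rp_filter. The script below is an added diagnostic, not part of the original post: it reports the effective rp_filter mode for the interface (the kernel uses the higher of conf/all and conf/<iface>), the kernel's IPReversePathFilter drop counter from /proc/net/netstat, and how to log the individual drops via log_martians before deciding between disabling the check (0, as the post did) and loose mode (2). The interface name bond1 comes from the post; everything else is assumed.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): does reverse-path filtering
# explain syslog datagrams that tcpdump shows arriving but syslog-ng never logs?
IFACE="${1:-bond1}"   # interface name taken from the post; override via $1

# Read rp_filter for one conf/<name> entry from /proc/sys, 0 if it is absent.
read_rp_filter() {
    f="/proc/sys/net/ipv4/conf/$1/rp_filter"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# The kernel applies the higher of conf/all and conf/<iface> as the effective mode.
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Human-readable meaning of each rp_filter mode.
describe_rp_filter() {
    case "$1" in
        0) echo "off: no source-address validation" ;;
        1) echo "strict: drop unless the reply route leaves via the receiving interface" ;;
        2) echo "loose: drop only if the source is unreachable via any interface" ;;
        *) echo "unknown mode $1" ;;
    esac
}

# Pull the IPReversePathFilter drop counter out of /proc/net/netstat text
# (a "TcpExt:" header line followed by a "TcpExt:" value line). Reads stdin.
rpf_drops_from_netstat() {
    awk '$1 == "TcpExt:" {
            if (!seen) {
                for (i = 2; i <= NF; i++) if ($i == "IPReversePathFilter") col = i
                seen = 1
            } else if (col) print $col
         }'
}

if [ -d /proc/sys/net/ipv4/conf ]; then   # only meaningful on a Linux host
    all=$(read_rp_filter all)
    dev=$(read_rp_filter "$IFACE")
    eff=$(effective_rp_filter "$all" "$dev")
    echo "rp_filter all=$all $IFACE=$dev effective=$eff ($(describe_rp_filter "$eff"))"
    drops=$(rpf_drops_from_netstat < /proc/net/netstat)
    echo "packets dropped by rp_filter since boot: ${drops:-unknown}"
    echo "to see each drop: sysctl -w net.ipv4.conf.$IFACE.log_martians=1, then watch dmesg"
fi
```

A non-zero drop counter that climbs while the devices send is the confirmation; a "martian source" line in dmesg then names the offending source address and interface.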