Netgate Discussion Forum

Syslog-ng not binding to multiple interfaces (incorrect config being generated)

2.4 Development Snapshots
    A Former User
    last edited by Mar 8, 2018, 4:20 PM

    Tracing through why syslog-ng was not recording log entries from my networks, even though everything, including firewall logs, shows packets being received, I found that syslog-ng is only binding to the last configured interface. Looking at the configuration being generated by pfSense, it is placing all the IP addresses to bind to in a single syslog() driver statement. This results in syslog-ng only binding to the last defined IP (interface) in the syslog() driver declaration. This can be verified by logging into a command shell and checking active listening ports using 'netstat -n | grep 5140'.

    Looking through the syslog-ng 3.13 documentation, it does not indicate that multiple ip() directives can be used inside a syslog() driver definition, and various configuration examples I could find show using multiple source driver statements in the source definition block.

    Modifying the configuration file to break up the "ip(xx.xx.xx.xx)" bindings to multiple syslog() driver statements and then manually starting syslog-ng, it correctly binds to all defined interfaces.

    Example pfSense generated config (/usr/local/etc/syslog-ng.conf) that will only bind to the last defined interface:

    # This file is automatically generated by pfSense
    # Do not edit manually !
    @version:3.13
    destination _DEFAULT { file("/var/syslog-ng/default.log"); };
    log { source(_DEFAULT); destination(_DEFAULT); };
    source _DEFAULT { internal(); syslog(transport(udp) port(5140) ip(192.168.1.1) ip(192.168.3.1) ip(192.168.6.1) ip(192.168.9.1) ip(127.0.0.1)); };
    
    

    Modified configuration that binds all defined interfaces.

    @version:3.13
    destination _DEFAULT { file("/var/syslog-ng/default.log"); };
    log { source(_DEFAULT); destination(_DEFAULT); };
    source _DEFAULT {
        internal();
        syslog(transport(udp) port(5140) ip(192.168.1.1));
        syslog(transport(udp) port(5140) ip(192.168.3.1));
        syslog(transport(udp) port(5140) ip(192.168.6.1));
        syslog(transport(udp) port(5140) ip(192.168.9.1));
        syslog(transport(udp) port(5140) ip(127.0.0.1));
    };
    
    

    References:

    https://syslog-ng.com/documents/html/syslog-ng-ose-3.13-guides/en/syslog-ng-ose-guide-admin/html/configuring-sources-syslog.html

    https://syslog-ng.com/documents/html/syslog-ng-ose-3.13-guides/en/syslog-ng-ose-guide-admin/html/reference-source-syslog-chapter.html

    Unrelated to the interface bindings, but also noticed errors in the system log about syslog-ng failing daemon stop/start calls:

    /pkg_edit.php: The command '/usr/local/etc/rc.d/syslog-ng.sh stop' returned exit code '1', the output was '' 
    

    Running /usr/local/etc/rc.d/syslog-ng stop from command shell produces the following output:

    Cannot 'stop' syslog_ng.  Set syslog_ng_enable to YES in /etc/rc.conf or use 'onestop' instead of 'stop'.
    

    Running /usr/local/etc/rc.d/syslog-ng onestop or onestart, syslog-ng stops and starts without error.

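A check for the pattern reported in the post above, as an added example that is not part of the original post or of the pfSense package code: it flags any syslog() driver that carries more than one ip() option and rewrites it as one driver per address, so a collector that silently listens on fewer interfaces than intended is caught before log sources go missing. The function names are hypothetical, the sample is the generated config quoted in the post, and the parser assumes no parentheses inside quoted strings.

```python
import re

# Sample input: the generated config quoted in the post.
GENERATED = '''@version:3.13
destination _DEFAULT { file("/var/syslog-ng/default.log"); };
log { source(_DEFAULT); destination(_DEFAULT); };
source _DEFAULT { internal(); syslog(transport(udp) port(5140) ip(192.168.1.1) ip(192.168.3.1) ip(192.168.6.1) ip(192.168.9.1) ip(127.0.0.1)); };
'''

DRIVER = re.compile(r"\bsyslog\s*\(")                   # does not match "syslog-ng" in paths
IP_OPT = re.compile(r"\bip\s*\(\s*([^()\s]+)\s*\)")     # ip(addr), not ip-tos() or ip-ttl()

def find_drivers(conf):
    """Yield (start, end, body) for each syslog(...) driver, tracking nested parentheses."""
    for m in DRIVER.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"(": 1, ")": -1}.get(conf[i], 0)
            i += 1
        if depth == 0:                                   # skip unterminated statements
            yield m.start(), i, conf[m.end():i - 1]

def multi_ip_drivers(conf):
    """Return the ip() values of every driver statement that declares more than one."""
    found = []
    for _, _, body in find_drivers(conf):
        ips = IP_OPT.findall(body)
        if len(ips) > 1:
            found.append(ips)
    return found

def split_drivers(conf):
    """Rewrite each multi-ip driver as one syslog() statement per address."""
    parts, pos = [], 0
    for start, end, body in find_drivers(conf):
        ips = IP_OPT.findall(body)
        if len(ips) < 2:
            continue                                     # single-address drivers stay untouched
        shared = " ".join(IP_OPT.sub("", body).split())  # transport(), port(), other options
        stmts = ["syslog(%s ip(%s))" % (shared, ip) for ip in ips]
        parts.append(conf[pos:start] + ";\n    ".join(stmts))
        pos = end                                        # the original trailing ';' follows
    return "".join(parts) + conf[pos:]

if __name__ == "__main__":
    for ips in multi_ip_drivers(GENERATED):
        print("driver declares several ip() options:", ", ".join(ips))
    print(split_drivers(GENERATED))
```

After applying a rewritten config, the listening sockets still need to be compared against the address list, as the post does with netstat.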