Configure syslog-ng to stream multiple individual log files not working
-
I've installed the syslog-ng package v1.15 on pfsense 2.4.2p1. I'm trying to send a few log files (DNSBL, Firewall, Squid/Squidguard, suricata) from the pfsense local filesystem to a unique remote destination IP:PORT per file src. The problem I'm seeing is that only one of the files (DNSBL) is streamed to all 5 destinations instead of each dst having a unique src file being sent. The configuration appears to be valid, but something isn't right. I've added the screenshot from the web UI as well as the output of the syslog-ng.conf.
Screenshot of the web UI (Services: Syslog-ng, Advanced tab):

Object Type   Object Name      Description
destination   dst_squidGuard   Destination for squidGuard Block Log
destination   dst_Suricata     Destination for Suricata to Logstash
destination   dst_Squid        Destination for Squid Proxy Access Log
destination   dst_Firewall     Destination for Firewall Log
destination   dst_DNSBL        Destination for DNSBL Alert Log
destination   _DEFAULT
log           log_Suricata     Log Line for Suricata
log           log_squidGuard   Log Line for squidGuard Block Log
log           log_Squid        Log Line for Squid Proxy Access Log
log           log_DNSBL        Log Line for DNSBL
log           log_Firewall     Log Line for Firewall
log           _DEFAULT
options       global           Global Options for Syslog-NG
source        src_Squid        Source for Squid Proxy Access Log
source        src_Suricata     Source for Suricata eve.json file
source        src_DNSBL        Source for DNSBL Alert Log
source        src_squidGuard   Source for squidGuard Block Log
source        src_Firewall     Source for Firewall Log
source        _DEFAULT

Content of /usr/local/etc/syslog-ng.conf:

destination dst_squidGuard { tcp("x.x.x.x" port(2003)); };
destination dst_Suricata { tcp("x.x.x.x" port(1999)); };
destination dst_Squid { tcp("x.x.x.x" port(2000)); };
destination dst_Firewall { tcp("x.x.x.x" port(2002)); };
destination dst_DNSBL { tcp("x.x.x.x" port(2001)); };
destination _DEFAULT { file("/var/syslog-ng/default.log"); };
log { source(src_Suricata); destination(dst_Suricata); flags(final);};
log { source(src_squidGuard); destination(dst_squidGuard); flags(final);};
log { source(src_Squid); destination(dst_Squid); flags(final);};
log { source(src_DNSBL); destination(dst_DNSBL); flags(final);};
log { source(src_Firewall); destination(dst_Firewall); flags(final);};
log { source(_DEFAULT); destination(_DEFAULT); };
options { use_dns(no); flush_lines(10000); log_fifo_size(1024); threaded(yes); };
source src_Squid { file("/var/log/squid/access.log" multi-line-mode(indented)); };
source src_Suricata { file("/var/log/suricata/suricata_igb032838/eve.json" multi-line-mode(indented)); };
source src_DNSBL { file("/var/log/pfblockerng/dnsbl.log" multi-line-mode(indented)); };
source src_squidGuard { file("/var/squidGuard/log/block.log" multi-line-mode (indented)); };
source src_Firewall { file("/var/log/filter.log" multi-line-mode(indented)); };
source _DEFAULT { internal(); syslog(transport(tcp) port(5140) ip(x.x.x.y)); };

Feel like I'm missing something basic or stupid but don't see it. Input appreciated.
Developer Question:
1. Shouldn't the config file build in the proper order? options, src, dst, log for format.
-
Anyone have any input on this? I've been fighting this for a couple of weeks. Not seeing the problem. Also manually re-ordered the lines to be options, src, dst, log but no change in behavior.
-
After more testing, and the update to v2.4.3 I'm not seeing any difference in behavior. Anyone know of anything I can try to change? Also, is there a good way to report a bug or is that directly to the redmine project site?
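One check worth running against the posted syslog-ng.conf, added here as an example and not part of the original thread: parse the log{} statements and report any source that is routed to more than one destination, which is the routing the symptom (one file reaching all five destinations) would imply. The regex is a simplification of syslog-ng's grammar and assumes one-line log statements like the ones posted; the second sample is a constructed fan-out case, not the poster's config.

```python
import re

# Constructed sample: the log{} statements exactly as posted in the thread.
POSTED_LOGS = """\
log { source(src_Suricata); destination(dst_Suricata); flags(final);};
log { source(src_squidGuard); destination(dst_squidGuard); flags(final);};
log { source(src_Squid); destination(dst_Squid); flags(final);};
log { source(src_DNSBL); destination(dst_DNSBL); flags(final);};
log { source(src_Firewall); destination(dst_Firewall); flags(final);};
log { source(_DEFAULT); destination(_DEFAULT); };
"""

# Constructed counter-example: a source referenced by two paths, the first
# without flags(final), so its messages reach both destinations.
FANOUT_LOGS = """\
log { source(src_DNSBL); destination(dst_Suricata); };
log { source(src_DNSBL); destination(dst_DNSBL); flags(final);};
"""

LOG_RE = re.compile(r"^\s*log\s*\{(.*?)\};\s*$", re.M | re.S)
NAME_RE = r"\(\s*([^)\s]+)\s*\)"

def parse_log_paths(conf):
    """Return one (sources, destinations, flags) tuple per log{} statement."""
    paths = []
    for m in LOG_RE.finditer(conf):
        body = m.group(1)
        sources = re.findall(r"\bsource" + NAME_RE, body)
        dests = re.findall(r"\bdestination" + NAME_RE, body)
        flags = []
        for group in re.findall(r"\bflags\(([^)]*)\)", body):
            flags.extend(f.strip() for f in group.split(","))
        paths.append((sources, dests, flags))
    return paths

def destinations_per_source(conf):
    """Map each source name to the sorted list of destinations it can reach."""
    reach = {}
    for sources, dests, _flags in parse_log_paths(conf):
        for s in sources:
            reach.setdefault(s, set()).update(dests)
    return {s: sorted(d) for s, d in reach.items()}

def fan_out_sources(conf):
    """Sources reaching more than one destination; empty means strict 1:1 routing."""
    return {s: d for s, d in destinations_per_source(conf).items() if len(d) > 1}

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_LOGS), ("fan-out", FANOUT_LOGS)):
        print(name, fan_out_sources(conf) or "no source feeds more than one destination")
```

An empty result for the posted statements means the routing in the conf is one source to one destination as written, so the fan-out must come from somewhere other than these log paths (the file the package actually loads, or the sources themselves).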