
My syslog-ng.conf:

@version: 3.0
# Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/dl/html/syslog...
#

options {
flush_lines (0);
time_reopen (10);
log_fifo_size (10000);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
ts_format (rfc3164);
};

######
# sources
source s_local {
# message generated by Syslog-NG
internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" program_override("kernel: "));
};

source all_tcp { tcp(ip(0.0.0.0) port(1470));
};

source all_udp { udp(ip(0.0.0.0) port(514));
};

######
# destinations
destination d_messages { file("/var/log/messages"); };
destination d_perf_test { file("/apps/logs/syslog_ng/perf_test.1"); };
destination d_prod { file("/apps/logs/syslog_ng/prod.1"); };
destination d_dr { file("/apps/logs/syslog_ng/dr.1"); };

destination d_covad { file("/apps/logs/syslog_ng/covad.1"); };

filter f_perf_test { (host(10.253.16.1) or host(10.253.16.111) or host(10.253.99.1) or host(10.253.16.100) or host(10.253.7.1) or host(10.253.16.101) or host(10.253.16.102) or host(10.253.16.103) or host(172.21.189.128) or host(172.21.189.129) or host(172.21.154.128) or host(172.21.148.128) or host(10.253.8.1) or host(10.253.8.111) or host(172.20.111.10) or host(10.253.8.112) or host(10.253.8.100) or host(10.253.8.101) or host(10.253.8.224) or host(10.253.8.225)); };

filter f_prod { (host(10.253.253.1) or host(10.253.253.3) or host(10.253.253.4) or host(10.253.12.100) or host(10.253.12.1) or host(10.253.12.101) or host(10.253.12.102) or host(10.253.12.103) or host(172.19.189.128) or host(172.19.189.129) or host(172.19.154.128) or host(172.19.148.128) or host(10.253.13.100) or host(10.253.13.1) or host(10.253.13.101) or host(10.253.13.224) or host(10.253.13.225) or host(10.253.101.10)); };

filter f_dr { (host(10.253.253.101) or host(10.253.253.103) or host(10.253.253.104) or host(10.253.253.105) or host(10.253.112.100) or host(10.253.112.1) or host(10.253.112.101) or host(10.253.112.102) or host(10.253.112.103) or host(172.29.189.128) or host(172.29.154.128) or host(172.29.148.128) or host(172.29.148.28) or host(10.253.113.100) or host(10.253.113.1) or host(10.253.113.101) or host(10.253.113.224) or host(10.253.113.225)); };

filter f_covad { (host(10.253.99.150) or host(10.253.99.1)); };

log { source(s_local); destination(d_messages); };

log { source(all_udp); filter(f_perf_test); destination(d_perf_test); };
log { source(all_udp); filter(f_prod); destination(d_prod); };
log { source(all_udp); filter(f_dr); destination(d_dr); };

log { source(all_udp); filter(f_covad); destination(d_covad); };

===================================

Syslog-ng was able to capture all other sources except 10.253.99.1 and 10.253.99.150 with destination of f_covad

Question: Is my configuration correct? Are there any other options that might benefit to troubleshoot this problem?

How do I check whether my NIC is receiving the log from covad source?

How do I check whether syslog-ng is listening and able to read the syslog message from covad address?

Any help will be appreciated.

ceejayoz

2 Answers

In the past I have opted to quote IP addresses as part of the host section of a filter string. So using this as an example you should make the following changes:

filter f_covad { (host("10.253.99.150") or host("10.253.99.1")); };

Otherwise I see nothing wrong with your config. Next you should check your host firewall to see if UDP port 514 is open from your log sources. Next after that is seeing if the logs are even making it that far. What I often like to do for testing reception of syslog traffic is to simply use tcpdump. It will parse the message and display the appropriate data. For example:

packs@ node1:~> sudo tcpdump -i eth0 port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:53:35.633091 IP remote.host.local.47007 > node1.local.syslog: SYSLOG user.info, length: 688
13:53:35.646322 IP remote.host.local.47007 > node1.local.syslog: SYSLOG local5.info, length: 204
13:53:35.654178 IP remote.host.local.47007 > node1.local.syslog: SYSLOG local5.info, length: 204

This gives us all the information we need to see if the messages are even getting to the host.

Scott Pack
  • Based on tcpdump, syslog is received by the NIC. When I use WildPackets, it contains the syslog message using port UDP 514. Is there a way of looking at the raw log from the NIC, or possibly a debug method? – pewter groffom Feb 20 '13 at 19:06
  • `tcpdump` attaches outside the host firewall. You can use `-j LOG` in iptables to verify which chain and which rules a packet might be matching. You can use `strace` to verify that the logs actually reach `syslog-ng` after they have passed the firewall, and `strace` will follow this through all the way to the filesystem. It might be good to filter the `strace` output to just `strace -e trace=file,network`. – Ladadadada Feb 20 '13 at 22:01
  • @Ladadadada: I probably should have spelled out *why* I use tcpdump after checking the firewall config. strace is a great tool, but gods is it annoying to dig through. – Scott Pack Feb 20 '13 at 22:50
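Scott Pack's tcpdump check answers whether datagrams reach the host at all; the next things a practitioner wants to know are whether the datagrams are well-formed BSD syslog and whether a process bound to the port can actually read them. The script below is an added example, not code from either answer or from syslog-ng itself. It builds an RFC 3164 datagram with the PRI encoding that tcpdump decodes as `local5.info`, sends a marker message at a syslog-ng `udp()` source (the target `127.0.0.1:514` is an assumed default), and, as an offline self-check, round-trips a packet through a throwaway loopback listener and decodes it. All hostnames, program names and message texts here are constructed.

```python
"""Build, send and decode RFC 3164 (BSD syslog) UDP datagrams to exercise a
syslog-ng udp() listener end to end. Added example, not from the thread."""
import re
import socket
from datetime import datetime

# Facility and severity names in the order tcpdump prints them ("local5.info").
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"                              # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "    # e.g. "Feb 20 13:53:35"
    r"(?P<host>\S+) "                                   # HOST field that host() filters inspect
    r"(?P<tag>[^:\s]+): ?(?P<msg>.*)$", re.S)           # "program: free text"


def build_rfc3164(facility, severity, host, program, msg, when=None):
    """Return the wire bytes of one BSD syslog message."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"    # RFC 3164 space-pads the day
    return f"<{pri}>{ts} {host} {program}: {msg}".encode()


def parse_rfc3164(data):
    """Decode one datagram into its fields; raise ValueError if it is not RFC 3164."""
    m = RFC3164.match(data.decode(errors="replace"))
    if not m:
        raise ValueError(f"not an RFC 3164 message: {data[:40]!r}")
    pri = int(m["pri"])
    if pri > 191:                                       # 23 facilities * 8 + 7
        raise ValueError(f"PRI out of range: {pri}")
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": m["ts"], "host": m["host"],
            "program": m["tag"], "msg": m["msg"]}


def send_test_message(target=("127.0.0.1", 514), host="testhost",
                      text="syslog-ng path check"):
    """Fire one marker message at a syslog-ng udp() source (assumed target),
    then grep the expected destination file for `text`."""
    packet = build_rfc3164("local5", "info", host, "pathcheck", text)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(packet, target)
    return packet


def loopback_roundtrip(packet, timeout=2.0):
    """Self-check without root or a real log server: bind a throwaway UDP
    listener on loopback, send the packet to it and decode what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))                 # port 0: any free port
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(packet, ("127.0.0.1", port))
        data, (src_ip, _) = listener.recvfrom(65535)
    return src_ip, parse_rfc3164(data)


if __name__ == "__main__":
    # Constructed sample: a message claiming to come from one of the covad hosts.
    pkt = build_rfc3164("local5", "info", "10.253.99.150", "router", "link up")
    src, fields = loopback_roundtrip(pkt)
    print(f"from {src}: {fields['facility']}.{fields['severity']} "
          f"host={fields['host']} program={fields['program']} msg={fields['msg']}")
```

Run `send_test_message(("<log server IP>", 514), host="10.253.99.150")` from a machine that can reach the server and look for the marker text in the destination file. Because the question's config sets `keep_hostname (yes)`, syslog-ng files the message under the HOST field carried in the datagram, so the marker exercises the same `host()` filter the real device would hit. If tcpdump shows the datagram but the file stays empty, the gap is between the socket and the filters, which is where strace or syslog-ng's own debug output (mentioned later in the thread) picks up.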

I like to organise my syslog-ng config slightly differently so that each log definition has flags(final); like this:

log { source(s_src); filter(f_auth); destination(d_auth); flags(final); };

This allows me to have a "catch all" log at the bottom of the config.

destination d_catchall { file("/var/log/$YEAR/$MONTH/catchall.$DAY.log" template("$DATE $FULLHOST $PROGRAM $MSG\n") template_escape(no)); };
#filter f_catchall { not host("192.168.0.254"); };
#log { source(s_src); filter(f_catchall); destination(d_catchall); };
log { source(s_src); destination(d_catchall); };

Anything that isn't explicitly logged earlier in the file is logged in the catchall log. This means I never drop any logs on the floor. It's surprisingly easy to not match the correct program or tag name or use host-based names when a DNS entry is missing or simply mistype an IP address.

The two commented out lines you can see there are for when I do need or want to ignore some logs, such as when some service is logging at the debug level but I don't actually want to store all those logs.

Ladadadada
  • Solved the problem. I used the debug tool that syslog-ng provides by executing syslog-ng -Fevd and writing the output to a file. In that file, you can see how syslog-ng receives syslog from the device and filters it based on the filters that you set up. – pewter groffom Feb 22 '13 at 17:23
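To see what Ladadadada's flags(final) plus catch-all layout does to a message before touching the real config, here is an added Python simulation (not syslog-ng code, and not from either answer) of how syslog-ng walks its log statements: a message is offered to every statement whose filter matches, in file order, until one carrying flags(final) accepts it. syslog-ng's host() filter is a regular-expression match on the HOST field, so the simulation also shows why Scott Pack's advice to quote addresses is worth extending to anchoring: the bare pattern 10.253.99.1 also matches 10.253.99.150. The filter names and addresses are a small subset of those in the question; the rendered filter line uses single-quoted strings, which syslog-ng leaves unescaped (an assumption to confirm against your version's documentation).

```python
"""Simulate syslog-ng log-statement evaluation: host() regex filters,
flags(final) and a trailing catch-all. Added example, not from the thread."""
import re
from dataclasses import dataclass


@dataclass
class LogPath:
    filter_name: str      # "" for a log statement that has no filter()
    patterns: list        # the host() regular expressions of that filter
    destination: str
    final: bool = False   # flags(final)


def host_matches(patterns, host):
    """host() is an (unanchored) regex match on HOST; an empty list means no filter."""
    return not patterns or any(re.search(p, host) for p in patterns)


def route(host, paths):
    """Destinations that receive a message from `host`, in config order."""
    hits = []
    for path in paths:
        if host_matches(path.patterns, host):
            hits.append(path.destination)
            if path.final:            # flags(final): later statements never see it
                break
    return hits


def anchored(ip):
    """Regex that matches exactly this address and nothing longer."""
    return "^" + re.escape(ip) + "$"


def render_filter(name, ips):
    """Emit a syslog-ng filter line with quoted, anchored host() patterns.
    Single quotes assumed to be literal (no escape processing) in syslog-ng."""
    terms = " or ".join(f"host('{anchored(ip)}')" for ip in ips)
    return f"filter {name} {{ {terms}; }};"


def build_paths(ips_by_filter, final, catchall=True):
    """Constructed config: one log statement per filter, optional catch-all last."""
    paths = [LogPath(name, [anchored(ip) for ip in ips], "d_" + name[2:], final)
             for name, ips in ips_by_filter.items()]
    if catchall:
        paths.append(LogPath("", [], "d_catchall"))
    return paths


# Subset of the question's filters; note 10.253.99.1 appears in both.
PERF_TEST = ["10.253.16.1", "10.253.99.1"]
COVAD = ["10.253.99.150", "10.253.99.1"]

AS_POSTED = build_paths({"f_perf_test": PERF_TEST, "f_covad": COVAD}, final=False)
WITH_FINAL = build_paths({"f_perf_test": PERF_TEST, "f_covad": COVAD}, final=True)


if __name__ == "__main__":
    for host in ("10.253.99.150", "10.253.99.1", "10.9.9.9"):
        print(f"{host:14} as posted: {route(host, AS_POSTED)}"
              f"  with flags(final): {route(host, WITH_FINAL)}")
    print(render_filter("f_covad", COVAD))
```

Two things the run makes visible: an unknown host reaches only the catch-all once every specific path is final, which is the "never drop logs on the floor" property, and a host listed in two filters (10.253.99.1 is in both f_perf_test and f_covad in the question) is delivered only to the first one once flags(final) is on, so overlapping filters need to be resolved before adopting that layout.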