
I have 3 Amazon EC2 instances with Ubuntu 12.04

  1. Production Server (LAMP Server w/o MYSQL, syslog-ng client)
  2. Development Server (LAMP w/ MYSQL, syslog-ng client)
  3. Logging Server (syslog-ng Server)

I connect to all of these using an SSH connection. Each of these also has AIDE with Logwatch installed; for the firewall I use UFW and iptables.

My question is:

How do I send all the logs from the 2 servers to my logging server?

I have all the private IPs and I want to use them with syslog-ng. I've given firewall rules to open ports for syslog-ng and only allow connections from the production server and development server. But none of them are sending the logs.

What am I doing wrong?

slm
deadmantfa
  • What configuration have you done on both the source and the target syslog-ng? – Ladadadada Aug 08 '13 at 06:57
  • On the logging server I have set port 514 tcp/udp to allow incoming from the Development and Production server by using their private IPs. On the Prod and Dev server I have set up only outbound to the logging server's private IP. I have done this in the console using ssh, but as per dmourati's comment below I guess creating a security group would be better, which I have done, but it does not help. – deadmantfa Aug 08 '13 at 07:51

1 Answer

You have to configure syslog-ng on the clients to know about the server.

You need something like:

log { source(local_src); destination(d_messages); };

Also, keep in mind that syslog-ng can work over either tcp or udp and that Amazon's security groups would require two separate rules, one tcp and one udp, to allow both traffic types.

You can verify the syslog-ng server is listening on port 514 with

netstat -ntpl

for tcp or

netstat -nulp

for udp.

dmourati
  • Thank you dmourati for your response. I have done the same, but I am still unable to capture the logs. But I do have a query: do I need to set the security group AND set it using ufw or iptables using the console? Or will it work if I do it in one place, i.e. creating a security group and no changes in UFW and iptables? – deadmantfa Aug 08 '13 at 07:45
  • All three places I would imagine. First, I'd start by shutting down UFW/iptables and see if the communication goes through. Then, create rules in UFW/iptables as necessary. (Note, I have no experience with UFW). – dmourati Aug 08 '13 at 07:50
  • Here is the log error I am getting: kernel: [30336469.991425] [UFW BLOCK] IN=eth0 OUT= MAC=XXXX SRC=**DEV SERVER Private IP** DST=**Logging Server Private Ip ** LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=8637 DF PROTO=TCP SPT=52580 DPT=** PORT for LOG ** WINDOW=14600 RES=0x00 SYN URGP=0 – deadmantfa Aug 08 '13 at 08:01
  • sudo ufw disable ? – dmourati Aug 08 '13 at 08:03
  • Ok I shall try this. – deadmantfa Aug 08 '13 at 08:27
  • Tried the solution, it did not work. ufw is disabled, allowing port 514. Syslog connection failed; fd='15', server='AF_INET(*Logging server Private IP*:514)', error='Connection refused (111)', time_reopen='60' – deadmantfa Aug 08 '13 at 08:34
  • nmap shows the port is closed on the logging server, and is showing only tcp. – deadmantfa Aug 08 '13 at 08:37
  • From the dev server log: Syslog connection failed; fd='19', server='AF_INET(*Logging server Private IP*:514)', error='Connection refused (111)', time_reopen='60' – deadmantfa Aug 08 '13 at 09:06
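As an added example (not from the question or the answer above), here is a minimal syslog-ng configuration for both sides of the setup described on this page: the logging server listens on TCP and UDP 514 and writes one file per client host, and each client forwards its local logs over TCP. It assumes the 3.3-era tcp()/udp() drivers (later releases still accept them), and the address 10.0.1.20 is a placeholder for the logging server's private IP.

```conf
# --- Logging server: /etc/syslog-ng/syslog-ng.conf (added example) ---
@version: 3.3
@include "scl.conf"

# keep_hostname(yes) keeps the client's own hostname in the stored record
# instead of replacing it with the sender's IP; use_dns(no) avoids blocking
# lookups and DNS-dependent names in the log path.
options { keep_hostname(yes); chain_hostnames(off); use_dns(no); };

# Listen on both transports. The EC2 security group and UFW on this host
# need one matching rule per protocol (tcp 514 and udp 514) from each
# client's private IP; the UFW BLOCK line in the comments is this rule missing.
source s_remote {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};

# One file per client host and day; create_dirs(yes) creates the
# per-host directory when the first message arrives.
destination d_remote {
    file("/var/log/remote/${HOST}/${YEAR}-${MONTH}-${DAY}.log" create_dirs(yes));
};

log { source(s_remote); destination(d_remote); };

# --- Each client (prod/dev): /etc/syslog-ng/syslog-ng.conf (added example) ---
@version: 3.3
@include "scl.conf"

# system() reads the platform's local log source (/dev/log on Linux);
# internal() adds syslog-ng's own messages, which is where the
# "Syslog connection failed" lines quoted above come from.
source s_local { system(); internal(); };

# 10.0.1.20 is a placeholder for the logging server's private IP.
destination d_logserver { tcp("10.0.1.20" port(514)); };

log { source(s_local); destination(d_logserver); };
```

Check each file with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` before restarting the service; the `Connection refused (111)` in the comments means nothing on the logging server was bound to port 514, which `netstat -ntpl` there should show once the s_remote source is loaded.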