I am sorry for my bad writing but this is my first question.
So, the situation here is that I have a syslog-ng version 3.24 custom container, based on the Ubuntu:18.04 image, which should accept connections on port 514 in TCP, and after that it saves the logs in a file called "logs.txt". The problem here is that the logs inside the file are all like this:
This is the output of the file logs.txt:
2019-11-27T19:49:10+01:00 ip-client syslog-ng[8012]: EOF occurred while idle; fd='8'
2019-11-27T19:49:10+01:00 ip-client syslog-ng[8012]: Syslog connection broken; fd='8', server='AF_INET(ip-server:514)', time_reopen='10'
2019-11-27T19:49:20+01:00 ip-client syslog-ng[8012]: Syslog connection failed; fd='8', server='AF_INET(ip-server :514)', error='Connection refused (111)', time_reopen='10'
2019-11-27T19:49:30+01:00 ip-client syslog-ng[8012]: Syslog connection failed; fd='8', server='AF_INET(ip-server:514)', error='Connection refused (111)', time_reopen='10'
2019-11-27T19:50:01+01:00 ip-client systemd[1]: Started Session 1540 of user root.
My syslog-ng.conf configuration file is this:
    @version:3.24
    @include "scl.conf"

    options {
        ts_format(iso);
        use-dns(no);
    };

    source u_net {
        syslog(
            ip("0.0.0.0") port(514)
            transport("tcp")
        );
    };

    destination d_file {
        file("logs.txt");
    };

    log {
        source(u_net);
        destination(d_file);
    };
NOTE: the client is sending logs with the same syslog() driver used by the server, so it's not an issue of wrong driver used.
The client is trying to send logs in TCP, but it seems to me that the server is dumping them for some strange reason? What could be wrong? Sorry if information is a bit too scarce.
EDIT: I changed the output port to be 601, but my output file looks the same. Also, I receive messages from other facilities (such as cron, etc.) as shown here below:
{"tags":".classifier.unknown,.source.u_net","msg":"syslog-ng starting up; version='3.5.6'","host":"ip-client","date":"1575040790"}
{"tags":".classifier.unknown,.source.u_net","msg":"Starting System Logger Daemon...","host":"ip-client","date":"1575040790"}
{"tags":".classifier.unknown,.source.u_net","msg":"Started System Logger Daemon.","host":"ip-client","date":"1575040790"}
{"tags":".classifier.unknown,.source.u_net","msg":"Unregistered Authentication Agent for unix-process:995:94462382 (system bus name :1.4031, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)","host":"ip-client","date":"1575040790"}
{"tags":".classifier.unknown,.source.u_net","msg":"Started Session 1867 of user root.","host":"ip-client","date":"1575040801"}
{"tags":".classifier.unknown,.source.u_net","msg":"Starting Session 1867 of user root.","host":"ip-client","date":"1575040801"}
{"tags":".classifier.unknown,.source.u_net","msg":"(root) CMD (/usr/lib64/sa/sa1 1 1)","host":"ip-client","date":"1575040801"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='16', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575040810"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='16', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575040820"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='16', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575040830"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='16', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575040841"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575040851"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575040861"}
{"tags":".classifier.unknown,.source.u_net","msg":"[system] Activating via systemd: service name='net.reactivated.Fprint' unit='fprintd.service'","host":"ip-client","date":"1575041013"}
{"tags":".classifier.unknown,.source.u_net","msg":"Starting Fingerprint Authentication Daemon...","host":"ip-client","date":"1575041013"}
{"tags":".classifier.unknown,.source.u_net","msg":"[system] Successfully activated service 'net.reactivated.Fprint'","host":"ip-client","date":"1575041013"}
{"tags":".classifier.unknown,.source.u_net","msg":"Started Fingerprint Authentication Daemon.","host":"ip-client","date":"1575041013"}
{"tags":".classifier.unknown,.source.u_net","msg":"Launching FprintObject","host":"ip-client","date":"1575041013"}
{"tags":".classifier.unknown,.source.u_net","msg":"D-Bus service launched with name: net.reactivated.Fprint","host":"ip-client","date":"1575041013"}
{"tags":".classifier.unknown,.source.u_net","msg":"entering main loop","host":"ip-client","date":"1575041013"}
{"tags":".classifier.unknown,.source.u_net","msg":"(to root) developer on pts/0","host":"ip-client","date":"1575041017"}
{"tags":".classifier.system,.classifier.unknown,.source.u_net,login","msg":"pam_unix(su-l:session): session opened for user root by developer(uid=1234)","host":"ip-client","date":"1575041017"}
{"tags":".classifier.unknown,.source.u_net","msg":"[system] Activating service name='org.freedesktop.problems' (using servicehelper)","host":"ip-client","date":"1575041017"}
{"tags":".classifier.unknown,.source.u_net","msg":"[system] Successfully activated service 'org.freedesktop.problems'","host":"ip-client","date":"1575041017"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='16', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041021"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='16', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041031"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='16', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041041"}
{"tags":".classifier.unknown,.source.u_net","msg":"No devices in use, exit","host":"ip-client","date":"1575041044"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='16', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041051"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='16', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041061"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='16', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041071"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041081"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041091"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041101"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041111"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041121"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041131"}
{"tags":".classifier.unknown,.source.u_net","msg":"device if010 entered promiscuous mode","host":"ip-client","date":"1575041242"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041251"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041261"}
{"tags":".classifier.unknown,.source.u_net","msg":"device if010 left promiscuous mode","host":"ip-client","date":"1575041262"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041271"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041281"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041291"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041301"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041311"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041321"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='15', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041331"}
{"tags":".classifier.unknown,.source.u_net","msg":"Log statistics; processed='destination(d_spol)=0', processed='src.internal(s_sys#2)=61', stamp='src.internal(s_sys#2)=1575041381', processed='center(received)=61', processed='destination(d_mesg)=78', processed='destination(d_mail)=0', processed='destination(d_auth)=2', processed='destination(d_mlal)=0', processed='center(queued)=167', processed='src.none()=0', stamp='src.none()=0', processed='destination(d_cron)=1', processed='global(payload_reallocs)=2', processed='global(sdata_updates)=0', dropped='dst.syslog(remote#0,tcp,ip-server:601)=0', processed='dst.syslog(remote#0,tcp,ip-server:601)=81', stored='dst.syslog(remote#0,tcp,ip-server:601)=81', processed='destination(d_boot)=0', processed='destination(d_kern)=5', processed='global(msg_clones)=0', processed='source(s_sys)=61', processed='destination(remote)=81'","host":"ip-client","date":"1575041390"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='8', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041391"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='8', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575041401"}
The only message that I should classify is this one though, the others need to be dropped:
{"tags":".classifier.system,.classifier.unknown,.source.u_net,login","msg":"pam_unix(su-l:session): session opened for user root by developer(uid=1234)","host":"ip-client","date":"1575041017"}
How is this possible? Maybe there are too many programs sending their logs and my server can't keep up? If that's the case, what should I do about it?
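An added example, not part of the original question: a Python triage of the JSON records shown above that keeps only records carrying the `login` tag as an exact element of the comma-separated `tags` field and counts what is dropped, separating the sender's own "Syslog connection ..." diagnostics from other traffic. The function name `triage`, the category names and the sample (three records copied from the output above plus one constructed malformed line) are assumptions of this example.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: three records from the output above plus one bad line.
SAMPLE = r'''
{"tags":".classifier.unknown,.source.u_net","msg":"(root) CMD (/usr/lib64/sa/sa1 1 1)","host":"ip-client","date":"1575040801"}
{"tags":".classifier.unknown,.source.u_net","msg":"Syslog connection failed; fd='16', server='AF_INET(ip-server)', error='Connection refused (111)', time_reopen='10'","host":"ip-client","date":"1575040810"}
{"tags":".classifier.system,.classifier.unknown,.source.u_net,login","msg":"pam_unix(su-l:session): session opened for user root by developer(uid=1234)","host":"ip-client","date":"1575041017"}
not json at all
'''


def triage(lines, keep_tag="login"):
    """Return (kept, dropped): records carrying keep_tag, and a Counter of
    why every other line was discarded."""
    kept, dropped = [], Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
            # "tags" is one comma-separated string; match whole elements so a
            # tag that merely contains "login" is not mistaken for it.
            tags = set(rec["tags"].split(","))
            # "date" is a Unix epoch carried as a string.
            when = datetime.fromtimestamp(int(rec["date"]), tz=timezone.utc)
            msg = rec["msg"]
        except (ValueError, KeyError, TypeError, AttributeError):
            dropped["malformed"] += 1
            continue
        if keep_tag in tags:
            kept.append({"time": when.isoformat(), "host": rec.get("host"), "msg": msg})
        elif msg.startswith("Syslog connection"):
            # The forwarding client's own reconnect diagnostics.
            dropped["sender_self_diagnostics"] += 1
        else:
            dropped["untagged"] += 1
    return kept, dropped


if __name__ == "__main__":
    events, stats = triage(SAMPLE.splitlines())
    print(events, dict(stats))
```
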