
I am relatively new to Linux and networking but was tasked with the following at work: I built a CentOS VM (using VirtualBox) on which I had to install Splunk Heavy Forwarder and syslog-ng. The idea is that syslog-ng will listen on a port for incoming logs and write them to a file. After that I will ingest these logs in Splunk by doing file monitoring on that specific file.

I came to two problems.

  1. I am not sure that I configured syslog-ng correctly since I find it difficult to simulate traffic. I was told to try with netcat. What I did was as follows:
  • I created the /var/log/syslog-ng/testlog.txt file, which has the following permissions: -rw-r--r--

  • My source driver in syslog-ng.conf:

    source s_test { network ( ip("127.0.0.1") transport("tcp") port(2514) ); };

  • My destination driver:

    destination d_tests { file ( "/var/log/syslog-ng/testlog.txt" ); };

  • My log statement:

    log { source(s_test); destination(d_test); destination(d_tests); };

  • I tried to simulate traffic using nc -q0 127.0.0.1 2514, but it yields an error that q is an invalid option for nc.

Any help would be much appreciated. Thank you.

  • Never mind. I successfully simulated the traffic with echo "message" | nc 127.0.0.1 2514. Now I have another ask. Can someone help me configure the syslog-ng conf file in such a manner that syslog-ng would listen on 3 different ports for input from three different sources? I'd like to write each source's logs to a different file on the CentOS VM so that I can do 3 file monitors in Splunk. Commented Aug 4, 2020 at 5:48

1 Answer

Just create three different sources:

source s_test { network ( ip("127.0.0.1") transport("tcp") port(2514) ); };

source s_test2 { network ( ip("127.0.0.1") transport("tcp") port(2515) ); };

source s_test3 { network ( ip("127.0.0.1") transport("tcp") port(2516) ); };

Also create three destinations and log paths.

You can simulate traffic using the loggen command of syslog-ng.

  • Yeah, sounds logical, isn't it lol. Commented Aug 4, 2020 at 9:33
  • I'll also try the loggen command Commented Aug 4, 2020 at 9:33
  • Something went incredibly wrong. I did as you said creating 3 sources, destinations and log paths and now when I try to restart it's throwing me error: Commented Aug 4, 2020 at 11:32
  • capabilities, capability management disabled; error='Operation not permitted' [2020-08-04T07:33:50.887591] Plugin module not found in 'module-path'; module-path='/usr/lib64/syslog-ng', module='http' [2020-08-04T07:33:50.889064] Plugin module not found in 'module-path'; module-path='/usr/lib64/syslog-ng', module='http' [2020-08-04T07:33:50.889359] Plugin module not found in 'module-path'; module-path='/usr/lib64/syslog-ng', module='http' [2020-08-04T07:33:50.892116] Error creating persistent state file; filename='/var/lib/syslog-ng/syslog-ng.persist-', error='Permission denied (13)' Commented Aug 4, 2020 at 11:34
  • It was a permission issue. I logged in as root and fixed it. Now it throws another error: Error initializing message pipeline; plugin_name='syslog', location='/etc/syslog-ng/syslog-ng.conf:35:9' Commented Aug 4, 2020 at 12:06
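The answer's "three sources, three destinations, three log paths" layout, written out as a small generator so the names and ports stay consistent across all three blocks. This is an added example, not code from the question, the answer, or the syslog-ng project; it assumes the syslog-ng network()/file() syntax used in the question, and the app1/app2/app3 names and /var/log/syslog-ng/NAME.log paths are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the question or answer): emit one source, one
# destination and one log path per listener port, so each feed lands in
# its own file for a separate Splunk file monitor.
# Assumption: syslog-ng network()/file() driver syntax as in the question.

# gen_syslog_ng_conf NAME:PORT [NAME:PORT ...]
# Prints a config fragment to stdout; each NAME becomes s_NAME and d_NAME.
gen_syslog_ng_conf() {
    for spec in "$@"; do
        name=${spec%%:*}
        port=${spec#*:}
        # Bind to loopback as the answer does; a non-loopback ip() is only
        # needed if the three senders really are other hosts.
        printf 'source s_%s { network( ip("127.0.0.1") transport("tcp") port(%s) ); };\n' "$name" "$port"
        # Placeholder path; the directory must be writable by the syslog-ng user.
        printf 'destination d_%s { file("/var/log/syslog-ng/%s.log"); };\n' "$name" "$name"
        # Every destination named in a log path must have a matching
        # destination block, otherwise syslog-ng rejects the configuration.
        printf 'log { source(s_%s); destination(d_%s); };\n\n' "$name" "$name"
    done
}

# count_blocks KEYWORD CONFIG_TEXT
# Number of top-level statements starting with KEYWORD in CONFIG_TEXT,
# a quick sanity check before appending the fragment to syslog-ng.conf.
count_blocks() {
    printf '%s\n' "$2" | grep -c "^$1 "
}

# send_test_line PORT MESSAGE
# The simulation the question settled on: a line piped into nc.
send_test_line() {
    printf '%s\n' "$2" | nc 127.0.0.1 "$1"
}

# Typical use on the VM (as root, then restart syslog-ng):
#   gen_syslog_ng_conf app1:2514 app2:2515 app3:2516 >> /etc/syslog-ng/syslog-ng.conf
#   syslog-ng --syntax-only      # validate before restarting the service
#   send_test_line 2515 "hello from app2"
#   tail /var/log/syslog-ng/app2.log
```

Running `syslog-ng --syntax-only` after appending the fragment catches undefined source or destination names and bad plugin references before the service is restarted, which is cheaper than reading the failure out of the restart output.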
