Return
-
Title
Logs Not Being Accepted by Syslog-ng -
Description
Logs are reaching the host, however, the logs are not being processed by Syslog-ng. Syslog-ng shows no errors. -
Cause
The rp_filter (reverse path filter) kernel parameter has been set to help prevent spoofing and is rejecting hosts from connecting which causes log loss. -
Resolution
The rp_filter needs to be disabled or a specific route needs to be set up in order to ensure the sources can connect and the logs can be processed.
To check and see if the rp_filter has been applied to the interface in which Syslog-ng is running please run the following command:sysctl -a | grep \\.rp_filter
If the interface ends with a 1 then the interface has the rp_filter enabled. Run the following command to disable the rp_filter temporarily to test if disabling the rp_filter allows the logs to be processed (Settings will default back after a reboot):
sysctl -w net.ipv4.conf..rp_filter=0
example:
sysctl -w net.ipv4.conf.eth0.rp_filter=0
If disabling the rp_filter temporarily allows logs to be processed then it will need to be disabled permanently or a specific route will need to be set up to ensure logs can be collected moving forward.