Syslog-ng, /var/log/messages, and alert levels

I am trying to run down a logging issue with the current syslog-ng implementation on turris omnia.

I have snort up and running with a directive in snort.conf to use syslog:
output alert_syslog: LOG_AUTH LOG_ALERT

syslog-ng.conf:

cat /etc/syslog-ng.conf
@version:3.0

options {
 chain_hostnames(no);
 flush_lines(0);        # write each message out immediately (was listed twice; once is enough)
 stats_freq(0);         # no periodic statistics messages
 log_msg_size(65536);   # room for long snort alert lines
};

source src {
 internal();            # syslog-ng's own messages
 unix-dgram("/dev/log"); # local syslog socket; this is where snort's alert_syslog output arrives
};

source kernel {
        file("/proc/kmsg" program_override("kernel"));  # kernel ring buffer, including iptables LOG lines
};

# Drop turris-prefixed (iptables) messages that are logged at debug level; everything else passes.
filter f_turris_iptables {
 not match(".*turris[^:]*: .*" value(MESSAGE)) or not level(debug);
};

destination messages {
 # suppress(5) collapses identical consecutive messages within 5 seconds; ${PRIORITY} is the
 # severity name, so a snort alert lands here as "... alert snort[pid]: ..."
 file("/var/log/messages" suppress(5) template("${ISODATE} ${PRIORITY} ${PROGRAM}[${PID}]: ${MSGONLY}\n") log_fifo_size(256));
};

log {
 source(src);
 source(kernel);
 filter(f_turris_iptables);
 destination(messages);
};

include "/etc/syslog-ng.d/";

When I cat /var/log/messages, the output does not show snort messages or alerts. However, if I cat /var/log/messages | grep snort, suddenly I have alerts.

In addition, I have all my logs being forwarded to an instance of graylog. The snort alerts do not appear there either.

This is rather strange behavior to me…can anyone offer insight or guidance?
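As an added illustration (my code, not part of the original post or of syslog-ng), here is a small Python model of what the posted configuration does to a handful of constructed messages: it decodes the PRI value that snort's `LOG_AUTH LOG_ALERT` setting produces, applies `f_turris_iptables`, and renders the `messages` template, so you can see exactly which line a snort alert becomes in /var/log/messages and why the filter does not touch it. The sample datagrams, the fixed ISODATE and the `process()`/`snort_alerts()` helpers are constructed for the example; `suppress(5)` is not modelled.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEBUG = 7  # level(debug) in the filter

# Constructed samples, not real traffic. A /dev/log datagram is "<PRI>program[pid]: text";
# a /proc/kmsg line is "<PRI>text". PRI = facility * 8 + severity (RFC 3164 / RFC 5424).
DEV_LOG_SAMPLES = [
    # snort with "output alert_syslog: LOG_AUTH LOG_ALERT": auth(4) * 8 + alert(1) = 33
    "<33>snort[4242]: [1:1000001:0] constructed test rule [Priority: 1] {TCP} 192.0.2.10:51000 -> 198.51.100.5:22",
    # dnsmasq at debug: daemon(3) * 8 + debug(7) = 31; no "turris" prefix, so the filter keeps it
    "<31>dnsmasq[311]: query[A] example.test from 192.0.2.10",
]
KMSG_SAMPLES = [
    # iptables LOG line with a turris prefix at kern.debug (0 * 8 + 7): this is what the filter drops
    "<7>turris-wan-in: IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=23",
    # same prefix at kern.warning (4): kept
    "<4>turris-wan-in: IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=22",
    # a kernel debug line without the prefix: kept
    "<7>usb 1-1: new high-speed USB device number 3",
]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
HEADER_RE = re.compile(r"^(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$")
TURRIS_RE = re.compile(r".*turris[^:]*: .*")  # the pattern from filter f_turris_iptables


def parse_dev_log(raw):
    """Split a unix-dgram('/dev/log') datagram into the fields syslog-ng exposes as macros."""
    m = PRI_RE.match(raw)
    if m is None:
        raise ValueError("missing <PRI>: " + raw)
    h = HEADER_RE.match(m.group("rest"))
    if h is None:
        raise ValueError("no program header: " + raw)
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "program": h.group("program"),
            "pid": h.group("pid") or "", "message": h.group("msg")}


def parse_kmsg(raw):
    """Model file('/proc/kmsg' program_override('kernel')): PROGRAM is forced to 'kernel',
    there is no pid, and the whole text after <PRI> is the MESSAGE."""
    m = PRI_RE.match(raw)
    if m is None:
        raise ValueError("missing <PRI>: " + raw)
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "program": "kernel",
            "pid": "", "message": m.group("rest")}


def f_turris_iptables(rec):
    """not match(".*turris[^:]*: .*" value(MESSAGE)) or not level(debug):
    drop a message only when it is turris-prefixed AND at debug level."""
    is_turris = TURRIS_RE.match(rec["message"]) is not None
    return (not is_turris) or rec["severity"] != DEBUG


def render(rec, isodate="2024-01-01T00:00:00+00:00"):
    r"""template("${ISODATE} ${PRIORITY} ${PROGRAM}[${PID}]: ${MSGONLY}\n"). ${PRIORITY} is the
    severity name; a fixed ISODATE stands in for the receive time; an empty PID renders as "[]"."""
    return f"{isodate} {SEVERITIES[rec['severity']]} {rec['program']}[{rec['pid']}]: {rec['message']}\n"


def process(dev_log=DEV_LOG_SAMPLES, kmsg=KMSG_SAMPLES):
    """Run both sources through the filter and the messages destination; returns the file lines."""
    records = [parse_dev_log(l) for l in dev_log] + [parse_kmsg(l) for l in kmsg]
    return [render(r) for r in records if f_turris_iptables(r)]


def snort_alerts(lines):
    """What `grep snort` over /var/log/messages selects."""
    return [l for l in lines if "snort" in l]


if __name__ == "__main__":
    for line in process():
        print(line, end="")
```

Running it prints four lines: the snort alert (severity name "alert"), the dnsmasq debug line, the turris line at warning, and the USB line; the only message removed is the turris-prefixed iptables line at debug, which is the one case the filter targets.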

Well, somewhat embarrassing, but I did “find” the log messages in /var/log/messages using line numbers to guide my way. Perhaps I had not had enough coffee earlier this morning.

However, I am still not seeing anything going upstream to graylog from snort.

Do you have a section in your configuration which forwards events to Graylog? The above configuration snippet does not include anything to achieve that.

I have a separate file for it.

destination graylog {
        # syslog() speaks the IETF syslog protocol (RFC 5424); its transport defaults to tcp
        # with octet-counting framing. port() overrides the driver's default port of 601.
        syslog("xx.xx.xx.xx" port(5514)
        ); #syslog end
};


log {
        source(src);
        source(kernel);
        destination(graylog);   # no filter on this path, so debug iptables lines go upstream too
};

This configuration works! I had previously had a tcp() connection vs. a syslog() connection. Once I switched over, everything started showing up!
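To see what actually changes on the wire between the two drivers, here is an added Python example (mine, not the poster's and not syslog-ng or Graylog code). It frames the same snort alert the way the legacy tcp() destination does by default (an RFC 3164 line terminated by a newline) and the way syslog() does by default (an RFC 5424 message with octet-counting framing, RFC 6587 section 3.4.1), and includes a small receiver that cuts a TCP byte stream under either framing and parses both header formats. The record, host name and timestamps are constructed, and the RFC 5424 parser assumes a "-" STRUCTURED-DATA field. The thread does not say how the Graylog input is configured, so this shows what to compare between the two setups, not why the switch fixed it.

```python
import re

# Constructed record; PRI 33 is LOG_AUTH (4) * 8 + LOG_ALERT (1), the snort.conf setting.
SAMPLE = {
    "pri": 33, "host": "omnia", "program": "snort", "pid": "4242",
    "bsd_time": "Jan  1 00:00:00", "iso_time": "2024-01-01T00:00:00+00:00",
    "msg": "[1:1000001:0] constructed test rule [Priority: 1] {TCP} 192.0.2.10:51000 -> 198.51.100.5:22",
}


def frame_bsd(rec):
    """Default output of the legacy tcp() destination: an RFC 3164 line ending in a newline."""
    line = f"<{rec['pri']}>{rec['bsd_time']} {rec['host']} {rec['program']}[{rec['pid']}]: {rec['msg']}\n"
    return line.encode()


def frame_ietf(rec):
    """Default output of the syslog() destination over TCP: an RFC 5424 message (version "1",
    MSGID and STRUCTURED-DATA both "-") with octet-counting framing, "<length><SP><message>"."""
    body = f"<{rec['pri']}>1 {rec['iso_time']} {rec['host']} {rec['program']} {rec['pid']} - - {rec['msg']}"
    payload = body.encode()
    return f"{len(payload)} ".encode() + payload


def split_frames(stream, accept_octet_counting=True):
    r"""Cut a TCP byte stream into messages. With accept_octet_counting a leading decimal length
    selects octet-counting; otherwise (and for anything starting with "<") the frame ends at "\n".
    A receiver that only knows newline framing never finds the end of an octet-counted message."""
    msgs, i = [], 0
    while i < len(stream):
        m = re.match(rb"(\d+) ", stream[i:]) if accept_octet_counting else None
        if m:
            n, start = int(m.group(1)), i + m.end()
            if start + n > len(stream):
                raise ValueError("truncated octet-counted frame")
            msgs.append(stream[start:start + n])
            i = start + n
        else:
            end = stream.find(b"\n", i)
            if end < 0:
                raise ValueError("no newline terminator in remaining data")
            msgs.append(stream[i:end])
            i = end + 1
    return msgs


BSD_RE = re.compile(rb"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^\[:\s]+)(?:\[(\d+)\])?: (.*)$")
# RFC 5424 header; STRUCTURED-DATA is assumed to be "-" (what syslog-ng emits when there is none).
IETF_RE = re.compile(rb"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) - (.*)$")


def parse_message(msg):
    """Parse one framed message of either format into the same record shape."""
    m = IETF_RE.match(msg)
    if m:
        pri, _ts, host, program, pid, _msgid, text = m.groups()
        fmt = "rfc5424"
    else:
        m = BSD_RE.match(msg)
        if m is None:
            raise ValueError("unparsable syslog message: %r" % msg)
        pri, _ts, host, program, pid, text = m.groups()
        fmt = "rfc3164"
    pri = int(pri)
    return {"format": fmt, "facility": pri // 8, "severity": pri % 8, "host": host.decode(),
            "program": program.decode(), "pid": (pid or b"").decode(), "msg": text.decode()}


def decode_stream(stream, accept_octet_counting=True):
    """Frame-split and parse a whole stream; the receiver side of either destination."""
    return [parse_message(m) for m in split_frames(stream, accept_octet_counting)]


if __name__ == "__main__":
    print(frame_bsd(SAMPLE))
    print(frame_ietf(SAMPLE))
    for rec in decode_stream(frame_bsd(SAMPLE) + frame_ietf(SAMPLE)):
        print(rec["format"], rec["facility"], rec["severity"], rec["program"], rec["pid"])
```

Both framings decode to the same facility, severity, program and pid, which is what a Graylog input should end up showing either way; the practical check when alerts vanish upstream is whether the input's expected framing and header format match the driver in use, for example by feeding `split_frames(..., accept_octet_counting=False)` an octet-counted stream and watching it fail to find a terminator.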