Move the forwarding rule to the top, that should solve your issue. Rainer
Sent from phone, thus brief. David Lang via rsyslog <rsyslog@lists.adiscon.com> schrieb am Do., 17. Aug. 2023, 19:16: > all of those &stop lines are telling rsyslog that if it matches the filter > and > writes it to the file that it should stop processing that message. > > As a result, anything that gets written to a local file will stop > processing > before it gets down to your udp sending action > > David Lang > > On Thu, 17 Aug 2023, kathy lyons wrote: > > > Date: Thu, 17 Aug 2023 13:12:03 -0400 > > From: kathy lyons <kathy.ly...@zayo.com> > > To: David Lang <da...@lang.hm> > > Cc: kathy lyons via rsyslog <rsyslog@lists.adiscon.com> > > Subject: Re: [rsyslog] rsyslog - problem sending udp traffic > > > > Here it is: > > > > module(load="imfile") > > module(load="imuxsock") > > module(load="imklog") > > module(load="imjournal") > > > > timezone(id="UTC") > > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat > > > > $RepeatedMsgReduction on > > > > $FileOwner syslog > > $FileGroup adm > > > > global(net.enableDNS="off" workDirectory="/var/spool/rsyslog" > > maxMessageSize="128K") > > > > $IncludeConfig /etc/rsyslog.d/*.conf > > > > audit.* action(type="omfile" file="/var/log/audit/audit.log") > > & stop > > auth.warning;authpriv.info.* action(type="omfile" > > file="/var/log/auth.log") > > & stop > > auth,authpriv.none action(type="omfile" > > file="/var/log/syslog") > > & stop > > cron.info action(type="omfile" > > file="/var/log/cron.log") > > & stop > > daemon.info action(type="omfile" file="/var/log/daemon.log") > > & stop > > kern.info action(type="omfile" file="/var/log/kern.log") > > & stop > > user.info action(type="omfile" file="/var/log/user.log") > > & stop > > > > local7.* action(type="omfile" file="/var/log/boot.log") > > & stop > > > > *.* @x.x.x.x > > > > rsyslogd -N1 shows no errors. strace shows no errors. > > > > On Wed, Aug 16, 2023 at 12:15 PM David Lang <da...@lang.hm> wrote: > > > >> please post your full config. > >> > >> I would also check your firewall config (iptables/nftables) on the > system > >> to see > >> if it's blocking the connection. > >> > >> Also make sure you have a route to the destination IP (you probably > have a > >> default route that does this, but it is something we've run across) > >> > >> are you seeing any startup errors? or config errors (start rsyslog > >> manually with > >> rsyslogd -N1 > >> > >> if none of that helps, we may need to get debug info, but start with the > >> simpler > >> stuff. Normally this 'just works' so I'd guess that it's a syntax error > >> somewhere in the config. > >> > >> David Lang > >> > >> On Wed, 16 Aug 2023, kathy lyons via rsyslog wrote: > >> > >>> I hope this is the right place to ask this question. I have a basic > >>> rsyslog setup sending udp data from a Debian 11 host to a remote > server. > >>> At the bottom of my rsyslog.conf file I have: > >>> > >>> *.* @x.x.x.x > >>> > >>> Logs are being sent to /var/log/daemon.log, /var/log/syslog, etc. so I > am > >>> not worried about that. The problem is that on the device itself I do > not > >>> see any logs leaving the device. Nor do I see them at the firewall > >>> (x.x.x.x). I have used netcat to see if the remote port is open and > >>> reachable and it is. I have re-install rsyslog and restarted it. > >> Nothing > >>> seems to work. > >>> > >>> However, when I issue the logger command: > >>> > >>> logger -n x.x.x.x -P 514 -d "This is a test" > >>> > >>> I see that data. What else can I check with my rsyslog setup? Thank > >> you. > >>> _______________________________________________ > >>> rsyslog mailing list > >>> https://lists.adiscon.net/mailman/listinfo/rsyslog > >>> http://www.rsyslog.com/professional-services/ > >>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad > >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > >> DON'T LIKE THAT. > >>> > >> > > > _______________________________________________ > rsyslog mailing list > https://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
