You should move the forwarding rule really to the top, above the include statement. Thus I really meant top because it solves all such rule dependency issues (I am not a fan of splitting configs, it unnecessarily complicates things, at least in almost all cases) 😉.
Rainer

kathy lyons <kathy.ly...@zayo.com> wrote on Mon, 21 Aug 2023, 13:07:

> That works - thanks! The only thing it does not do is forward the logs we
> have configured in /etc/rsyslog.d. Is that correct or is there potentially
> a different issue? We put the stops in there because the audit logs were
> appearing in /var/log/syslog.
>
> On Fri, Aug 18, 2023 at 3:18 AM Rainer Gerhards <rgerha...@hq.adiscon.com>
> wrote:
>
>> Move the forwarding rule to the top, that should solve your issue.
>>
>> Rainer
>>
>> Sent from phone, thus brief.
>>
>> David Lang via rsyslog <rsyslog@lists.adiscon.com> wrote on Thu, 17 Aug 2023, 19:16:
>>
>>> all of those &stop lines are telling rsyslog that if it matches the filter and
>>> writes it to the file that it should stop processing that message.
>>>
>>> As a result, anything that gets written to a local file will stop processing
>>> before it gets down to your udp sending action
>>>
>>> David Lang
>>>
>>> On Thu, 17 Aug 2023, kathy lyons wrote:
>>>
>>> > Date: Thu, 17 Aug 2023 13:12:03 -0400
>>> > From: kathy lyons <kathy.ly...@zayo.com>
>>> > To: David Lang <da...@lang.hm>
>>> > Cc: kathy lyons via rsyslog <rsyslog@lists.adiscon.com>
>>> > Subject: Re: [rsyslog] rsyslog - problem sending udp traffic
>>> >
>>> > Here it is:
>>> >
>>> > module(load="imfile")
>>> > module(load="imuxsock")
>>> > module(load="imklog")
>>> > module(load="imjournal")
>>> >
>>> > timezone(id="UTC")
>>> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>> >
>>> > $RepeatedMsgReduction on
>>> >
>>> > $FileOwner syslog
>>> > $FileGroup adm
>>> >
>>> > global(net.enableDNS="off" workDirectory="/var/spool/rsyslog" maxMessageSize="128K")
>>> >
>>> > $IncludeConfig /etc/rsyslog.d/*.conf
>>> >
>>> > audit.* action(type="omfile" file="/var/log/audit/audit.log")
>>> > & stop
>>> > auth.warning;authpriv.info.* action(type="omfile" file="/var/log/auth.log")
>>> > & stop
>>> > auth,authpriv.none action(type="omfile" file="/var/log/syslog")
>>> > & stop
>>> > cron.info action(type="omfile" file="/var/log/cron.log")
>>> > & stop
>>> > daemon.info action(type="omfile" file="/var/log/daemon.log")
>>> > & stop
>>> > kern.info action(type="omfile" file="/var/log/kern.log")
>>> > & stop
>>> > user.info action(type="omfile" file="/var/log/user.log")
>>> > & stop
>>> >
>>> > local7.* action(type="omfile" file="/var/log/boot.log")
>>> > & stop
>>> >
>>> > *.* @x.x.x.x
>>> >
>>> > rsyslogd -N1 shows no errors. strace shows no errors.
>>> >
>>> > On Wed, Aug 16, 2023 at 12:15 PM David Lang <da...@lang.hm> wrote:
>>> >
>>> >> please post your full config.
>>> >>
>>> >> I would also check your firewall config (iptables/nftables) on the system
>>> >> to see if it's blocking the connection.
>>> >>
>>> >> Also make sure you have a route to the destination IP (you probably have a
>>> >> default route that does this, but it is something we've run across)
>>> >>
>>> >> are you seeing any startup errors? or config errors (start rsyslog
>>> >> manually with rsyslogd -N1)
>>> >>
>>> >> if none of that helps, we may need to get debug info, but start with the
>>> >> simpler stuff. Normally this 'just works' so I'd guess that it's a syntax
>>> >> error somewhere in the config.
>>> >>
>>> >> David Lang
>>> >>
>>> >> On Wed, 16 Aug 2023, kathy lyons via rsyslog wrote:
>>> >>
>>> >>> I hope this is the right place to ask this question. I have a basic
>>> >>> rsyslog setup sending udp data from a Debian 11 host to a remote server.
>>> >>> At the bottom of my rsyslog.conf file I have:
>>> >>>
>>> >>> *.* @x.x.x.x
>>> >>>
>>> >>> Logs are being sent to /var/log/daemon.log, /var/log/syslog, etc. so I am
>>> >>> not worried about that. The problem is that on the device itself I do not
>>> >>> see any logs leaving the device. Nor do I see them at the firewall
>>> >>> (x.x.x.x). I have used netcat to see if the remote port is open and
>>> >>> reachable and it is. I have re-installed rsyslog and restarted it. Nothing
>>> >>> seems to work.
>>> >>>
>>> >>> However, when I issue the logger command:
>>> >>>
>>> >>> logger -n x.x.x.x -P 514 -d "This is a test"
>>> >>>
>>> >>> I see that data. What else can I check with my rsyslog setup? Thank you.
>>> >>> _______________________________________________
>>> >>> rsyslog mailing list
>>> >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>> >>> http://www.rsyslog.com/professional-services/
>>> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> >>> DON'T LIKE THAT.
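
The rule order discussed in this thread, written out as an added example (not taken from any of the posts): the forwarding rule sits above both the include statement and the local file rules, so no `stop` can run before it. `x.x.x.x` is the redacted address from the thread; only two of the posted local rules are repeated, and placing the forward after the `module()` lines is an assumption of this example.

```conf
# /etc/rsyslog.conf: rule order only (added example, layout constructed
# from the config quoted in the thread; x.x.x.x is the thread's placeholder)

# Module loading and global settings stay as in the posted config.
module(load="imuxsock")
module(load="imklog")

# 1. Forward before anything that can end processing. A single "@" is UDP.
#    There is no "& stop" after this rule, so each message continues on to
#    the rules below once it has been handed to the forwarding action.
*.* @x.x.x.x

# 2. Drop-in files are read in place, at this point in the rule order.
#    A "stop" inside /etc/rsyslog.d/*.conf now runs after the forward,
#    so it can only suppress the local rules that follow it.
$IncludeConfig /etc/rsyslog.d/*.conf

# 3. Local file rules. "& stop" ends processing of a matching message once
#    it has been written, which is why a forward placed below these rules
#    never saw those messages.
daemon.info action(type="omfile" file="/var/log/daemon.log")
& stop
kern.info action(type="omfile" file="/var/log/kern.log")
& stop
```

`rsyslogd -N1` checks the syntax after the edit. To test the forwarding path itself, call `logger` without `-n`, since `logger -n x.x.x.x` sends straight to the remote host and bypasses the local rsyslog rules.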