One very odd thing I ran into with a central server on a complicated network is that if you don't have a route to the source of the traffic, you can see the traffic with tcpdump, but the networking stack will never send it to rsyslog.

The only other time I have ever seen traffic that could be seen via tcpdump but not by rsyslog (on the same machine) was when I was replaying logs via tcpreplay and I didn't have tcpreplay fix the checksums in the packets.

So, to confirm:

1. Do you see the logs via tcpdump on the central server?

2. Can you ping the originating server from your central server?

David Lang
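Both silent-drop causes David describes (no route back to the sender, so the reverse-path filter discards the packet, and bad UDP checksums in replayed traffic) show up only as kernel counters, never in tcpdump. The script below is an added example, not from the thread: it diffs two snapshots of /proc/net/snmp and /proc/net/netstat taken around a burst of syslog traffic and names the cause. It assumes the counter names of recent Linux kernels (a counter a kernel lacks, such as InCsumErrors on the CentOS 6 kernel in the thread, is treated as zero); the snapshot text is constructed.

```python
"""Added example: diff kernel UDP/IP counters to tell the silent-drop
cases apart. Packets dropped by the reverse-path filter (no route back
to the sender) or for a bad UDP checksum are visible to tcpdump but
never reach rsyslog's socket. Counter names assume a recent kernel."""


def parse_proc_counters(text):
    """Parse the 'Name: keys' / 'Name: values' line pairs used by
    /proc/net/snmp and /proc/net/netstat into {table: {key: int}}."""
    tables = {}
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for header, values in zip(lines[0::2], lines[1::2]):
        name, keys = header.split(":", 1)
        vals = values.split(":", 1)[1]
        tables[name] = dict(zip(keys.split(), map(int, vals.split())))
    return tables


def delta(before, after, table, key):
    """Growth of one counter between snapshots; 0 if the kernel lacks it."""
    return after.get(table, {}).get(key, 0) - before.get(table, {}).get(key, 0)


def diagnose(before, after):
    """Name every drop cause whose counter grew while traffic was sent."""
    findings = []
    if delta(before, after, "TcpExt", "IPReversePathFilter") > 0:
        findings.append("rp_filter")     # no route back: rp_filter discards
    if delta(before, after, "Udp", "InCsumErrors") > 0:
        findings.append("udp_checksum")  # replayed packets with bad checksums
    if delta(before, after, "Udp", "NoPorts") > 0:
        findings.append("no_listener")   # nothing bound to the UDP port
    if not findings and delta(before, after, "Udp", "InDatagrams") > 0:
        findings.append("delivered")     # the kernel did hand them to a socket
    return findings


# Constructed snapshots (a subset of the real columns) taken around a
# burst of syslog traffic on a host with no route back to the sender.
SNAP_BEFORE = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors
Udp: 1200 3 0 980 0 0 0
TcpExt: SyncookiesSent IPReversePathFilter
TcpExt: 0 17
"""
SNAP_AFTER = SNAP_BEFORE.replace("TcpExt: 0 17", "TcpExt: 0 52")

if __name__ == "__main__":
    print(diagnose(parse_proc_counters(SNAP_BEFORE), parse_proc_counters(SNAP_AFTER)))
```

On a live host, feed `parse_proc_counters` the concatenated contents of /proc/net/snmp and /proc/net/netstat before and after the sender emits a few test messages.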


On Wed, 24 Oct 2012, John Inama wrote:

I'm having a problem configuring a central logging server with rsyslog on
CentOS 6.3. It's set to accept incoming logs on UDP port 514 and TCP port
10514. Right now I have all logs, including local server logs, going to the
same log file to confirm that my templates are working. SELinux is set to
Permissive and I have iptables set with incoming rules for both UDP port
514 and TCP port 10514.

I have two machines currently set to send logs to the central server. One
is a production server running CentOS 5.7 and using syslog (not rsyslog).
The other is my desktop running Ubuntu 12.04.1 using rsyslog. The server is
using UDP and my desktop is using TCP.

Tcpdump shows that the logs are being sent from both machines to the
central server, but from there the logs aren't being processed by rsyslog.
I've tried everything I could find on the documentation with no success.

If anyone can help with this, let me know. I can send any config files you
need. Here is my rsyslog.conf file from the server:

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerAddress *
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 10514

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Templates

$template TestFileLoc,"/logging/test/%$now%.log"
$template TestFileFormat,"%timestamp% %syslogfacility-text% %syslogseverity-text% %msg% \n"

#### RULES ####

# test to dump everything to template location

*.* ?TestFileLoc;TestFileFormat

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

Thanks,
John
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
