Before leaving for the day yesterday, I set up my Ubuntu workstation as a
syslog server and set it up exactly the same (I actually copied the exact
rsyslog.conf file from the CentOS server) and the logs are flowing in
nicely. It must have something to do with the OS whether it's the version
of rsyslog or something to do with SELinux. If I can't figure it out I may
just rebuild the server with Ubuntu and be done with it. I'll have enough
work to do converting the config file from syslog-ng to rsyslog! :)

Thanks for your help.

On Wed, Oct 24, 2012 at 5:57 PM, Augie Schwer <[email protected]> wrote:

> The order of the stanzas matters, and you need to bind your rule sets
> to your listeners:
>
> http://www.rsyslog.com/storing-and-forwarding-remote-messages/
>
> I have basically the same exact thing set up and it is working fine;
> here's my config:
>
> # ######### Modules #########
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
>
> # TCP Syslog Server:
> $ModLoad imtcp
>
> # Input plugin for the RELP  protocol.
> $ModLoad imrelp
> # Output plugin for the RELP  protocol.
> $ModLoad omrelp
>
> # UDP Syslog Server:
> $ModLoad imudp
>
> # ######### Global directives #########
> # Display FQDN in logs
> $PreserveFQDN on
>
> # ######### Templates ##########
> $template RemoteHost,"/logs/rsyslog/%FROMHOST%/syslog.log"
>
> # ######### Rulesets ##########
> # Local Logging
> $RuleSet local
>
> # Don't log private authentication messages!
> *.info;mail.none;authpriv.none;cron.none                /var/log/messages
>
> # The authpriv file has restricted access.
> authpriv.*                                              /var/log/secure
>
> # Log all the mail messages in one place.
> mail.*                                                  -/var/log/maillog
>
> # Log cron stuff
> cron.*                                                  /var/log/cron
>
> # Everybody gets emergency messages
> *.emerg                                                 :omusrmsg:*
>
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit                                          /var/log/spooler
>
> # Save boot messages also to boot.log
> local7.*                                                /var/log/boot.log
>
> $DefaultRuleset local
>
> # Remote Logging
> $RuleSet remote
> *.* ?RemoteHost
>
> # ######### Listeners ##########
> # bind ruleset to tcp listener
> $InputTCPServerBindRuleset remote
> $InputTCPServerRun 514
>
> # bind ruleset to RELP listener
> $InputRELPServerBindRuleset remote
> $InputRELPServerRun 2514
>
> # bind ruleset to udp listener
> $InputUDPServerBindRuleset remote
> $UDPServerAddress *
> $UDPServerRun 514
>
>
> On Wed, Oct 24, 2012 at 3:18 PM, John Inama <[email protected]> wrote:
> > I'm having a problem configuring a central logging server with rsyslog on
> > CentOS 6.3. It's set to accept incoming logs on UDP port 514 and TCP port
> > 10514. Right now I have all logs, including local server logs, going to the
> > same log file to confirm that my templates are working. SELinux is set to
> > Permissive and I have iptables set with incoming rules for both UDP port
> > 514 and TCP port 10514.
> >
> > I have two machines currently set to send logs to the central server. One
> > is a production server running CentOS 5.7 and using syslog (not rsyslog).
> > The other is my desktop running Ubuntu 12.04.1 using rsyslog. The server is
> > using UDP and my desktop is using TCP.
> >
> > Tcpdump shows that the logs are being sent from both machines to the
> > central server, but from there the logs aren't being processed by rsyslog.
> > I've tried everything I could find on the documentation with no success.
> >
> > If anyone can help with this, let me know. I can send any config files you
> > need. Here is my rsyslog.conf file from the server:
> >
> > #### MODULES ####
> >
> > $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> > $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
> > #$ModLoad immark  # provides --MARK-- message capability
> >
> > # Provides UDP syslog reception
> > $ModLoad imudp
> > $UDPServerAddress *
> > $UDPServerRun 514
> >
> > $ModLoad imtcp
> > $InputTCPServerRun 10514
> >
> > # Include all config files in /etc/rsyslog.d/
> > $IncludeConfig /etc/rsyslog.d/*.conf
> >
> > # Templates
> >
> > $template TestFileLoc,"/logging/test/%$now%.log"
> > $template TestFileFormat,"%timestamp% %syslogfacility-text% %syslogseverity-text% %msg% \n"
> >
> > #### RULES ####
> >
> > # test to dump everything to template location
> >
> > *.* ?TestFileLoc;TestFileFormat
> >
> > # Log all kernel messages to the console.
> > # Logging much else clutters up the screen.
> > #kern.*                                                 /dev/console
> >
> > # Log anything (except mail) of level info or higher.
> > # Don't log private authentication messages!
> > *.info;mail.none;authpriv.none;cron.none                /var/log/messages
> >
> > # The authpriv file has restricted access.
> > authpriv.*                                              /var/log/secure
> >
> > # Log all the mail messages in one place.
> > mail.*                                                  -/var/log/maillog
> >
> >
> > # Log cron stuff
> > cron.*                                                  /var/log/cron
> >
> > # Everybody gets emergency messages
> > *.emerg                                                 *
> >
> > # Save news errors of level crit and higher in a special file.
> > uucp,news.crit                                          /var/log/spooler
> >
> > # Save boot messages also to boot.log
> > local7.*                                                /var/log/boot.log
> >
> > Thanks,
> > John
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
>
>
>
> --
> Augie Schwer    -    [email protected]    -    http://schwer.us
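A small check for the ordering point made in the quoted reply, as an added example that is not part of the original thread or of rsyslog itself: it walks a legacy-format rsyslog.conf top to bottom and reports which ruleset each listener ends up feeding, plus any bind directive that no listener picks up. The function name, the sample config, and the treatment of a bind as staying in effect until replaced are assumptions of this example.

```python
import re

# bind directive -> the listener ("run") directive it applies to (legacy syntax)
BIND_FOR = {
    "inputtcpserverbindruleset": "inputtcpserverrun",
    "inputudpserverbindruleset": "udpserverrun",
    "inputrelpserverbindruleset": "inputrelpserverrun",
}
RUNS = set(BIND_FOR.values())
DIRECTIVE = re.compile(r"^\$(\w+)\s+(\S+)")

def listener_rulesets(conf_text):
    """Map each listener in a legacy-format rsyslog.conf to its ruleset.

    Returns (listeners, warnings). A ruleset of None means the listener feeds
    the default ruleset. Assumption: a bind stays in effect for later listeners
    of the same input until another bind replaces it.
    """
    bound, unused = {}, {}
    listeners, warnings = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        # Drop trailing comments, then look for "$Directive argument".
        m = DIRECTIVE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name in BIND_FOR:
            run = BIND_FOR[name]
            bound[run] = arg
            unused[run] = lineno      # not yet picked up by a listener
        elif name in RUNS:
            unused.pop(name, None)    # the pending bind is now in use
            listeners.append((name, arg, bound.get(name)))
    for run, lineno in sorted(unused.items()):
        warnings.append(f"line {lineno}: bind is not followed by ${run}; no listener uses it")
    return listeners, warnings

# Constructed sample: the listener lines from the original post, with a bind
# added below the TCP listener to show the ordering problem.
MISORDERED = """\
$ModLoad imudp
$UDPServerAddress *
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 10514
$RuleSet remote
$InputTCPServerBindRuleset remote
"""

if __name__ == "__main__":
    for item in listener_rulesets(MISORDERED):
        print(item)
```

With the sample above, both listeners resolve to the default ruleset, so remote and local messages share the same rules; moving each bind above its listener, as in the quoted config, changes the result to `remote`.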