Yes, I can see the logs via tcpdump and I can ping the originating server
from the central server. I think it may have something to do with SELinux,
even though it's in permissive mode. I may try to disable it and reboot to
see if that fixes the issue.

On Wed, Oct 24, 2012 at 5:47 PM, <[email protected]> wrote:

> One very odd thing I ran into with a central server on a complicated
> network is that if you don't have a route to the source of the traffic, you
> can see the traffic with tcpdump, but the networking stack will never send
> it to rsyslog.
>
> The only other time I have ever seen where traffic could be seen via
> tcpdump, but not by rsyslog (on the same machine) was where I was replaying
> logs via tcpreplay and I didn't have tcpreplay fix the checksums in the
> packets.
>
> So, to confirm:
>
> 1. Do you see the logs via tcpdump on the central server?
>
> 2. Can you ping the originating server from your central server?
>
> David Lang
>
>
>
> On Wed, 24 Oct 2012, John Inama wrote:
>
>> I'm having a problem configuring a central logging server with rsyslog on
>> CentOS 6.3. It's set to accept incoming logs on UDP port 514 and TCP port
>> 10514. Right now I have all logs, including local server logs, going to the
>> same log file to confirm that my templates are working. SELinux is set to
>> Permissive and I have iptables set with incoming rules for both UDP port
>> 514 and TCP port 10514.
>>
>> I have two machines currently set to send logs to the central server. One
>> is a production server running CentOS 5.7 and using syslog (not rsyslog).
>> The other is my desktop running Ubuntu 12.04.1 using rsyslog. The server is
>> using UDP and my desktop is using TCP.
>>
>> Tcpdump shows that the logs are being sent from both machines to the
>> central server, but from there the logs aren't being processed by rsyslog.
>> I've tried everything I could find in the documentation with no success.
>>
>> If anyone can help with this, let me know. I can send any config files you
>> need. Here is my rsyslog.conf file from the server:
>>
>> #### MODULES ####
>>
>> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
>> $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
>> #$ModLoad immark  # provides --MARK-- message capability
>>
>> # Provides UDP syslog reception
>> $ModLoad imudp
>> $UDPServerAddress *
>> $UDPServerRun 514
>>
>> $ModLoad imtcp
>> $InputTCPServerRun 10514
>>
>> # Include all config files in /etc/rsyslog.d/
>> $IncludeConfig /etc/rsyslog.d/*.conf
>>
>> # Templates
>>
>> $template TestFileLoc,"/logging/test/%$now%.log"
>> $template TestFileFormat,"%timestamp% %syslogfacility-text% %syslogseverity-text% %msg%\n"
>>
>> #### RULES ####
>>
>> # test to dump everything to template location
>>
>> *.* ?TestFileLoc;TestFileFormat
>>
>> # Log all kernel messages to the console.
>> # Logging much else clutters up the screen.
>> #kern.*                                                 /dev/console
>>
>> # Log anything (except mail) of level info or higher.
>> # Don't log private authentication messages!
>> *.info;mail.none;authpriv.none;cron.none                /var/log/messages
>>
>> # The authpriv file has restricted access.
>> authpriv.*                                              /var/log/secure
>>
>> # Log all the mail messages in one place.
>> mail.*                                                  -/var/log/maillog
>>
>>
>> # Log cron stuff
>> cron.*                                                  /var/log/cron
>>
>> # Everybody gets emergency messages
>> *.emerg                                                 *
>>
>> # Save news errors of level crit and higher in a special file.
>> uucp,news.crit                                          /var/log/spooler
>>
>> # Save boot messages also to boot.log
>> local7.*                                                /var/log/boot.log
>>
>> Thanks,
>> John
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
>>
>
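The two checks David Lang asks for in the thread above (is the packet visible to tcpdump, and does the kernel actually hand it to the listener) can be separated at the socket level. tcpdump taps the interface before the networking stack decides whether to deliver a datagram, so a packet with a bad UDP checksum, or one for which no socket is bound, shows up in the capture and still never reaches rsyslog. The script below is an added example written for this page; it is not from the thread and not rsyslog code. It binds a plain UDP socket the way imudp does, sends a constructed RFC 3164 message to it over loopback, decodes the PRI the way the poster's `%syslogfacility-text%`/`%syslogseverity-text%` template does, and reads the kernel's UDP counters from `/proc/net/snmp` (the sample excerpt is constructed; the `NoPorts` and `InCsumErrors` counters are the ones that explain "seen by tcpdump, not by the daemon"). The facility names for codes 12-15 are assumed and differ between implementations; the loopback port and test message are assumptions too. The missing-reverse-route case from the thread is a routing check (`ip route get <source>`) and is not covered here.

```python
"""Socket-level check of syslog UDP delivery (added example, not rsyslog code)."""
import re
import socket

# Names used for %syslogfacility-text% / %syslogseverity-text%. Codes 0-11 and
# 16-23 are the standard syslog names; 12-15 are assumed for this example.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 framing: "<PRI>" followed by the rest of the line; PRI = facility*8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed test message: PRI 38 = auth (4) * 8 + info (6).
SAMPLE_MESSAGE = "<38>Oct 24 17:47:00 web01 sshd[4242]: Accepted publickey for jinama"

# Constructed /proc/net/snmp excerpt. NoPorts counts datagrams that arrived with
# nothing bound to the port; InCsumErrors counts datagrams rejected for a bad checksum.
SAMPLE_SNMP = """\
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 100
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 12345 10 3 456 0 0 2 0
"""


def parse_pri(message):
    """Split a syslog line into (facility_text, severity_text, rest); None if malformed."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], m.group(2)


def loopback_delivery_test(message=SAMPLE_MESSAGE, timeout=2.0):
    """Bind a UDP socket on an ephemeral loopback port, send `message` to it and
    return the decoded message if the kernel delivered it, or None on timeout.

    To reproduce the thread's setup, stop rsyslog and bind ("0.0.0.0", 514)
    instead, then send from the remote host (needs root or CAP_NET_BIND_SERVICE).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        tx.sendto(message.encode("utf-8"), ("127.0.0.1", port))
        try:
            data, _ = rx.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_pri(data.decode("utf-8", errors="replace"))


def parse_udp_counters(snmp_text):
    """Turn the two 'Udp:' lines of /proc/net/snmp into a {name: value} dict."""
    udp_lines = [ln for ln in snmp_text.splitlines() if ln.startswith("Udp:")]
    if len(udp_lines) < 2:
        return {}
    names = udp_lines[0].split()[1:]
    values = [int(v) for v in udp_lines[1].split()[1:]]
    return dict(zip(names, values))


def udp_drop_reasons(snmp_text):
    """Name the counters that explain a datagram seen by tcpdump but not delivered."""
    c = parse_udp_counters(snmp_text)
    reasons = []
    if c.get("NoPorts", 0):
        reasons.append("NoPorts: nothing was bound to the destination port")
    if c.get("InCsumErrors", 0):
        reasons.append("InCsumErrors: bad UDP checksum (e.g. unfixed tcpreplay)")
    if c.get("RcvbufErrors", 0):
        reasons.append("RcvbufErrors: the listener's receive buffer overflowed")
    return reasons


if __name__ == "__main__":
    print("loopback delivery:", loopback_delivery_test())
    print("sample counters:", parse_udp_counters(SAMPLE_SNMP))
    for reason in udp_drop_reasons(SAMPLE_SNMP):
        print("-", reason)
    try:  # live counters, Linux only; compare two readings while the sender is active
        with open("/proc/net/snmp") as fh:
            print("live counters:", parse_udp_counters(fh.read()))
    except OSError:
        pass
```

On the real central server, take two readings of the live counters a few seconds apart while the CentOS 5.7 box is sending: a rising `NoPorts` means nothing is bound to 514 when the packets arrive, a rising `InCsumErrors` means the checksum case from the thread, and a rising `InDatagrams` with no `NoPorts` growth means the kernel is delivering and the problem is inside rsyslog's configuration rather than the network path.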
