I can't tell you how many times I find that problems that initially seem
so complex end up boiling down to simple network connectivity problems.
I'm glad it was that simple.
David Lang
On Thu, 25 Oct 2012, John Inama wrote:
I think you may have given me the solution. When I try to telnet into my
desktop syslog server from the remote machine, I get a connection refused
error (because I don't have telnet set up), but when I try to telnet to the
actual central server from the remote machine, I get a "no route to host"
error. I have a call into my company's network people so hopefully that's
the issue.
On Wed, Oct 24, 2012 at 5:47 PM, <[email protected]> wrote:
One very odd thing I ran into with a central server on a complicated
network is that if you don't have a route to the source of the traffic, you
can see the traffic with tcpdump, but the networking stack will never send
it to rsyslog.
The only other time I have ever seen where traffic could be seen via
tcpdump, but not by rsyslog (on the same machine) was where I was replaying
logs via tcpreplay and I didn't have tcpreplay fix the checksums in the
packets.
So, to confirm:
1. Do you see the logs via tcpdump on the central server?
2. Can you ping the originating server from your central server?
David Lang
On Wed, 24 Oct 2012, John Inama wrote:
I'm having a problem configuring a central logging server with rsyslog on
CentOS 6.3. It's set to accept incoming logs on UDP port 514 and TCP port
10514. Right now I have all logs, including local server logs, going to the
same log file to confirm that my templates are working. SELinux is set to
Permissive and I have iptables set with incoming rules for both UDP port
514 and TCP port 10514.
I have two machines currently set to send logs to the central server. One
is a production server running CentOS 5.7 and using syslog (not rsyslog).
The other is my desktop running Ubuntu 12.04.1 using rsyslog. The server is
using UDP and my desktop is using TCP.
Tcpdump shows that the logs are being sent from both machines to the
central server, but from there the logs aren't being processed by rsyslog.
I've tried everything I could find on the documentation with no success.
If anyone can help with this, let me know. I can send any config files you
need. Here is my rsyslog.conf file from the server:
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerAddress *
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 10514
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Templates
$template TestFileLoc,"/logging/test/%$now%.log"
$template TestFileFormat,"%timestamp% %syslogfacility-text% %syslogseverity-text% %msg% \n"
#### RULES ####
# test to dump everything to template location
*.* ?TestFileLoc;TestFileFormat
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
Thanks,
John
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
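Added example, not part of the thread or of rsyslog itself: a small Python script that runs David's two checks from the sending side. It builds a BSD-syslog line the way a client would (the PRI is facility*8 + severity, which is what rsyslog turns into %syslogfacility-text% and %syslogseverity-text%), sends it over TCP with the newline framing imtcp expects or as a UDP datagram for imudp, and turns the socket error into the diagnosis John ended up with: "connection refused" means the host is reachable and the port simply has no listener, "no route to host" means the problem is routing or firewalling and rsyslog never gets a chance. CENTRAL_HOST is a placeholder; the ports are the ones in John's rsyslog.conf. The loopback listener and free_port helper are only there to let the framing and the refused case be exercised offline.

```python
# Added example (not from the thread): reproduce the two checks that resolved
# this case from the sending host. CENTRAL_HOST is a placeholder assumption;
# UDP_PORT/TCP_PORT are the ports from the thread's rsyslog.conf.
import errno
import socket
import threading

CENTRAL_HOST = "central.example"   # placeholder for the central server
UDP_PORT = 514                      # $UDPServerRun 514
TCP_PORT = 10514                    # $InputTCPServerRun 10514

NO_ROUTE_ERRNOS = (errno.EHOSTUNREACH, errno.ENETUNREACH)


def pri(facility: int, severity: int) -> int:
    """RFC 3164 PRI value: facility * 8 + severity (user.notice -> 13)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23, severity 0..7")
    return facility * 8 + severity


def build_message(facility, severity, hostname, tag, msg, timestamp):
    """Build a BSD-syslog line of the kind imudp/imtcp parse into
    %timestamp%, %syslogfacility-text%, %syslogseverity-text% and %msg%."""
    return f"<{pri(facility, severity)}>{timestamp} {hostname} {tag}: {msg}"


def classify_error(err) -> str:
    """Map a failed connect()/send() errno onto the thread's diagnosis."""
    if err == errno.ECONNREFUSED:
        return "reachable, but nothing is listening on that port"
    if err in NO_ROUTE_ERRNOS:
        return "no route to host: a routing/firewall problem, not an rsyslog one"
    if err == errno.ETIMEDOUT:
        return "timed out: packets are most likely being dropped in transit"
    return f"other socket error: {errno.errorcode.get(err, err)}"


def send_tcp(host, port, line, timeout=3.0):
    """Send one newline-terminated message over TCP (imtcp framing).
    Returns (True, 'sent') or (False, diagnosis)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(line.encode() + b"\n")
        return True, "sent"
    except socket.timeout:
        return False, classify_error(errno.ETIMEDOUT)
    except OSError as e:
        return False, classify_error(e.errno)


def send_udp(host, port, line):
    """Send one datagram (imudp). A successful sendto() proves nothing about
    delivery, since UDP has no handshake; that is why tcpdump on the receiver
    and a ping back to the sender are the checks that matter for UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))


def free_port():
    """Pick a loopback port with no listener (to demonstrate 'refused')."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def capture_one_tcp_message(line):
    """Start a throwaway loopback listener, send `line` to it with send_tcp
    and return (ok, diagnosis, bytes_received) so the framing can be checked."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def serve():
        conn, _ = srv.accept()
        with conn:
            data = b""
            while chunk := conn.recv(4096):
                data += chunk
            received.append(data)

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    ok, diag = send_tcp("127.0.0.1", port, line)
    t.join(timeout=5)
    srv.close()
    return ok, diag, received[0] if received else b""


if __name__ == "__main__":
    line = build_message(1, 5, "desktop", "rsyslogtest", "hello", "Oct 24 17:47:00")
    print(line)                                      # <13>Oct 24 17:47:00 desktop rsyslogtest: hello
    print(send_tcp("127.0.0.1", free_port(), line))  # (False, 'reachable, but nothing is listening on that port')
    print(send_tcp(CENTRAL_HOST, TCP_PORT, line))    # run this one from the remote machine against the real server
```

Run it from the machine that is failing to ship logs: a "reachable, but nothing is listening" result points at the listener or iptables on the central server, a "no route to host" result points at the network team, and only once TCP delivery works and tcpdump on the central server shows the UDP datagrams is it worth looking at templates and rules in rsyslog.conf.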