On Thu, 20 Mar 2014, Jeremy Hoel wrote:
Well, I've commented out the action part. It just has the imfile to read
the file and I've restarted and it's not sending any of the read dhcp
files, but it is sending the dns ones (not duplicated).
I put it back on, restart and it picks up the log and starts sending dups
again.
So very odd.
if you write those logs to a local file do you see the dups there as well?
David Lang
On Thu, Mar 20, 2014 at 5:24 PM, David Lang <da...@lang.hm> wrote:
On Thu, 20 Mar 2014, Jeremy Hoel wrote:
OK, but then the actions are two different ones based on the rsyslog-users
tags and they go to different ports. So there is one action to 10521 (for
dns) and one to 10522 (for dhcp). I've tried doing both imfile inputs in
one conf file and that didn't seem to make a difference.
I will try turning off the dhcp action when I get back, but its the same
setup on a different server with different files that is working, so I
figured the idea would be the same here.
I think you may have something in some other config file that sends the
logs as well, so when you turn it off in this one file, I think you will
still see one copy of the logs being sent.
David Lang
On Mar 19, 2014 6:16 PM, "David Lang" <da...@lang.hm> wrote:
On Thu, 20 Mar 2014, Jeremy Hoel wrote:
Also, I was on 7.6 and rolled back to 7.4.9.2 to see if it was a 7.6 bug
and it still happened. I don't have this on other servers, so It's
probably a conifg issue, but I'm not sure where to start.
It's not doing it on the dns logs, only the dhcp ones, so maybe it has
to
do with order of loading the .conf files? Just guessing.
Ok, with this information, I'll bet that if you were to comment out this
action you would still get a copy of the logs sent out.
remember that the order of the config file is not that the logs appear
where the input command is. Instead, you effectivly gather all the
inputs,
get the data from them, and then start going down through all the filters
and outputs.
David Lang
On Thu, Mar 20, 2014 at 12:06 AM, Jeremy Hoel <jth...@gmail.com> wrote:
I have rsyslog reading some bro logs, imfile gets loaded and it sends
the
logs great.
I added another .conf include file to read another (different) bro log
file and the log file is fine, one entry per line, no duplicates, but
when
I look at the tcpdump traffic going to a log collection, from the
client,
it sends the entries twice.
# cat /etc/rsyslog.d/bro_dhcp.conf
input(type="imfile" File="/usr/local/bro/logs/current/dhcp.log"
Tag="bro_dhcp"
StateFile="bro_dhcp_state"
Severity="info"
Facility="local0")
if $syslogtag == 'bro_dhcp' then {
local0.* action(type="omfwd" Protocol="tcp" target="10.10.189.102"
port="10522")
stop
}
previously we load imfile from:
# cat /etc/rsyslog.d/bro.conf
module(load="imfile" PollingInterval="10")
input(type="imfile" File="/usr/local/bro/logs/current/dns.log"
Tag="bro_dns"
StateFile="bro_dns_state"
Severity="info"
Facility="local0")
if $syslogtag == 'bro_dns' and $syslogfacility-text == 'local0' then {
local0.* action(type="omfwd" Protocol="tcp" target="10.10.189.102"
port="10521")
stop
}
Yet, with tcpdump we see the same entries get sent twice:
# tcpdump -i eth0 -nn tcp port 10522 -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535
bytes
00:03:26.363648 IP 10.10.42.35.57541 > 10.10.189.102.10522: Flags [P.],
seq 702:1051, ack 1, win 115, options [nop,nop,TS val 2249596909 ecr
1122612769], length 349
E.....@.@.....*#...f..)..^.s..8....s,......
....B..!<134>Mar 20 00:03:26 resst001 bro_dhcp 1395273800.766258
Csy7wk2HIwqlZf31Y 161.217.43.12 68 255.255.255.255 67
00:21:9b:4f:4b:0a -
- 104477797 IIAKRESDFN51625 - DHCPINFORM
<134>Mar 20 00:03:26 resst001 bro_dhcp 1395273800.767137
C6Zmm02MLNrhEQ1ghb 255.255.255.255 68 10.10.42.61 67 00:21:9b:4f:4b:0a
255.255.255.255 0.000000 104477797 - - -
00:03:26.417592 IP 10.10.189.102.10522 > 10.10.42.35.57541: Flags [.],
ack
1051, win 358, options [nop,nop,TS val 1122622778 ecr 2249596909],
length 0
E..43.@.;......f..*#).....8..^.....f.......
B..:....
00:03:26.417609 IP 10.10.42.35.57541 > 10.10.189.102.10522: Flags [P.],
seq 1051:1400, ack 1, win 115, options [nop,nop,TS val 2249596963 ecr
1122622778], length 349
@.@.....*#...f..)..^....8....s,......
.. #B..:<134>Mar 20 00:03:26 resst001 bro_dhcp 1395273800.766258
Csy7wk2HIwqlZf31Y 10.10.43.12 68 255.255.255.255 67 00:21:9b:4f:4b:0a
- -
104477797 IIAKRESDFN51625 - DHCPINFORM
<134>Mar 20 00:03:26 resst001 bro_dhcp 1395273800.767137
C6Zmm02MLNrhEQ1ghb 255.255.255.255 68 10.10.42.61 67 00:21:9b:4f:4b:0a
255.255.255.255 0.000000 104477797 - - -
00:03:26.471105 IP 10.10.189.102.10522 > 10.10.42.35.57541: Flags [.],
ack
1400, win 379, options [nop,nop,TS val 1122622832 ecr 2249596963],
length 0
E..43.@.;......f..*#).....8..^.-...{.......
B..p.. #
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
