Snare does support TCP logging, just not in the free version. http://www.snarealliance.com/snare-enterprise-agent-features
On Thu, Jun 5, 2014 at 7:05 PM, David Lang <[email protected]> wrote: > Snare is sending the logs via UDP, if nothing is listening, UDP gets > dropped. > > Now, if rsyslog was unable to write the logs, there are things that could > be done to make rsyslog queue more of them for writing later. Or you can > setup rsyslog on a highly available pair of machines so that when it goes > down on one machine, the other machine can take over so that you only loose > a small amount of logs. > > Snare doesn't support logging over TCP (which still doesn't prevent you > from loosing logs in all cases, but does eliminate it for some common cases. > > David Lang > > > On Thu, 5 Jun 2014, Muhammad Asif wrote: > > Hi Everyone! >> >> I have installed snare (open source free version ) in windows 2008 Server. >> I configured snare to send logs to rsyslog and rsyslog is writing logs in >> a >> file for testing. Windows server is very busy server. Problem is that >> rsyslog stop receiving logs from snare for couple of minutes some time one >> hour. When we restart rsyslog service it start receiving logs. Logs of >> windows server generated in that time are missed from rsyslog. Please >> guide >> me in this issue. >> >> ------------------------------------------------------------ >> ----------------------------------------------------------------- >> # rsyslog configuration file >> # note that most of this config file uses old-style format, >> # because it is well-known AND quite suitable for simple cases >> # like we have with the default config. For more advanced >> # things, RainerScript configuration is suggested. >> >> # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html >> # If you experience problems, see >> http://www.rsyslog.com/doc/troubleshoot.html >> >> #### MODULES #### >> >> module(load="imuxsock") # provides support for local system logging (e.g. >> via logger command) >> module(load="imklog") # provides kernel logging support (previously done >> by rklogd) >> #module(load"immark") # provides --MARK-- message capability >> >> # Provides UDP syslog reception >> # for parameters see http://www.rsyslog.com/doc/imudp.html >> module(load="imudp") # needs to be done just once >> input(type="imudp" port="514") >> >> >> if ($fromhost-ip == '172.20.8.3') then /var/log/ciit_dc.log >> & ~ >> >> >> # Provides TCP syslog reception >> # for parameters see http://www.rsyslog.com/doc/imtcp.html >> module(load="imtcp") # needs to be done just once >> input(type="imtcp" port="514") >> >> $template msgonly,"%rawmsg%\n" >> #*.* @@127.0.0.1:520;msgonly >> module(load="omrelp") >> action(type="omrelp" target="127.0.0.1" port="520") >> >> >> module(load="impstats" interval="1800" severity="7" >> resetCounters="on" >> log.syslog="off" >> log.file="/var/log/stats.log") >> >> >> #### GLOBAL DIRECTIVES #### >> >> # Use default timestamp format >> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat >> >> # File syncing capability is disabled by default. This feature is usually >> not required, >> # not useful and an extreme performance hit >> #$ActionFileEnableSync on >> >> # Include all config files in /etc/rsyslog.d/ >> $IncludeConfig /etc/rsyslog.d/*.conf >> >> >> #### RULES #### >> >> # Log all kernel messages to the console. >> # Logging much else clutters up the screen. >> #kern.* /dev/console >> >> # Log anything (except mail) of level info or higher. >> # Don't log private authentication messages! >> *.info;mail.none;authpriv.none;cron.none /var/log/messages >> >> # The authpriv file has restricted access. >> authpriv.* /var/log/secure >> >> # Log all the mail messages in one place. >> mail.* /var/log/maillog >> >> >> # Log cron stuff >> cron.* /var/log/cron >> >> # Everybody gets emergency messages >> *.emerg :omusrmsg:* >> >> # Save news errors of level crit and higher in a special file. >> uucp,news.crit /var/log/spooler >> >> # Save boot messages also to boot.log >> local7.* /var/log/boot.log >> >> >> # ### begin forwarding rule ### >> # The statement between the begin ... end define a SINGLE forwarding >> # rule. They belong together, do NOT split them. If you create multiple >> # forwarding rules, duplicate the whole block! >> # Remote Logging (we use TCP for reliable delivery) >> # >> # An on-disk queue is created for this action. If the remote host is >> # down, messages are spooled to disk and sent when it is up again. >> #$WorkDirectory /var/lib/rsyslog # where to place spool files >> #$ActionQueueFileName fwdRule1 # unique name prefix for spool files >> #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) >> #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown >> #$ActionQueueType LinkedList # run asynchronously >> #$ActionResumeRetryCount -1 # infinite retries if host is down >> # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional >> #*.* @@remote-host:514 >> # ### end of the forwarding rule ### >> ------------------------------------------------------------ >> ------------------------------------------------------------- >> Regards >> M.Asif >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> DON'T LIKE THAT. >> >> _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
