Hi David,
SELinux is disabled on all hosts. Other logs do get through from remote hosts and are stored on a local disk. In this test setup I only enabled the config for Bash history. I did this to exclude any configuration that might intercept or drop the Bash history logs. But when I include the other configs again, they log just fine locally. So I think we can exclude systemd or a firewall in that case. Also, when I use netcat, I can send messages over those ports and see them with tcpdump.

> on the receiving system, log the messages with the template RSYSLOG_DebugFormat and give us a sample message.

What exactly do you mean by this? Could you please elaborate on that? At the moment no messages are logged for the Bash history. How can I use this template to enhance the debugging?

Thanks!

-- 
Kees de Jong | Supercomputing | https://www.surf.nl/en/about-surf
OpenPGP fingerprint: 0x0E45C98AB51428E6

On Mon, 2024-03-25 at 04:16 -0700, David Lang wrote:
> on the receiving system, log the messages with the template
> RSYSLOG_DebugFormat and give us a sample message.
>
> note that there are other reasons why you may see a log message with
> tcpdump but rsyslog will not process it, including if there is not a
> route back to the sender, or if there are firewall rules blocking that
> port. It's possible that SELinux or systemd are also preventing rsyslog
> from accessing that port.
>
> David Lang
>
> On Mon, 25 Mar 2024, Kees de Jong via rsyslog wrote:
>
> > Date: Mon, 25 Mar 2024 10:25:23 +0000
> > From: Kees de Jong via rsyslog <rsyslog@lists.adiscon.com>
> > To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
> > Cc: Kees de Jong <kees.dej...@surf.nl>
> > Subject: Re: [rsyslog] Bash history --> rsyslog relay --> Elastic
> >
> > Hi,
> >
> > I've reset the rsyslog configuration on the rsyslog server to the Red
> > Hat default and confirmed it with `rpmverify`. I'm running version
> > rsyslog-8.2102.0-7.el8_6.1.x86_64.
> >
> > Then I only added the config to receive and process the Bash history
> > logs:
> >
> > cat /etc/rsyslog.d/00-a.conf
> > if $programname == '-bash' or $programname == 'bash' and $msg contains
> > 'HISTORY:' then {
> >     @127.0.0.1:10514
> >     /var/log/bash-history.log
> >     & stop
> > }
> >
> > The default /etc/rsyslog.conf (without comments) is shown below:
> >
> > # rg -v '^#' /etc/rsyslog.conf
> > 2:
> > 6:
> > 8:
> > 9:module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
> > 10:    SysSock.Use="off") # Turn off message reception via local log socket;
> > 11:                       # local messages are retrieved through imjournal now.
> > 12:module(load="imjournal" # provides access to the systemd journal
> > 13:    StateFile="imjournal.state") # File to store the position in the journal
> > 16:
> > 21:
> > 26:
> > 28:
> > 30:global(workDirectory="/var/lib/rsyslog")
> > 31:
> > 33:module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
> > 34:
> > 36:include(file="/etc/rsyslog.d/*.conf" mode="optional")
> > 37:
> > 39:
> > 43:
> > 46:*.info;mail.none;authpriv.none;cron.none    /var/log/messages
> > 47:
> > 49:authpriv.*                                  /var/log/secure
> > 50:
> > 52:mail.*                                      -/var/log/maillog
> > 53:
> > 54:
> > 56:cron.*                                      /var/log/cron
> > 57:
> > 59:*.emerg                                     :omusrmsg:*
> > 60:
> > 62:uucp,news.crit                              /var/log/spooler
> > 63:
> > 65:local7.*                                    /var/log/boot.log
> > 66:
> > 67:
> >
> > As you can see, I both forward the logs to a local UDP socket and a
> > local file. I also commented out one of them each time, to make sure
> > there is no issue with either the socket or file setup.
> >
> > When I run a `tcpdump` on the rsyslog server, I do see that the
> > messages are coming in from the client:
> >
> > 10:49:00.007063 IP (tos 0x0, ttl 64, id 30789, offset 0, flags [DF], proto UDP (17), length 98)
> >     x.x.x.x.50145 > y.y.y.y.syslog: SYSLOG, length: 70
> >     Facility user (1), Severity info (6)
> >     Msg: Mar 25 10:48:59 rsyslogclient -bash[398711]: HISTORY: PID=398711 UID=0 ls
> >
> > However, the rsyslog server does not process these logs. The receiving
> > server forwards the logs to a local socket which is set up with
> > `netcat`; it does not show any output of messages. The local log file
> > remains empty as well. It's writable by anyone (-rw-rw-rw- 1 root root
> > 0 Mar 25 10:52 /var/log/bash-history.log).
> >
> > I've run the same setup also on a VM with Fedora with version
> > rsyslog-8.2310.0-1.fc39.x86_64; with that version and setup it works
> > fine. Could it be that there is a syntax change somewhere? Or maybe
> > something else is wrong here? If it could be a syntax issue, what
> > change could I test?
> >
> > Just to summarize:
> > * The client is able to forward the Bash history messages through
> >   syslog.
> > * The server receives these messages as well.
> > * However, for some reason it does not match with the filter and thus
> >   no action is taken by rsyslog to forward it to either a local socket
> >   or a local file.
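The following rsyslog configuration is an added example, not part of the thread and not written by either poster, showing one way to apply David's suggestion: dump every parsed property of the incoming Bash history messages with the built-in RSYSLOG_DebugFormat template so the values of `programname`, `tag` and `msg` can be compared with the literals in the filter in 00-a.conf. The file name /etc/rsyslog.d/00-0-debug.conf and the output path /var/log/rsyslog-debug.log are assumptions. The `rsyslog.conf` output quoted above loads only imuxsock and imjournal; a receiver also needs a network input, so the example includes an imudp input that should be left out if another file already loads it.

```rsyslog
# Added example (not from the thread). Assumed path: /etc/rsyslog.d/00-0-debug.conf,
# which sorts before 00-a.conf so it is evaluated first.

# The default rsyslog.conf quoted in the thread loads only imuxsock and imjournal.
# Without a network input the packets seen by tcpdump never reach rsyslog.
# Keep this block only if no other file in /etc/rsyslog.d already loads imudp.
module(load="imudp")
input(type="imudp" port="514")

# RSYSLOG_DebugFormat is a built-in template that prints every parsed property
# of a message (rawmsg, hostname, tag, programname, msg, facility, severity, ...).
# Match on the raw text so the dump is written regardless of how the tag was
# parsed, then continue normal processing so 00-a.conf still sees the message.
if $rawmsg contains 'HISTORY:' then {
    action(type="omfile"
           file="/var/log/rsyslog-debug.log"   # assumed path
           template="RSYSLOG_DebugFormat")
}
```

After `rsyslogd -N1` confirms the configuration parses and the service is restarted, send one `ls` from the client and read the dump: the `programname` and `tag` lines show exactly what the filter in 00-a.conf is comparing against `'-bash'` and `'bash'`. If the dump stays empty while tcpdump still shows the packet, the message is not entering rsyslog at all, which points at the input side (no listening input module, or something preventing rsyslog from binding the port) rather than at the filter syntax.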
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST if you DON'T LIKE THAT.