Re: [rsyslog] Help: compiled rsyslog 5.8.10 from source, no network logging?

2013-01-24 Thread David Lang

On Thu, 24 Jan 2013, Forrest Aldrich wrote:

For various reasons, we have a few central syslog servers that are based on 
CentOS 6.3, which ships with rsyslog 5.8.x. Our other systems, based on 
CentOS 5.x, have an older version 3 available. It was decided that I would 
compile the lot and test it out first.


I've been able to compile it just fine, but for some bizarre reason that I'm 
unable to figure out, rsyslog will not log over the network, but only 
locally.


The compile flags:

Code:
  ./configure --prefix=/usr/local --enable-gnutls --disable-testbench \
    --enable-imfile --enable-impstats --enable-imptcp --enable-mail \
    --enable-omprog --enable-omuxsock --enable-pmlastmsg \
    --enable-unlimited-select



I grabbed these flags from the *.SPEC file of a RHEL SRPM and customized it. 
There's a lot we don't need.


I read the manpage, there doesn't appear to be a special flag to set other 
than -c 5 to allow for that. The configuration syntax for this is correct:


Code:
  local2.*  /var/log/mapper/mapper.log
  local2.*  @@internalhost.ourdomain.com


The log goes to file no problem, but is not sent to the internalhost -- I 
tested this otherwise, this works with the stock, supplied RPM on CentOS 6 
(no config changes).


The devs want to keep the same version around the systems, which I can 
appreciate. I installed the RPM for 5.10 which created the need for a 
configuration change (I can't remember, but it had to do with using *). So 
for now, I would like to solve this little problem.


It's possible we will just roll our own under /usr/local and keep it all 
standard -- I would probably go with the latest/greatest version, provided it 
didn't create more configuration issues for what the devs are doing.


I'm stumped as to what the issue could be. Anyone have any ideas?


First off, a note that 5.8 is rather old; if you are going to be compiling your 
own anyway, consider going to a 6.x or 7.x version.




As for your problem, I would start with network troubleshooting 101:

Can you ping the destination?

What happens if you try and telnet to that destination on port 514?

Does rsyslog log any errors (locally)?

Does rsyslog say anything if you start it in debug mode?

What does a tcpdump show is happening on the network?

David Lang
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
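
The reachability step of the troubleshooting list above, as an added example that is not part of the original thread: it extracts the forwarding targets from legacy-syntax rsyslog rules and probes the TCP ones. The function names and the loghost.example rule are constructed for illustration; it assumes the action is the last whitespace-separated field and does not handle bracketed IPv6 literals.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample: the two rules from the post plus one UDP rule.
sample_config() {
    cat <<'EOF'
# constructed sample configuration
local2.*  /var/log/mapper/mapper.log
local2.*  @@internalhost.ourdomain.com
*.*       @loghost.example:10514
EOF
}

# Read legacy-syntax rsyslog rules on stdin and print "proto host port" for
# each forwarding action: "@@host" is TCP, "@host" is UDP, default port 514.
forward_targets() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            action = $NF                     # assumption: action is the last field
            if (action !~ /^@/) next         # file or other non-forwarding action
            proto = "udp"
            if (sub(/^@@/, "", action)) { proto = "tcp" } else { sub(/^@/, "", action) }
            sub(/^\([^)]*\)/, "", action)    # drop options such as (z9)
            sub(/;.*$/, "", action)          # drop a trailing ;template
            port = 514
            if (split(action, p, ":") == 2) { action = p[1]; port = p[2] }
            print proto, action, port
        }'
}

# Return 0 if a TCP connection to host $1 port $2 succeeds within 3 seconds.
tcp_open() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Probe every target found in the rules on stdin and report one line each.
check_forwarding() {
    forward_targets | while read -r proto host port; do
        if [ "$proto" != tcp ]; then
            echo "SKIP    $host:$port/udp (connectionless; confirm with tcpdump)"
        elif tcp_open "$host" "$port"; then
            echo "OK      $host:$port/tcp accepts connections"
        else
            echo "BLOCKED $host:$port/tcp (check iptables on sender and receiver)"
        fi
    done
}

# With a config path, probe its targets; otherwise list the sample targets.
if [ "$#" -gt 0 ]; then check_forwarding < "$1"; else sample_config | forward_targets; fi
```

Run it on the sending host with the path to the rsyslog configuration as its only argument; a BLOCKED line for a target that is known to be up points at filtering in between, as turned out to be the case later in this thread.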


Re: [rsyslog] Help: compiled rsyslog 5.8.10 from source, no network logging?

2013-01-24 Thread David Lang

On Thu, 24 Jan 2013, Forrest Aldrich wrote:

I am embarrassed to admit that, at some point during my production work, some 
nincompoop enabled iptables on the rsyslog server -- and that it only 
occurred to me to check that this afternoon.   I am pretty mad, but it won't 
happen again - I have puppet to keep that in check now :-)


Such things happen more frequently than you would think. That's why I suggested 
network troubleshooting 101 :-)


On a slightly related question, would the stock version of rsyslog3 suffice 
for sending TCP messages to a rsyslog-5.x server?  I would think so...


Yes, it will. Later versions allow gathering significantly more (and more 
reliable) information, as well as dealing with structured logs so that you can 
add metadata (like what app, business unit, etc) without it getting mixed up 
with the log data.


David Lang