Quick question:

Have you posted your config files (or a simplified test case that can reproduce 
the problem) somewhere? Others could take a look and compare against their own 
setup to see if the problem can be better spotted that way.

-----Original Message-----
From: rsyslog <[email protected]> On Behalf Of Eric Blomquist 
via rsyslog
Sent: Sunday, July 5, 2020 2:42 PM
To: 'Rainer Gerhards' <[email protected]>; 'rsyslog-users' 
<[email protected]>
Cc: Eric Blomquist <[email protected]>
Subject: Re: [rsyslog] imkmsg absent from 8.2006; How to get imuxsock to read 
kernel messages?

Thanks for responding.

Yes, of course.  imklog was the first thing I tried, and it has been configured 
to load throughout this process.

In fact, I experimented with a great number of alternative configurations 
before I thought to try substituting imkmsg for imklog, only to discover that 
imkmsg was/is missing.

No matter what we do, no rule in an imuxsock ruleset (even *.*) reads iptables 
log messages.

We know the messages exist, both from running dmesg and because standalone 
rules (outside an imuxsock ruleset) read the messages.

I experimented with all varieties of syntax, filter, filter text, operator, and 
property.  None had any effect.  I experimented with imuxsock listeners on all 
obvious sockets, and all failed.

I also experimented with both means of interfacing with systemd-journald (i.e., 
configuring journald.conf with the "ForwardToSyslog=yes" directive, and via 
imjournal), with no effect.

All that seems to be left (besides giving imkmsg a try) is something to do with 
the imuxsock module and how it handles kernel messages, and we can't figure it 
out.

Having ruleset capability for iptables messages would be a big help, and this 
seems to depend on imuxsock.

Thoughts?

-ERB


-----Original Message-----
From: Rainer Gerhards [mailto:[email protected]] 
Sent: Sunday, July 05, 2020 2:01 AM
To: rsyslog-users
Cc: Eric Blomquist
Subject: Re: [rsyslog] imkmsg absent from 8.2006; How to get imuxsock to read 
kernel messages?

Did you have a look at imklog? That's the original module for kernel
messages. I admit I do not remember why exactly imkmsg was
contributed.

Rainer

On Fri, Jul 3, 2020 at 20:10, Eric Blomquist via rsyslog
(<[email protected]>) wrote:
>
> Does anyone have any idea how to get imuxsock to read kernel messages?
>
>
>
> We have been having trouble getting any rule in an imuxsock ruleset to read
> kernel messages, in particular those from iptables.  Without this, ruleset
> functionality is not available.
>
>
>
> Possibly, the difficulty is that imkmsg is absent on our systems and from
> the latest rsyslog package available from the Adiscon repository (8.2006.0).
> No obvious means exists to obtain or install this module.  Does anyone have
> this module installed?
>
>
>
> imklog permits a standalone rule (i.e., outside an imuxsock ruleset) to
> capture kernel messages, so at least they're not lost, but again, no ruleset
> functionality is available.
>
>
>
> We have attempted any number of configurations spanning rsyslog.conf,
> journald.conf, and sysctl.conf, including creating listeners specifically
> for /dev/kmsg, /proc/kmsg, /dev/log, and /run/systemd/journal/syslog, all
> without success.
>
>
>
> Many thanks for any suggestions.
>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> LIKE THAT.
