Hello,
Any ideas from anyone?
Last try with updated config:
# Provides UDP syslog reception
$ModLoad imudp
ruleset(name="remote") {
*.* action(type="omfile" file="/app/FW_log/fw_traffic.log")
}
$InputUDPServerBindRuleset remote #Define a new input and bind it to the "remote" rule set
$RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back to the default rule set
$UDPServerRun 514
But it didn't help to gather logs from the FW.
Kind regards,
Erik
-----Original Message-----
From: rsyslog <[email protected]> On behalf of Erik.Moritz--- via rsyslog
Sent: Friday, 26 March 2021 16:30
To: [email protected]
Cc: Moritz, Erik <[email protected]>
Subject: [rsyslog] rsyslog fails to collect FW traffic logs
Hello,
Maybe someone can give me the hint I need. I am trying to collect traffic logs
from the FW with rsyslogd on a RHEL 7 system:
rsyslog-8.24.0-57.el7_9.x86_64
The Linux FW is disabled:
# firewall-cmd --state
not running
/etc/rsyslog.conf:
# Provides UDP syslog reception
$ModLoad imudp
$RuleSet remote
*.* /app/FW_log/fw_traffic.log
$InputUDPServerBindRuleset remote #Define a new input and bind it to the "remote" rule set
$RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back to the default rule set
$UDPServerRun 514
Rsyslog is listening on 514:
netstat -tulpen | grep rsyslog
udp 0 0 0.0.0.0:45073 0.0.0.0:* 0 204418 7730/rsyslogd
udp 0 0 0.0.0.0:48919 0.0.0.0:* 0 204412 7730/rsyslogd
udp 0 0 0.0.0.0:52741 0.0.0.0:* 0 204411 7730/rsyslogd
udp 0 0 0.0.0.0:57513 0.0.0.0:* 0 204413 7730/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 0 225843 7730/rsyslogd
udp6 0 0 :::514 :::* 0 225844 7730/rsyslogd
Messages are being sent by the FW:
160.xxx.xxx.xxx = dffmz01sysl01p
6.xxx.xxx.xxx = FW
On the rsyslog server:
tcpdump -i any | more
13:24:36.640675 IP 6.xxx.xxx.xxx.9688 > 160.xxx.xxx.xxx.syslog: SYSLOG local7.notice, length: 647
13:24:36.640675 IP 6.xxx.xxx.xxx.9688 > 160.xxx.xxx.xxx.syslog: SYSLOG local7.notice, length: 647
FW is sending logs via port 514:
14:52:37.140824 IP 6.xxx.xxx.xxx.3353 > 160.xxx.xxx.xxx.514: SYSLOG local7.notice, length: 606
14:52:37.140823 IP 6.xxx.xxx.xxx.15482 > 160.xxx.xxx.xxx.514: SYSLOG local7.notice, length: 647
Ncat works from localhost and from the firewall:
[Expert@FW:0]# nc -u 160.xxx.xxx.xxx 514
test from admin firewall
# tail -4 fw_traffic.log
2021-03-26T12:44:36.735062+01:00 testmessage by netcat udp
2021-03-26T13:21:50.162778+01:00 testmessage by netcat udp
2021-03-26T15:55:55.209019+01:00 test from admin firewall
2021-03-26T15:57:14.529362+01:00 test from admin firewall
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is
a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our
control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
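An added example, not from this thread and not rsyslog's own code: a small Python probe that sends a properly framed RFC 3164 datagram with the same PRI the firewall in the thread uses (local7.notice) and parses the PRI header back. The point is that the `nc -u` test above sends bare text with no PRI header, so it does not exercise the same path as the firewall's real syslog frames; the collector address, hostname and tag are placeholders.

```python
import re
import socket
import time

# Facility/severity tables from RFC 3164 section 4.1.1 (facilities 13-15 abbreviated).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"\A<(\d{1,3})>(.*)\Z", re.S)


def pri(facility, severity):
    """PRI = facility * 8 + severity; the firewall's local7.notice is 23*8+5 = 189."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def build_message(facility, severity, hostname, tag, text, ts=None):
    """Build an RFC 3164 datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    if ts is None:  # RFC 3164 timestamp with a space-padded day of month ("Mar  6")
        t = time.localtime()
        ts = time.strftime("%b ", t) + f"{t.tm_mday:2d}" + time.strftime(" %H:%M:%S", t)
    return f"<{pri(facility, severity)}>{ts} {hostname} {tag}: {text}"


def parse_pri(datagram):
    """Return (facility, severity, rest), or None when there is no valid PRI header.
    Bare text such as the `nc -u` test has none; RFC 3164 tells a receiver to
    assume PRI 13 (user.notice) in that case, which is why it still gets logged."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:  # 191 = local7.debug, the largest legal PRI
        return None
    value = int(m.group(1))
    return FACILITIES[value // 8], SEVERITIES[value % 8], m.group(2)


def send_udp(datagram, host, port=514):
    """Send one datagram to the collector's UDP port; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram.encode(), (host, port))


if __name__ == "__main__":
    import sys
    # Usage: python3 syslog_probe.py <collector-ip>   (160.xxx.xxx.xxx in the thread)
    msg = build_message("local7", "notice", "fw-test", "probe", "framed test message")
    print(send_udp(msg, sys.argv[1]), "bytes sent:", msg)
```

If the framed probe shows up in fw_traffic.log but the firewall's traffic does not, the difference lies in what the firewall puts on the wire rather than in the ruleset binding.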