check your iptables rules

David Lang

On Mon, 12 Apr 2021, Erik.Moritz--- via rsyslog wrote:

Date: Mon, 12 Apr 2021 11:47:16 +0000
From: Erik.Moritz--- via rsyslog <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: [rsyslog] rsyslog fails to collect FW traffic logs

Hello,

any ideas from anyone? Last try with updated config:

    # Provides UDP syslog reception
    $ModLoad imudp
    ruleset(name="remote") {
        *.* action(type="omfile" file="/app/FW_log/fw_traffic.log ")
    }
    $InputUDPServerBindRuleset remote   #Define a new input and bind it to the "remote1" rule set
    $RuleSet RSYSLOG_DefaultRuleset     #End the rule set by switching back to the default rule set
    $UDPServerRun 514

But it didn't help to gather logs from the FW.

Kind regards,
Erik

-----Original Message-----
From: rsyslog <[email protected]> On behalf of Erik.Moritz--- via rsyslog
Sent: Friday, 26 March 2021 16:30
To: [email protected]
Cc: Moritz, Erik <[email protected]>
Subject: [rsyslog] rsyslog fails to collect FW traffic logs

Hello,

maybe someone can give me the hint I need. I am trying to collect traffic logs from the FW with rsyslogd on a rhel7 system:

    rsyslog-8.24.0-57.el7_9.x86_64

Linux FW is disabled:

    # firewall-cmd --state
    not running

/etc/rsyslog.conf:

    # Provides UDP syslog reception
    $ModLoad imudp
    $RuleSet remote
    *.* /app/FW_log/fw_traffic.log
    $InputUDPServerBindRuleset remote   #Define a new input and bind it to the "remote1" rule set
    $RuleSet RSYSLOG_DefaultRuleset     #End the rule set by switching back to the default rule set
    $UDPServerRun 514

Rsyslog is listening on 514:

    netstat -tulpen | grep rsyslog
    udp    0  0 0.0.0.0:45073  0.0.0.0:*  0  204418  7730/rsyslogd
    udp    0  0 0.0.0.0:48919  0.0.0.0:*  0  204412  7730/rsyslogd
    udp    0  0 0.0.0.0:52741  0.0.0.0:*  0  204411  7730/rsyslogd
    udp    0  0 0.0.0.0:57513  0.0.0.0:*  0  204413  7730/rsyslogd
    udp    0  0 0.0.0.0:514    0.0.0.0:*  0  225843  7730/rsyslogd
    udp6   0  0 :::514         :::*       0  225844  7730/rsyslogd

Messages are being sent by the FW (160.xxx.xxx.xxx = dffmz01sysl01p, 6.xxx.xxx.xxx = FW). On the rsyslog server:

    tcpdump -i any | more
    13:24:36.640675 IP 6.xxx.xxx.xxx.9688 > 160.xxx.xxx.xxx.syslog: SYSLOG local7.notice, length: 647
    13:24:36.640675 IP 6.xxx.xxx.xxx.9688 > 160.xxx.xxx.xxx.syslog: SYSLOG local7.notice, length: 647

FW is sending logs via port 514:

    14:52:37.140824 IP 6.xxx.xxx.xxx.3353 > 160.xxx.xxx.xxx.514: SYSLOG local7.notice, length: 606
    14:52:37.140823 IP 6.xxx.xxx.xxx.15482 > 160.xxx.xxx.xxx.514: SYSLOG local7.notice, length: 647

Ncat works for localhost and from the firewall:

    [Expert@FW:0]# nc -u 160.xxx.xxx.xxx 514
    test from admin firewall

    # tail -4 fw_traffic.log
    2021-03-26T12:44:36.735062+01:00 testmessage by netcat udp
    2021-03-26T13:21:50.162778+01:00 testmessage by netcat udp
    2021-03-26T15:55:55.209019+01:00 test from admin firewall
    2021-03-26T15:57:14.529362+01:00 test from admin firewall

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
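David's pointer to iptables, as an added example that is not part of the thread or of rsyslog itself: a POSIX sh function that walks `iptables -S INPUT` output in rule order and reports the verdict a new UDP/514 packet would get, since firewalld being stopped says nothing about rules loaded by iptables-services. The two rule sets below are constructed samples (the stock RHEL 7 INPUT chain and the same chain with a syslog accept added); source addresses, non-loopback interfaces, port ranges and jumps to user-defined chains are not evaluated, which is an assumption of this checker, not of iptables.

```shell
# Verdict of the INPUT chain for the first packet of a new UDP flow to port 514
# (where imudp listens), reading `iptables -S INPUT` from stdin. Rules are
# walked in order, the first match decides, no match falls through to the
# chain policy. Simplified: -s, non-lo interfaces, port ranges and jumps to
# user-defined chains are not evaluated and count as matching.
udp514_verdict() {
  policy=ACCEPT
  while IFS= read -r line; do
    l=" $line "
    case "$l" in
      " -P INPUT "*) policy=${line##* }; continue ;;
      " -A INPUT "*) ;;
      *) continue ;;
    esac
    case "$l" in *" -i lo "*) continue ;; esac      # loopback never carries FW traffic
    case "$l" in *" -p udp "*) ;; *" -p "*) continue ;; esac
    case "$l" in *" --dport 514 "*) ;; *" --dport "*) continue ;; esac
    case "$l" in *" --dports "*)                    # multiport list must hold 514
      p=${line##*--dports }; p=${p%% *}
      case ",$p," in *",514,"*) ;; *) continue ;; esac ;;
    esac
    case "$l" in *" --state "*|*" --ctstate "*)     # first UDP packet is NEW
      s=${line##*state }; s=${s%% *}
      case ",$s," in *",NEW,"*) ;; *) continue ;; esac ;;
    esac
    case "$l" in *" -j "*) t=${line##*-j }; echo "${t%% *}"; return 0 ;; esac
  done
  echo "$policy"
}

# Constructed sample: the stock RHEL 7 iptables-services INPUT chain, whose
# final catch-all REJECT answers UDP/514 with ICMP even though rsyslog listens.
RULES_DEFAULT='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
# The fix: an explicit accept for syslog inserted ahead of the REJECT.
RULES_FIXED=$(printf '%s\n' "$RULES_DEFAULT" |
  awk '/-j REJECT/ { print "-A INPUT -p udp -m udp --dport 514 -j ACCEPT" } { print }')

# On the real host: iptables -S INPUT | udp514_verdict
printf '%s\n' "$RULES_DEFAULT" | udp514_verdict   # REJECT
printf '%s\n' "$RULES_FIXED"   | udp514_verdict   # ACCEPT
```

A REJECT verdict matches the symptom in the thread exactly: tcpdump on the server still sees the datagrams, because capture happens before netfilter drops them, while rsyslog never receives them.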

