Please write the logs with the template RSYSLOG_DebugFormat so we can see exactly what is arriving on the system.

Also, can you log on the client as well so we can see what it thinks it is sending?

David Lang

On Wed, 25 May 2022, Grzegorz Zalewski via rsyslog wrote:

Date: Wed, 25 May 2022 13:02:47 +0000
From: Grzegorz Zalewski via rsyslog <rsyslog@lists.adiscon.com>
To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
Cc: Grzegorz Zalewski <grzegorz.zalew...@inteco.pl>
Subject: [rsyslog] Rsyslog bad external log encoding ??????

Hi
My version of rsyslogd on the log server:
rsyslogd  8.2106.0 (aka 2021.06) compiled with:
       PLATFORM:                               x86_64-suse-linux-gnu
       PLATFORM (lsb_release -d):
       FEATURE_REGEXP:                         Yes
       GSSAPI Kerberos 5 support:              Yes
       FEATURE_DEBUG (debug build, slow code): No
       32bit Atomic operations supported:      Yes
       64bit Atomic operations supported:      Yes
       memory allocator:                       system default
       Runtime Instrumentation (slow code):    No
       uuid support:                           Yes
       systemd support:                        Yes
       Config file:                            /etc/rsyslog.conf
       PID file:                               /var/run/rsyslogd.pid
       Number of Bits in RainerScript integers: 64

# ######### Receiving Messages from Remote Hosts ##########.
########### Encrypting Syslog Traffic with TLS ##########
# -- TLS Syslog Server:.
## make gtls driver the default
$DefaultNetstreamDriver gtls
#
## certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_server.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/server.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/server.pem

$ModLoad imtcp # load TCP listener
#
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
#$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.domain.com
$InputTCPServerRun 514 # start up listener at port 514
#
#$EscapeControlCharactersOnReceive off
#$Escape8BitCharactersOnReceive off

$template RemoteServer, "/var/log/%HOSTNAME%/%SYSLOGFACILITY-TEXT%.log"
*.* ?RemoteServer

Client conf:
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_client.pem

# set up the action
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name

#$ActionSendStreamDriverAuthMode anon # server is NOT authenticated

# Only send log to SERVER.EXAMPLE.COM host
$ActionSendStreamDriverPermittedPeer server.domain.com
*.* @@(o) server.domain.com:514 # send (all) messages

What I have in the log on the server:
2022-05-25T14:44:32.782021+02:00 client.domain.com 
#010#005#005#003#010#010#006#001#010#013#010#006#006#003#002#001#002#003#000#026#000#000#000#027#000#000#000##000#000.#001#000#001#000#000#000#000#034#000#032#000#000#027server.
domain.coml#000#034#000#002@
2022-05-25T14:44:32.887714+02:00 client.domain.com 
#026#003#001#000.#001#000#000.#003#003·...愜#030J#026#004..#037)#021n.#030..#021..rw..F..#000#0002.,̩...
2022-05-25T14:44:32.887714+02:00 client.domain.com 
.+...#011.0̨.#024./.#023#000...#0005#000...#000/#000...#0009#000...#0003#001#000#000.#000#005#000#005#001#000#000#000#000
2022-05-25T14:44:32.887714+02:00 client.domain.com 
#000#026#000#024#000#027#000#030#000#031#000#035#000#036#001#000#001#001#001#002#001#003#001#004#000#013#000#002#001#000#000#015#000"#000
 #004#001#010#011#010#004#004#003#010#007#00
5#001#010

Before 15 May it was working fine.
I don’t have any idea what is wrong.

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
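
An added example, not part of the thread or of rsyslog itself: rsyslog's default control-character escaping writes each control byte as `#` plus three octal digits, so a logged payload like the ones quoted above can be turned back into bytes and checked for a TLS record header at the start of the message. The first sample line reuses the opening bytes of one quoted message; the second line and all function names are constructed for illustration.

```python
import re

# rsyslog default escaping of control characters: '#' + three octal digits.
_ESC = re.compile(r"#([0-3][0-7]{2})")

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate"}

def unescape(msg: str) -> bytes:
    """Turn '#ooo' escapes back into raw bytes; other text is kept as UTF-8."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(msg):
        out += msg[pos:m.start()].encode("utf-8")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += msg[pos:].encode("utf-8")
    return bytes(out)

def classify(msg: str):
    """Describe a TLS record header at the start of msg, or return None."""
    raw = unescape(msg)
    # Record header: content type, major version 3, minor version 0..4.
    # Bytes the log rendered as '.' are lossy, so lengths are not validated.
    if len(raw) < 5 or raw[0] not in TLS_CONTENT_TYPES or raw[1] != 3 or raw[2] > 4:
        return None
    info = {"record": TLS_CONTENT_TYPES[raw[0]], "record_version": f"3.{raw[2]}"}
    if raw[0] == 22 and len(raw) > 5:
        info["handshake"] = HANDSHAKE_TYPES.get(raw[5], f"type {raw[5]}")
    return info

def scan(lines):
    """Return (line_number, info) for messages that begin with a TLS record."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 2)  # timestamp, hostname, message
        info = classify(parts[2]) if len(parts) == 3 else None
        if info:
            hits.append((n, info))
    return hits

SAMPLE = [
    # opening bytes of a message quoted in the thread
    "2022-05-25T14:44:32.887714+02:00 client.domain.com #026#003#001#000.#001#000#000.#003#003",
    # constructed ordinary syslog line
    "2022-05-25T14:44:33.000000+02:00 client.domain.com cron[811]: job started",
]

if __name__ == "__main__":
    for n, info in scan(SAMPLE):
        print(f"line {n}: message payload starts with a TLS record: {info}")
```

A hit means the receiver stored handshake bytes as message text, that is, the payload was not decrypted before it was parsed as syslog.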