Was removed when I tested it

Best regards,
Grzegorz Zalewski
IT Security Specialist

From: Rainer Gerhards <rgerha...@hq.adiscon.com>
Sent: Friday, May 27, 2022 7:57 AM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Grzegorz Zalewski <grzegorz.zalew...@inteco.pl>
Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????

It's commented out... Remove hash marks.

Sent from phone, thus brief.

Grzegorz Zalewski via rsyslog <rsyslog@lists.adiscon.com> wrote on Fri, 27 May 2022, 07:45:

I put it on top of my /etc/rsyslog.d/my.conf file.

When I put

#$DebugFile /var/log/rsyslog.debug
#$DebugLevel 2

on top of rsyslogd.conf, nothing happens.
No new logs in debug file ☹

-----Original Message-----
From: Rainer Gerhards <rgerha...@hq.adiscon.com>
Sent: Thursday, May 26, 2022 6:33 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Grzegorz Zalewski <grzegorz.zalew...@inteco.pl>
Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????

Did you use the regular method right at the top of rsyslog.conf? I ask because only the shutdown can be seen, not the startup.

Rainer

On Thu, 26 May 2022 at 13:21, Grzegorz Zalewski via rsyslog (<rsyslog@lists.adiscon.com>) wrote:
>
> Debug log:
>
> -----Original Message-----
> From: Rainer Gerhards <rgerha...@hq.adiscon.com>
> Sent: Thursday, May 26, 2022 12:54 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Grzegorz Zalewski <grzegorz.zalew...@inteco.pl>
> Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
>
> can you do a debug log on the server side, make sure TLS is enabled and run rsyslog through the startup phase? I would assume that we see useful information.
>
> quick doc:
> https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html
>
> Rainer
>
> On Thu, 26 May 2022 at 8:18, Grzegorz Zalewski via rsyslog (<rsyslog@lists.adiscon.com>) wrote:
> >
> > Hi
> >
> > When I turn off TLS it works fine :/
> >
> > I don't see any errors in the server logs
> >
> > -----Original Message-----
> > From: Rainer Gerhards <rgerha...@hq.adiscon.com>
> > Sent: Wednesday, May 25, 2022 6:39 PM
> > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > Cc: Grzegorz Zalewski <grzegorz.zalew...@inteco.pl>
> > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> >
> > This looks like the server is not using TLS. Any rsyslog error messages in the server log?
> >
> > Rainer
> >
> > On Wed, 25 May 2022 at 15:02, Grzegorz Zalewski via rsyslog (<rsyslog@lists.adiscon.com>) wrote:
> > >
> > > Hi
> > > My version of rsyslogd on log server:
> > > rsyslogd 8.2106.0 (aka 2021.06) compiled with:
> > >     PLATFORM: x86_64-suse-linux-gnu
> > >     PLATFORM (lsb_release -d):
> > >     FEATURE_REGEXP: Yes
> > >     GSSAPI Kerberos 5 support: Yes
> > >     FEATURE_DEBUG (debug build, slow code): No
> > >     32bit Atomic operations supported: Yes
> > >     64bit Atomic operations supported: Yes
> > >     memory allocator: system default
> > >     Runtime Instrumentation (slow code): No
> > >     uuid support: Yes
> > >     systemd support: Yes
> > >     Config file: /etc/rsyslog.conf
> > >     PID file: /var/run/rsyslogd.pid
> > >     Number of Bits in RainerScript integers: 64
> > >
> > > # ######### Receiving Messages from Remote Hosts ##########.
> > > ########### Encrypting Syslog Traffic with TLS ##########
> > > # -- TLS Syslog Server:.
> > > ## make gtls driver the default
> > > $DefaultNetstreamDriver gtls
> > > #
> > > ## certificate files
> > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_server.pem
> > > $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/server.pem
> > > $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/server.pem
> > >
> > > $ModLoad imtcp # load TCP listener
> > > #
> > > $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
> > > #$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
> > > $InputTCPServerStreamDriverAuthMode x509/name
> > > $InputTCPServerStreamDriverPermittedPeer *.domain.com
> > > $InputTCPServerRun 514 # start up listener at port 10514
> > > #
> > > #$EscapeControlCharactersOnReceive off
> > > #$Escape8BitCharactersOnReceive off
> > >
> > > $template RemoteServer, "/var/log/%HOSTNAME%/%SYSLOGFACILITY-TEXT%.log"
> > > *.* ?RemoteServer
> > >
> > > Client conf:
> > > # certificate files - just CA for a client
> > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_client.pem
> > >
> > > # set up the action
> > > $DefaultNetstreamDriver gtls # use gtls netstream driver
> > > $ActionSendStreamDriverMode 1 # require TLS for the connection
> > > $ActionSendStreamDriverAuthMode x509/name
> > >
> > > #$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
> > >
> > > # Only send log to SERVER.EXAMPLE.COM host
> > > $ActionSendStreamDriverPermittedPeer server.domain.com
> > > *.* @@(o) server.domain.com:514 # send (all) messages
> > >
> > > What I have in the log on the server:
> > > 2022-05-25T14:44:32.782021+02:00 client.domain.com #010#005#005#003#010#010#006#001#010#013#010#006#006#003#002#001#002#003#000#026#000#000#000#027#000#000#000##000#000.#001#000#001#000#000#000#000#034#000#032#000#000#027server.domain.coml#000#034#000#002@
> > > 2022-05-25T14:44:32.887714+02:00 client.domain.com #026#003#001#000.#001#000#000.#003#003·...愜#030J#026#004..#037)#021n.#030..#021..rw..F..#000#0002.,̩...
> > > 2022-05-25T14:44:32.887714+02:00 client.domain.com .+...#011.0̨.#024./.#023#000...#0005#000...#000/#000...#0009#000...#0003#001#000#000.#000#005#000#005#001#000#000#000#000
> > > 2022-05-25T14:44:32.887714+02:00 client.domain.com #000#026#000#024#000#027#000#030#000#031#000#035#000#036#001#000#001#001#001#002#001#003#001#004#000#013#000#002#001#000#000#015#000"#000#004#001#010#011#010#004#004#003#010#007#005#001#010
> > >
> > > Before 15 May it was working fine.
> > > I don't have any idea what is wrong
> > >
> > > _______________________________________________
> > > rsyslog mailing list
> > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
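The server log lines quoted in the original post start with `#026#003#001`, which is how rsyslog's control-character escaping renders the bytes 0x16 0x03 0x01, the header of a TLS handshake record, when a listener reads the connection as plain syslog text. As an added example (not part of the thread and not rsyslog code), this Python sketch decodes the `#NNN` escapes and flags such lines per sending host; the sample lines, the host name and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# rsyslog writes a received control byte as '#' plus three octal digits
# (its default escape prefix), so "#026#003#001" is 0x16 0x03 0x01.
ESCAPE = re.compile(r"#([0-3][0-7]{2})")

TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}

# Constructed sample lines in the "timestamp host message" layout seen in
# the thread; they are not copied from it and the host name is made up.
SAMPLE_LINES = [
    "2022-05-25T14:44:32.887714+02:00 client.example.test "
    "#026#003#001#000.#001#000#000*#003#003abc",
    "2022-05-25T14:44:32.887714+02:00 client.example.test "
    "#000#026#000#024#000#027#000#030#000#031",
    "2022-05-25T14:45:01.000000+02:00 client.example.test "
    "sshd[812]: Accepted publickey for admin",
]


def unescape(msg: str) -> bytes:
    """Turn rsyslog '#NNN' octal escapes back into raw bytes.

    A literal '#' followed by three octal digits in a genuine text message
    cannot be told apart from an escape, so the result is a heuristic.
    """
    out = bytearray()
    pos = 0
    for m in ESCAPE.finditer(msg):
        out += msg[pos:m.start()].encode("utf-8", "replace")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += msg[pos:].encode("utf-8", "replace")
    return bytes(out)


def classify(line: str) -> dict:
    """Label one stored log line as text, binary fragment or TLS ClientHello."""
    parts = line.rstrip("\n").split(" ", 2)
    if len(parts) < 3:
        return {"host": None, "kind": "unparsed"}
    _timestamp, host, msg = parts
    raw = unescape(msg)
    result = {"host": host, "kind": "text"}

    # TLS record header: content type 22 (handshake), version 3.x, two
    # length bytes; the handshake message then starts with type 1
    # (ClientHello).
    if (len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 3
            and raw[2] <= 4 and raw[5] == 1):
        result["kind"] = "tls_client_hello"
        result["record_version"] = TLS_VERSIONS[(raw[1], raw[2])]
        if len(raw) >= 11:
            # Version field inside the ClientHello; TLS 1.3 clients also
            # send 3.3 here and negotiate 1.3 through an extension.
            result["hello_version"] = TLS_VERSIONS.get(
                (raw[9], raw[10]), "unknown")
        return result

    # The listener splits the handshake into several "messages", so later
    # pieces lack the header; a high share of escaped bytes marks them.
    escapes = len(ESCAPE.findall(msg))
    if raw and escapes / len(raw) >= 0.3:
        result["kind"] = "binary_fragment"
    return result


def hosts_sending_tls_to_plaintext(lines) -> dict:
    """Map each host to the number of ClientHello records stored as text."""
    counts = defaultdict(int)
    for line in lines:
        info = classify(line)
        if info["kind"] == "tls_client_hello":
            counts[info["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(classify(sample))
    print(hosts_sending_tls_to_plaintext(SAMPLE_LINES))
```

A host reported by `hosts_sending_tls_to_plaintext` is negotiating TLS while the receiving listener reads plain TCP, so the listener's TLS stream driver settings are not in effect and that host's real log messages are not being stored.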