That works - thanks! The only thing it does not do is forward the logs we have configured in /etc/rsyslog.d. Is that correct or is there potentially a different issue? We put the stops in there because the audit logs were appearing in /var/log/syslog.
On Fri, Aug 18, 2023 at 3:18 AM Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:

> Move the forwarding rule to the top, that should solve your issue.
>
> Rainer
>
> Sent from phone, thus brief.
>
> David Lang via rsyslog <rsyslog@lists.adiscon.com> wrote on Thu, 17 Aug 2023, 19:16:
>
>> all of those &stop lines are telling rsyslog that if it matches the filter and
>> writes it to the file that it should stop processing that message.
>>
>> As a result, anything that gets written to a local file will stop processing
>> before it gets down to your udp sending action
>>
>> David Lang
>>
>> On Thu, 17 Aug 2023, kathy lyons wrote:
>>
>> > Date: Thu, 17 Aug 2023 13:12:03 -0400
>> > From: kathy lyons <kathy.ly...@zayo.com>
>> > To: David Lang <da...@lang.hm>
>> > Cc: kathy lyons via rsyslog <rsyslog@lists.adiscon.com>
>> > Subject: Re: [rsyslog] rsyslog - problem sending udp traffic
>> >
>> > Here it is:
>> >
>> > module(load="imfile")
>> > module(load="imuxsock")
>> > module(load="imklog")
>> > module(load="imjournal")
>> >
>> > timezone(id="UTC")
>> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>> >
>> > $RepeatedMsgReduction on
>> >
>> > $FileOwner syslog
>> > $FileGroup adm
>> >
>> > global(net.enableDNS="off" workDirectory="/var/spool/rsyslog"
>> > maxMessageSize="128K")
>> >
>> > $IncludeConfig /etc/rsyslog.d/*.conf
>> >
>> > audit.* action(type="omfile" file="/var/log/audit/audit.log")
>> > & stop
>> > auth.warning;authpriv.info.* action(type="omfile" file="/var/log/auth.log")
>> > & stop
>> > auth,authpriv.none action(type="omfile" file="/var/log/syslog")
>> > & stop
>> > cron.info action(type="omfile" file="/var/log/cron.log")
>> > & stop
>> > daemon.info action(type="omfile" file="/var/log/daemon.log")
>> > & stop
>> > kern.info action(type="omfile" file="/var/log/kern.log")
>> > & stop
>> > user.info action(type="omfile" file="/var/log/user.log")
>> > & stop
>> >
>> > local7.* action(type="omfile" file="/var/log/boot.log")
>> > & stop
>> >
>> > *.* @x.x.x.x
>> >
>> > rsyslogd -N1 shows no errors. strace shows no errors.
>> >
>> > On Wed, Aug 16, 2023 at 12:15 PM David Lang <da...@lang.hm> wrote:
>> >
>> >> please post your full config.
>> >>
>> >> I would also check your firewall config (iptables/nftables) on the system to see
>> >> if it's blocking the connection.
>> >>
>> >> Also make sure you have a route to the destination IP (you probably have a
>> >> default route that does this, but it is something we've run across)
>> >>
>> >> are you seeing any startup errors? or config errors (start rsyslog manually with
>> >> rsyslogd -N1)
>> >>
>> >> if none of that helps, we may need to get debug info, but start with the simpler
>> >> stuff. Normally this 'just works' so I'd guess that it's a syntax error
>> >> somewhere in the config.
>> >>
>> >> David Lang
>> >>
>> >> On Wed, 16 Aug 2023, kathy lyons via rsyslog wrote:
>> >>
>> >>> I hope this is the right place to ask this question. I have a basic
>> >>> rsyslog setup sending udp data from a Debian 11 host to a remote server.
>> >>> At the bottom of my rsyslog.conf file I have:
>> >>>
>> >>> *.* @x.x.x.x
>> >>>
>> >>> Logs are being sent to /var/log/daemon.log, /var/log/syslog, etc. so I am
>> >>> not worried about that. The problem is that on the device itself I do not
>> >>> see any logs leaving the device. Nor do I see them at the firewall
>> >>> (x.x.x.x). I have used netcat to see if the remote port is open and
>> >>> reachable and it is. I have re-installed rsyslog and restarted it. Nothing
>> >>> seems to work.
>> >>>
>> >>> However, when I issue the logger command:
>> >>>
>> >>> logger -n x.x.x.x -P 514 -d "This is a test"
>> >>>
>> >>> I see that data. What else can I check with my rsyslog setup? Thank you.
>> >>> _______________________________________________
>> >>> rsyslog mailing list
>> >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>> >>> http://www.rsyslog.com/professional-services/
>> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> >>> DON'T LIKE THAT.
>> >>>
>> >>
>> >
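
The reordering suggested in the thread, as an added example that is not part of the original messages: the forwarding rule sits above both the local file rules and the `$IncludeConfig` line, so no `& stop` in rsyslog.conf or in an included file runs before it. It assumes the files under /etc/rsyslog.d contain their own stop statements and that their inputs use the default ruleset; only a subset of the thread's file rules is repeated.

```rsyslog
# Added example: rule order only. x.x.x.x is the redacted destination from
# the thread. The module(...), global(...) and $-directive lines stay above
# this point as posted.

# 1. Forward first. Rules run top to bottom for every message, so an action
#    placed here sees the message before any later "& stop" ends processing.
#    A single @ means UDP.
*.* @x.x.x.x

# 2. Included files are expanded at this position. Their rules, and any stop
#    inside them, now run after the forwarding action above.
#    (Assumption: the rsyslog.d files contain stops and their inputs are
#    bound to the default ruleset.)
$IncludeConfig /etc/rsyslog.d/*.conf

# 3. Local file rules from the thread, unchanged. Each "& stop" still keeps
#    the message out of the rules below it, for example audit records out of
#    /var/log/syslog.
audit.*      action(type="omfile" file="/var/log/audit/audit.log")
& stop
daemon.info  action(type="omfile" file="/var/log/daemon.log")
& stop
kern.info    action(type="omfile" file="/var/log/kern.log")
& stop
```

After editing, `rsyslogd -N1`, the check already used in the thread, validates the syntax before rsyslog is restarted.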