On the receiving system, log the messages with the template RSYSLOG_DebugFormat and give us a sample message.

Note that there are other reasons why you may see a log message with tcpdump but rsyslog will not process it, including if there is not a route back to the sender, or if there are firewall rules blocking that port. It's possible that SELinux or systemd are also preventing rsyslog from accessing that port.

David Lang
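As an added illustration of the diagnostic suggested above (this is not configuration from the thread or from the rsyslog project), the following receiver-side fragment writes every received message with RSYSLOG_DebugFormat so the parsed properties the filter sees (programname, msg, fromhost, ...) become visible. It assumes rsyslog 8.x RainerScript syntax; the ruleset name "bashhist", the debug file path /var/log/rsyslog-debug.log and the explicit imudp listener are choices made for this example. Port 514 is the standard syslog port the tcpdump capture shows traffic arriving on, and 127.0.0.1:10514 is the local forwarding target from the quoted config.

```rsyslog
# Added example, not from the mailing-list thread. Assumes rsyslog 8.x.

# 1. Make sure rsyslog actually has a UDP socket bound. The default
#    rsyslog.conf quoted in this thread loads only imuxsock and imjournal;
#    tcpdump seeing a packet does not mean rsyslog received it.
module(load="imudp")
input(type="imudp" port="514" ruleset="bashhist")   # ruleset name is an assumption

# Messages on this ruleset skip the main rules in rsyslog.conf, so they
# will not also land in /var/log/messages unless you forward them there.
ruleset(name="bashhist") {

    # 2. Dump every message with all parsed properties. Compare the
    #    'programname' and 'msg' lines here against the filter below.
    action(type="omfile" file="/var/log/rsyslog-debug.log"
           template="RSYSLOG_DebugFormat")           # path is an assumption

    # 3. The filter, with explicit parentheses. RainerScript evaluates
    #    'and' before 'or', so without parentheses the 'HISTORY:' test
    #    applies only to the 'bash' branch, not to the '-bash' (login
    #    shell) branch that the captured message carries.
    if ($programname == "-bash" or $programname == "bash")
       and $msg contains "HISTORY:" then {
        action(type="omfile" file="/var/log/bash-history.log")
        action(type="omfwd" target="127.0.0.1" port="10514" protocol="udp")
        stop
    }
}
```

After reloading, `ss -ulnp` should list rsyslogd on UDP 514; if it does not, the problem is the listener (module not loaded, SELinux, or the port already taken), not the filter. Once the debug file fills, the DebugFormat dump shows exactly which property values the comparison was made against, which is usually enough to explain a non-matching filter.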

 On Mon, 25 Mar 2024, Kees de Jong via rsyslog wrote:

Date: Mon, 25 Mar 2024 10:25:23 +0000
From: Kees de Jong via rsyslog <[email protected]>
To: "[email protected]" <[email protected]>
Cc: Kees de Jong <[email protected]>
Subject: Re: [rsyslog] Bash history --> rsyslog relay --> Elastic

Hi,


I've reset the rsyslog configuration on the rsyslog server to the Red
Hat default and confirmed it with `rpmverify`; I'm running version
rsyslog-8.2102.0-7.el8_6.1.x86_64.

Then I only added the config to receive and process the Bash history
logs:

cat /etc/rsyslog.d/00-a.conf
if $programname == '-bash' or $programname == 'bash' and $msg contains
'HISTORY:' then {
   @127.0.0.1:10514
   /var/log/bash-history.log
   & stop
}

The default /etc/rsyslog.conf (without comments) is shown below:

# rg -v '^#' /etc/rsyslog.conf
module(load="imuxsock"          # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"          # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal

global(workDirectory="/var/lib/rsyslog")

module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

include(file="/etc/rsyslog.d/*.conf" mode="optional")

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

authpriv.*                                              /var/log/secure

mail.*                                                  -/var/log/maillog

cron.*                                                  /var/log/cron

*.emerg                                                 :omusrmsg:*

uucp,news.crit                                          /var/log/spooler

local7.*                                                /var/log/boot.log

As you can see, I forward the logs both to a local UDP socket and to a
local file. I also commented out one of them each time, to make sure
there is no issue with either the socket or the file setup.

When I run a `tcpdump` on the rsyslog server, I do see that the
messages are coming in from the client:

10:49:00.007063 IP (tos 0x0, ttl 64, id 30789, offset 0, flags [DF], proto UDP (17), length 98)
    x.x.x.x.50145 > y.y.y.y.syslog: SYSLOG, length: 70
        Facility user (1), Severity info (6)
        Msg: Mar 25 10:48:59 rsyslogclient -bash[398711]: HISTORY: PID=398711 UID=0 ls

However, the rsyslog server does not process these logs. The receiving
server forwards the logs to a local socket which is set up with
`netcat`; it does not show any messages. The local log file
remains empty as well. It's writable by anyone (-rw-rw-rw- 1 root root
0 Mar 25 10:52 /var/log/bash-history.log).

I've run the same setup also on a VM with Fedora with version
rsyslog-8.2310.0-1.fc39.x86_64; with that version and setup it works fine.
Could it be that there is a syntax change somewhere? Or maybe something
else is wrong here? If it could be a syntax issue, what change could I
test?

Just to summarize:
* The client is able to forward the Bash history messages through
syslog.
* The server receives these messages as well.
* However, for some reason it does not match the filter and thus
no action is taken by rsyslog to forward it to either a local socket or
a local file.



_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.