Mariusz Kruk wrote:
1. Do those logs end up _somewhere_ (some default destination)?
If you can find them anywhere, log them with the template RSYSLOG_DebugFormat so
you can see how they are parsed; usually the problem is that they aren't being
parsed as you expect them to be.
2. Are you sure that rsyslog actually gets those events? (tcpdump can still
show UDP packets on the wire even if they are filtered out by the local firewall
(or rp_filter, assuming you're running Linux).)
One thing that can happen if you don't have a default route is that the IP stack
can throw away UDP packets where you don't have a route to the source IP.
David Lang
3. I'm not familiar with the question mark syntax, but you have
"firepower_systemevents" there. Even assuming it should be a name of the
template, you have your template defined as "systemevents".
On 6.08.2024 10:53, Gundlapally, Navanitha via rsyslog wrote:
Hi Team,
I've been using rsyslog extensively for our daily operations, but today I
ran into an issue where the rsyslog template is not getting applied to logs
from specific devices. I verified that logs are received from these devices
using tcpdump, and I created a basic template to store logs coming from the
specified IP addresses. However, it still isn't working.
I enabled debug logging to check for any errors, but there was nothing
relevant in the debug file, likely because rsyslog isn't able to read those
logs. Can you help me understand what's going wrong?
My template -
$template systemevents,"/var/syslog/rsyslog/Systemevents/%fromhost-ip%/messages_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log"
if ($fromhost-ip startswith '1.10.5.2' or $fromhost startswith 'Cxxxxxx1'
or $msg contains 'Cxxxxxxx1') then ?firepower_systemevents
Regards
Navanitha Gundlapally | Team Manager | BISG Security Monitoring |
Broadridge Financial Solutions (India) Private Limited
Adjacent to Cyber Towers, Hi-Tec City, Madhapur | Hyderabad 500081
Telangana | India | m +91 +918790032574
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
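Putting the three points above together, here is a self-consistent rsyslog.conf fragment. It is an added example, not text from Mariusz, David or the rsyslog project: it assumes the device address 1.10.5.2 and the output path from Navanitha's post, that rsyslog receives on UDP/514, and a debug file path (/var/log/rsyslog-debug.log) chosen for this example only.

```rsyslog
# Added example, not from the thread. Assumptions: device at 1.10.5.2,
# rsyslog listening on UDP/514, debug file path picked for this example.

# Point 2: rsyslog only sees the packets if an input is bound to the port
# they arrive on. Check with `ss -ulnp` that rsyslogd owns UDP 514.
module(load="imudp")
input(type="imudp" port="514")

# Point 3: define the template ONCE under one name, and reference exactly
# that name in the action. The original post defined "systemevents" but
# referenced "firepower_systemevents", so no action ever matched.
template(name="systemevents" type="string"
         string="/var/syslog/rsyslog/Systemevents/%fromhost-ip%/messages_%$YEAR%-%$MONTH%-%$DAY%-%$HOUR%.log")

# Point 1: while troubleshooting, write every message from the device with
# RSYSLOG_DebugFormat. That shows each parsed property on its own line
# (fromhost-ip, hostname, programname, msg, ...), so you can see which
# property actually holds the value your filter is testing for.
if $fromhost-ip == '1.10.5.2' then {
    action(type="omfile" file="/var/log/rsyslog-debug.log"
           template="RSYSLOG_DebugFormat")
}

# The real routing rule. Note the properties mean different things:
#   $fromhost-ip  the UDP source address of the packet
#   $fromhost     the (reverse-DNS resolved) name of that sender
#   $hostname     the HOSTNAME field inside the message itself
#   $msg          the free text after the tag
# An exact match on the IP is preferable to `startswith '1.10.5.2'`, which
# would also match 1.10.5.20 through 1.10.5.29.
if $fromhost-ip == '1.10.5.2' then {
    action(type="omfile" dynaFile="systemevents")
    stop
}
```

Once the debug file shows the messages with the expected fromhost-ip, the debug action can be removed. If the debug file stays empty even though tcpdump shows the packets, the problem is in front of rsyslog (firewall, rp_filter, or a missing route back to the source address), not in the template.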