On 10/4/24 1:40 PM, João Carlos Garcia via rsyslog wrote:
Hi everyone,

I’m new to rsyslog; I have spent 2 weeks trying to do this, but with no success.

I have a FortiGate (IP 172.16.0.12) configured to send its logs to a Linux Ubuntu host (hostname usyslog) using UDP port 6514.

In my last attempt, I just changed a few lines in rsyslog.conf:

module(load="imudp")
input(type="imudp" port="6514")

module(load="ommysql")

$AllowedSender UDP, 172.16.0.12/24
if $fromhost-ip == '172.16.0.12' then
{
        action(type="ommysql" server="localhost" db="fortigate_logs" uid="root" pwd="password")
        #action(type="omfile" file="/var/log/fortigate.log")
}
I created the database fortigate_logs and the table SystemEvents.

Using tcpdump, I can see packets reaching the server:

11:29:01.683318 IP 172.16.0.12.18367 > usyslog.syslog-tls: Flags [S], seq 3001477916, win 11840, options [mss 2960,sackOK,TS val 360581190 ecr 0,nop,wscale 11], length 0
11:29:01.683357 IP usyslog.syslog-tls > 172.16.0.12.18367: Flags [R.], seq 0, ack 3001477917, win 0, length 0
11:29:12.023428 IP 172.16.0.12.18394 > usyslog.syslog-tls: Flags [S], seq 1897421554, win 11840, options [mss 2960,sackOK,TS val 360582224 ecr 0,nop,wscale 11], length 0
11:29:12.023463 IP usyslog.syslog-tls > 172.16.0.12.18394: Flags [R.], seq 0, ack 1897421555, win 0, length 0
11:29:21.693622 IP 172.16.0.12.7407 > usyslog.syslog-tls: Flags [S], seq 252807957, win 11840, options [mss 2960,sackOK,TS val 360583191 ecr 0,nop,wscale 11], length 0
11:29:21.693662 IP usyslog.syslog-tls > 172.16.0.12.7407: Flags [R.], seq 0, ack 252807958, win 0, length 0
11:29:32.023773 IP 172.16.0.12.16146 > usyslog.syslog-tls: Flags [S], seq 4274163439, win 11840, options [mss 2960,sackOK,TS val 360584224 ecr 0,nop,wscale 11], length 0

No logs are written to MariaDB:

mysql> select count(*) from SystemEvents;
+----------+
| count(*) |
+----------+
|        0 |
+----------+
1 row in set (0,01 sec)

What did I miss? What is wrong? Could you help me, please?

Thanks,

João Carlos Garcia
Cel.: (+55 11) 99363 9616

5Wi - Integração e Alta Disponibilidade
Al. Rio negro, 585, Ed Jaçari, cj 13
Barueri, SP, 06454-000
Tel.: (+55 11) 2176 3650
www.5wi.com.br


_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

The incoming syslog messages are using TCP, not UDP, and the SYN packets are being rejected with an RST. Use the TCP input type on port 6514. Because you are not receiving the syslog messages, there is nothing to insert into the database.

HTH,

brendan
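As an added example, not taken from the thread or from the rsyslog project, this is the rsyslog.conf fragment that brendan's reply points to: an imtcp listener on TCP 6514, bound to its own ruleset so that only the FortiGate feed reaches the database. The ruleset name, the dedicated MariaDB account and its password, and the fallback file path are placeholders chosen for illustration.

```conf
# rsyslog.conf fragment (added example, not the poster's original config).
# The tcpdump output in the thread shows TCP SYNs to port 6514, so the
# listener must be imtcp, not imudp. Port 6514 is the IANA syslog-tls port;
# this fragment assumes plain TCP, as in brendan's reply. If the FortiGate is
# set to send over TLS, imtcp additionally needs a TLS stream driver
# (gtls or ossl) configured; that is not shown here.
module(load="imtcp")
module(load="ommysql")

# Bind the listener to a dedicated ruleset so only this feed reaches the DB
# and nothing from the default ruleset is mixed in. "fortigate" is a
# placeholder name.
input(type="imtcp" port="6514" ruleset="fortigate")

ruleset(name="fortigate") {
    # Restrict to the firewall's address. The "$AllowedSender UDP, ..."
    # directive from the original config applied to the UDP listener only
    # and does not cover this TCP input.
    if $fromhost-ip == "172.16.0.12" then {
        # Use a least-privilege DB account that holds INSERT on
        # fortigate_logs only, instead of root. "rsyslog_writer" and
        # "CHANGE_ME" are placeholders.
        action(type="ommysql" server="localhost" db="fortigate_logs"
               uid="rsyslog_writer" pwd="CHANGE_ME")
        # Keep a local copy while the database path is being validated.
        action(type="omfile" file="/var/log/fortigate.log")
    }
}
```

After restarting rsyslog, confirm a TCP listener is actually bound with `ss -lntp` (port 6514 should appear), then repeat the tcpdump capture: the FortiGate's SYN should now be answered with a SYN-ACK instead of the RST seen in the thread, and the `select count(*) from SystemEvents` check from the original post should start climbing. Because the password sits in the config file in clear text, keep rsyslog.conf readable only by root and grant the account nothing beyond INSERT on that one database.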
