Brendan,

Thanks for your help. I see the packets now have length > 0, but the data is not written to the database.

Is this correct?

$AllowedSender TCP, 172.16.0.12/24
if $fromhost-ip == '172.16.0.12' then {
    action(type="ommysql" server="localhost" db="fortigate_logs" uid="root" pwd="password")
}

Thanks,

João Carlos Garcia

-----Original Message-----
From: rsyslog <rsyslog-boun...@lists.adiscon.com> On Behalf Of Brendan Kearney via rsyslog
Sent: Friday, October 4, 2024 3:13 PM
To: rsyslog@lists.adiscon.com
Cc: Brendan Kearney <bpk...@gmail.com>
Subject: Re: [rsyslog] rsyslog + MariaDB + Fortigate

On 10/4/24 1:40 PM, João Carlos Garcia via rsyslog wrote:
> Hi everyone,
>
> I'm new to using rsyslog, and I have spent 2 weeks trying to do this, but with no success.
>
> I have a fortigate (ip 172.16.0.12) configured to send its logs to a Linux Ubuntu host (hostname usyslog) using UDP port 6514.
>
> In my last attempt, I just changed a few lines in rsyslog.conf:
>
> module(load="imudp")
> input(type="imudp" port="6514")
>
> module(load="ommysql")
>
> $AllowedSender UDP, 172.16.0.12/24
> if $fromhost-ip == '172.16.0.12' then
> {
>     action(type="ommysql" server="localhost" db="fortigate_logs" uid="root" pwd="password")
>     #action(type="omfile" file="/var/log/fortigate.log")
> }
>
> I created the database fortigate_logs and the table SystemEvents.
>
> Using tcpdump, there are packets reaching the server:
>
> 11:29:01.683318 IP 172.16.0.12.18367 > usyslog.syslog-tls: Flags [S], seq 3001477916, win 11840, options [mss 2960,sackOK,TS val 360581190 ecr 0,nop,wscale 11], length 0
> 11:29:01.683357 IP usyslog.syslog-tls > 172.16.0.12.18367: Flags [R.], seq 0, ack 3001477917, win 0, length 0
> 11:29:12.023428 IP 172.16.0.12.18394 > usyslog.syslog-tls: Flags [S], seq 1897421554, win 11840, options [mss 2960,sackOK,TS val 360582224 ecr 0,nop,wscale 11], length 0
> 11:29:12.023463 IP usyslog.syslog-tls > 172.16.0.12.18394: Flags [R.], seq 0, ack 1897421555, win 0, length 0
> 11:29:21.693622 IP 172.16.0.12.7407 > usyslog.syslog-tls: Flags [S], seq 252807957, win 11840, options [mss 2960,sackOK,TS val 360583191 ecr 0,nop,wscale 11], length 0
> 11:29:21.693662 IP usyslog.syslog-tls > 172.16.0.12.7407: Flags [R.], seq 0, ack 252807958, win 0, length 0
> 11:29:32.023773 IP 172.16.0.12.16146 > usyslog.syslog-tls: Flags [S], seq 4274163439, win 11840, options [mss 2960,sackOK,TS val 360584224 ecr 0,nop,wscale 11], length 0
>
> No log is written to the MariaDB:
>
> mysql> select count(*) from SystemEvents;
> +----------+
> | count(*) |
> +----------+
> |        0 |
> +----------+
> 1 row in set (0,01 sec)
>
> What did I miss? What is wrong? Could you help me, please?
>
> Thanks,
>
> João Carlos Garcia
> Cel.: (+55 11) 99363 9616
>
> 5Wi - Integração e Alta Disponibilidade
> Al. Rio negro, 585, Ed Jaçari, cj 13
> Barueri, SP, 06454-000
> Tel.: (+55 11) 2176 3650
> www.5wi.com.br
>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

The incoming syslog messages are using TCP, not UDP, and the SYN packets are being rejected with an RST. Use the input type of TCP on the 6514 port. Because you are not getting the syslog messages, there is nothing to insert into the database.

HTH,

brendan
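Added example, not from the thread: the rsyslog v8 config that Brendan's advice points to, with a file action beside the ommysql action so that an empty table can be separated into "messages never arrived" versus "the insert failed". The ruleset name, the file path and the retry parameter are my choices; one caveat is that 6514 is the IANA syslog-over-TLS port (tcpdump labelled it syslog-tls), so if the FortiGate is sending TLS, a plain imtcp listener accepts the connection but cannot decode the stream and a TLS stream driver would be needed instead.

```rsyslog
# Added example config (RainerScript syntax), not from the thread.
# Ruleset name, file path and retry parameter are arbitrary choices.
module(load="imtcp")
module(load="ommysql")

# Legacy directive; kept ahead of the input it is meant to restrict.
$AllowedSender TCP, 172.16.0.12/24

# The FortiGate connects with TCP to 6514 (tcpdump showed SYN answered by RST
# while only imudp was listening), so listen with imtcp and bind a ruleset.
input(type="imtcp" port="6514" ruleset="fortigate")

ruleset(name="fortigate") {
    if $fromhost-ip == '172.16.0.12' then {
        # Diagnostic: if this file stays empty, messages are not being
        # received or parsed; if it fills while the table stays at 0 rows,
        # the problem is on the ommysql side (credentials, schema, privileges).
        action(type="omfile" file="/var/log/fortigate.log")
        action(type="ommysql" server="localhost" db="fortigate_logs"
               uid="root" pwd="password"
               action.resumeRetryCount="-1")
    }
}
```

After restarting rsyslog, check the file first and then the table; a non-empty file with an empty table points at the database action, not at the input.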