Brendan

This isn't a production environment, but I did the changes:

if $fromhost-ip == '172.16.0.12' then {
    action(type="ommysql" server="localhost" db="fortigate_logs" uid="rsyslog" pwd="xxxxxxxxxxxxx")
}

But no data is logged to database but is logged to /var/log/syslog.

Don't know!

Tks,
João Carlos Garcia

-----Original Message-----
From: rsyslog <rsyslog-boun...@lists.adiscon.com> On Behalf Of Brendan Kearney via rsyslog
Sent: Monday, October 7, 2024 9:18 AM
To: rsyslog@lists.adiscon.com
Cc: Brendan Kearney <bpk...@gmail.com>
Subject: Re: [rsyslog] rsyslog + MariaDB + Fortigate

On 10/6/24 7:28 PM, João Carlos Garcia via rsyslog wrote:
> Hi everyone .. No firewall installed
>
> root@usyslog:~# ufw status
> Status: inactive
>
> root@usyslog:~# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> root@usyslog:~# sestatus
> Command 'sestatus' not found, but can be installed with:
> apt install policycoreutils
>
> root@usyslog:~# setenforce 0
> Command 'setenforce' not found, but can be installed with:
> apt install selinux-utils
>
> Any other clue?
>
> Tks
> João Garcia
>
>
> -----Original Message-----
> From: rsyslog <rsyslog-boun...@lists.adiscon.com> On Behalf Of
> Mauricio Tavares via rsyslog
> Sent: Saturday, October 5, 2024 1:47 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Mauricio Tavares <raubvo...@gmail.com>
> Subject: Re: [rsyslog] rsyslog + MariaDB + Fortigate
>
> On Sat, Oct 5, 2024 at 8:47 AM João Carlos Garcia via rsyslog
> <rsyslog@lists.adiscon.com> wrote:
>> Brendan,
>>
>> Thanks for your help, I see the packets now have length > 0, but the data is
>> not written to the database.
>>
>> Is this correct?
>>
>> $AllowedSender TCP, 172.16.0.12/24
>>
>> if $fromhost-ip == '172.16.0.12' then {
>>     action(type="ommysql" server="localhost" db="fortigate_logs"
>>            uid="root" pwd="password")
>> }
>>
>> Thanks,
>>
>> João Carlos Garcia
>>
> Do you have a firewall running in this host?
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites
> beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

i would check your DB rights/permissions. it's bad practice to use root as an identity for DB access. try to access the DB using the creds you provide to the rsyslog daemon and validate that there are no issues.

i create a specific user for rsyslog to access the log DB that i have, and don't use system IDs like root. you might need to create a user and provide that user the necessary permissions to the appropriate DB. check out this article...

https://mariadb.com/kb/en/mariadb-authorization-and-permissions-for-sql-server-users/

HTH,

brendan
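
Brendan's suggestion of a dedicated database account for rsyslog, with a check that the credentials work, could look like the following MariaDB session. This is an added example, not something posted in the thread. It assumes the `fortigate_logs` database already contains the `SystemEvents` table that ommysql writes to by default, that rsyslog connects from the same host, and it uses a placeholder password.

```sql
-- Added example, not from the thread. Run sections 1 and 3 as a MariaDB
-- administrator and section 2 as the new account.

-- 1. Dedicated account for the rsyslog daemon. The host part must match how
--    rsyslog connects: server="localhost" in the action() maps to
--    'rsyslog'@'localhost'.
CREATE USER IF NOT EXISTS 'rsyslog'@'localhost'
    IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';  -- placeholder value

-- Least privilege: the default ommysql template only issues INSERTs.
-- Assumption: the table is the stock SystemEvents table.
GRANT INSERT ON fortigate_logs.SystemEvents TO 'rsyslog'@'localhost';

-- Confirm what the account is actually allowed to do.
SHOW GRANTS FOR 'rsyslog'@'localhost';

-- 2. Reconnect with the same credentials rsyslog uses
--    (mysql -u rsyslog -p -h localhost fortigate_logs) and write a
--    constructed test row. An "access denied" or "command denied" error
--    here is the same failure rsyslog would be hitting.
INSERT INTO fortigate_logs.SystemEvents
    (Message, Facility, FromHost, Priority,
     DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag)
VALUES
    ('constructed test row', 1, 'usyslog', 5, NOW(), NOW(), 1, 'dbtest:');

-- 3. Back on the administrator session: verify the row arrived, then
--    remove it. The rsyslog account cannot do this itself because it was
--    granted INSERT only.
SELECT ID, ReceivedAt, FromHost, Message
FROM fortigate_logs.SystemEvents
WHERE SysLogTag = 'dbtest:';

DELETE FROM fortigate_logs.SystemEvents WHERE SysLogTag = 'dbtest:';
```

If the manual insert succeeds but rsyslog still writes nothing to the table, the credentials and grants are ruled out and the rsyslog side is the next thing to examine.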