<div dir="ltr"><div><div><div><div><div><div><div>I don't understand why this isn't working? I'm not seeing any data in our Balabit appliance.<br><br></div>I
have a regular default installation of CentOS 7.5, and have followed
the RedHat 7 rsyslog directions with regard to setting up a new message
filter:<br><br></div>I've added a singe file to /etc/rsyslog.d/<br><br></div><div>[root@host02 /etc/rsyslog.d]# cat tcp601.conf<br>*.* action(type="omfwd"<br>queue.type="LinkedList"<br>queue.filename="example_fwd_tcp_601"<br>action.resumeRetryCount="-1"<br>queue.saveonshutdown="on"<br>template="RSYSLOG_SyslogProtocol23Format"<br>target="10.126.19.45" Port="601" Protocol="tcp")<br><br></div>But I'm not getting anything at the appliance? <br><br></div>The
Appliance Log Source seems to be set up correctly (no licensing issues,
port 601 is set, Syslog format (I was told that is RFC 5425) selected).<br><br></div>Ports are open, but on the server that's configured as per above, I'm seeing this:<br><br>[root@host02 log]# netstat -tnp| grep 601<br>tcp 1 0 <a href="http://10.126.19.66:39768" target="_blank">10.126.19.66:39768</a> <a href="http://10.126.19.45:601" target="_blank">10.126.19.45:601</a> CLOSE_WAIT 2400/rsyslogd<br><br></div>The
data works fine if I send over UDP/port 514, with the template being
either RSYSLOG_SyslogProtocol23Format or RSYSLOG_TraditionalFileFormat<br><br></div>I'm also seeing - in host02's /var/log/messages a *large* number of errors that state:<br><br><div>Jun 25 11:14:14 host02 rsyslogd: action 'action 2' resumed (module 'builtin:omfwd') [v8.24.0 try <a href="http://www.rsyslog.com/e/2359" target="_blank">http://www.rsyslog.com/e/2359</a> ]<br><br></div><div>Can someone tell me where I've gone wrong and/or indicate what I might do next to debug this issue?<br><br></div><div>Cheers<br></div>L.<div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><br></div></div></div></div></div></div></div></div></div></div></div></div></div>