I have a regular default installation of CentOS 7.5, and have followed the RedHat 7 rsyslog directions with regard to setting up a new message filter:

I've added a single file to /etc/rsyslog.d/

[root@host02 /etc/rsyslog.d]# cat tcp601.conf
*.* action(type="omfwd"
    queue.type="LinkedList"
    queue.filename="example_fwd_tcp_601"
    action.resumeRetryCount="-1"
    queue.saveonshutdown="on"
    template="RSYSLOG_SyslogProtocol23Format"
    target="10.126.19.45" Port="601" Protocol="tcp")

But I'm not getting anything at the appliance?

The Appliance Log Source seems to be set up correctly (no licensing issues, port 601 is set, Syslog format (I was told that is RFC 5425) selected).

Ports are open, but on the server that's configured as per above, I'm seeing this:

[root@host02 log]# netstat -tnp| grep 601
tcp 1 0 10.126.19.66:39768 10.126.19.45:601 CLOSE_WAIT 2400/rsyslogd

I'm also seeing - in host02's /var/log/messages a *large* number of errors that state:

Jun 25 11:14:14 host02 rsyslogd: action 'action 2' resumed (module 'builtin:omfwd') [v8.24.0 try http://www.rsyslog.com/e/2359 ]

The data works fine if I send over UDP/port 514, with the template being either RSYSLOG_SyslogProtocol23Format or RSYSLOG_TraditionalFileFormat.

I don't understand why this isn't working? I'm not seeing any data in our Balabit appliance.

Can someone tell me where I've gone wrong and/or indicate what I might do next to debug this issue?

Cheers
L.
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq