CentOS 7.5, rsyslog, port 601, TCP - nothing getting delivered
I don't understand why this isn't working? I'm not seeing any data in our Balabit appliance.

I have a regular default installation of CentOS 7.5, and have followed the RedHat 7 rsyslog directions with regard to setting up a new message filter:

I've added a single file to /etc/rsyslog.d/

[root@host02 /etc/rsyslog.d]# cat tcp601.conf
*.* action(type="omfwd" queue.type="LinkedList" queue.filename="example_fwd_tcp_601" action.resumeRetryCount="-1" queue.saveonshutdown="on" template="RSYSLOG_SyslogProtocol23Format" target="10.126.19.45" Port="601" Protocol="tcp")

But I'm not getting anything at the appliance?

The Appliance Log Source seems to be set up correctly (no licensing issues, port 601 is set, Syslog format (I was told that is RFC 5425) selected).

Ports are open, but on the server that's configured as per above, I'm seeing this:

[root@host02 log]# netstat -tnp | grep 601
tcp 1 0 10.126.19.66:39768 10.126.19.45:601 CLOSE_WAIT 2400/rsyslogd

The data works fine if I send over UDP/port 514, with the template being either RSYSLOG_SyslogProtocol23Format or RSYSLOG_TraditionalFileFormat.

I'm also seeing - in host02's /var/log/messages - a *large* number of errors that state:

Jun 25 11:14:14 host02 rsyslogd: action 'action 2' resumed (module 'builtin:omfwd') [v8.24.0 try http://www.rsyslog.com/e/2359 ]

Can someone tell me where I've gone wrong and/or indicate what I might do next to debug this issue?

Cheers L.
On Mon, 25 Jun 2018 at 11:21, Lachlan Musicman <datakid@gmail.com> wrote:
> I don't understand why this isn't working? I'm not seeing any data in our Balabit appliance.
> I have a regular default installation of CentOS 7.5, and have followed the RedHat 7 rsyslog directions with regard to setting up a new message filter:
> I've added a single file to /etc/rsyslog.d/
> [root@host02 /etc/rsyslog.d]# cat tcp601.conf
> *.* action(type="omfwd" queue.type="LinkedList" queue.filename="example_fwd_tcp_601" action.resumeRetryCount="-1" queue.saveonshutdown="on" template="RSYSLOG_SyslogProtocol23Format" target="10.126.19.45" Port="601" Protocol="tcp")
> But I'm not getting anything at the appliance?
> The Appliance Log Source seems to be set up correctly (no licensing issues, port 601 is set, Syslog format (I was told that is RFC 5425) selected).
Note that when we change the Appliance Source to legacy instead of Syslog, the above works - but doesn't parse well with that template in rsyslog: program is listed as <digit> and all other data is in the msg field? Removing the template line does give us a normal "legacy" format.

Cheers L.
This list is not official support for Balabit's products and I am not really an rsyslog expert, but let me try to help.

I think the issue might be related to "framing", e.g. syslog-ng configured to expect framing whereas rsyslog not doing it. This page:

https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html

contains a parameter which is TCP_framing that defaults to "no".

In that case, syslog-ng will drop the connection if the framing is not there. See https://tools.ietf.org/html/rfc5425#section-4.3 for a description on what framing is and how it works.

-- Bazsi

On Mon, Jun 25, 2018 at 3:21 AM, Lachlan Musicman <datakid@gmail.com> wrote:
> I don't understand why this isn't working? I'm not seeing any data in our Balabit appliance.
> I have a regular default installation of CentOS 7.5, and have followed the RedHat 7 rsyslog directions with regard to setting up a new message filter:
> I've added a single file to /etc/rsyslog.d/
> [root@host02 /etc/rsyslog.d]# cat tcp601.conf
> *.* action(type="omfwd" queue.type="LinkedList" queue.filename="example_fwd_tcp_601" action.resumeRetryCount="-1" queue.saveonshutdown="on" template="RSYSLOG_SyslogProtocol23Format" target="10.126.19.45" Port="601" Protocol="tcp")
> But I'm not getting anything at the appliance?
> The Appliance Log Source seems to be set up correctly (no licensing issues, port 601 is set, Syslog format (I was told that is RFC 5425) selected).
> Ports are open, but on the server that's configured as per above, I'm seeing this:
> [root@host02 log]# netstat -tnp | grep 601
> tcp 1 0 10.126.19.66:39768 10.126.19.45:601 CLOSE_WAIT 2400/rsyslogd
> The data works fine if I send over UDP/port 514, with the template being either RSYSLOG_SyslogProtocol23Format or RSYSLOG_TraditionalFileFormat.
> I'm also seeing - in host02's /var/log/messages - a *large* number of errors that state:
> Jun 25 11:14:14 host02 rsyslogd: action 'action 2' resumed (module 'builtin:omfwd') [v8.24.0 try http://www.rsyslog.com/e/2359 ]
> Can someone tell me where I've gone wrong and/or indicate what I might do next to debug this issue?
> Cheers L.
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
On Tue, 26 Jun 2018 at 00:09, Scheidler, Balázs <balazs.scheidler@balabit.com> wrote:
> This list is not official support for Balabit's products and I am not really an rsyslog expert, but let me try to help.
> I think the issue might be related to "framing", e.g. syslog-ng configured to expect framing whereas rsyslog not doing it. This page:
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
> contains a parameter which is TCP_framing that defaults to "no".
> In that case, syslog-ng will drop the connection if the framing is not there. See https://tools.ietf.org/html/rfc5425#section-4.3 for a description on what framing is and how it works.
Thanks Bazsi, appreciate the hint, you put me on the right track.

For those that come behind me, the major issue I found was the allowed data in the conf file - there didn't seem to be any documentation at all about what values TCP_Framing could take. Case insensitively, the following didn't work: yes, true, on.

Trial and error/guess work discovered that the correct syntax to get this working is "octet-counted":

[root@host02 /etc/rsyslog.d]# cat tcp601.conf
*.* action(type="omfwd" queue.type="LinkedList" queue.filename="example_fwd_tcp_601" action.resumeRetryCount="-1" queue.saveonshutdown="on" template="RSYSLOG_SyslogProtocol23Format" target="10.126.19.45" Port="601" Protocol="tcp" TCP_Framing="octet-counted")

Cheers L.
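To make the framing difference behind this thread concrete, here is an added example (not code from the thread, rsyslog or syslog-ng) that builds both rsyslog framings for a syslog message and parses a TCP byte stream the way an octet-counting receiver does. The function names and the sample messages are constructed for this illustration; the framing itself is the MSG-LEN SP SYSLOG-MSG form from RFC 5425 section 4.3 that Bazsi pointed to.

```python
import re

# Octet-counted framing (RFC 5425 section 4.3): each message on the TCP stream is
# sent as  MSG-LEN SP SYSLOG-MSG, where MSG-LEN is the byte length of SYSLOG-MSG.
# This is what rsyslog emits with TCP_Framing="octet-counted".

def frame_octet_counted(msg: bytes) -> bytes:
    """Prefix the message with its byte length, as an octet-counting sender does."""
    return b"%d %s" % (len(msg), msg)

def frame_traditional(msg: bytes) -> bytes:
    """Non-transparent (LF-terminated) framing, rsyslog's default TCP_Framing."""
    return msg + b"\n"

def parse_octet_counted(stream: bytes):
    """Split a TCP byte stream into messages as an octet-counting receiver does.

    Returns (messages, error). error is set when the stream violates the framing,
    which is the point at which a strict receiver gives up on the connection,
    matching the CLOSE_WAIT socket and endless 'action resumed' messages seen
    in the thread when rsyslog sent unframed messages.
    """
    msgs = []
    pos = 0
    while pos < len(stream):
        m = re.match(rb"([1-9][0-9]*) ", stream[pos:])
        if not m:
            return msgs, "expected MSG-LEN at offset %d, got %r" % (pos, stream[pos:pos + 16])
        length = int(m.group(1))
        start = pos + m.end()
        if start + length > len(stream):
            return msgs, "incomplete frame"  # a real receiver would wait for more bytes
        msgs.append(stream[start:start + length])
        pos = start + length
    return msgs, None

if __name__ == "__main__":
    # Constructed RFC 5424-style message, the shape RSYSLOG_SyslogProtocol23Format produces.
    msg = b"<34>1 2018-06-25T11:14:14Z host02 rsyslogd - - - constructed test message"
    print(parse_octet_counted(frame_octet_counted(msg)))   # accepted
    print(parse_octet_counted(frame_traditional(msg)))     # rejected: no MSG-LEN
```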
Participants (2): Lachlan Musicman; Scheidler, Balázs