[syslog-ng] CentOS 7.5, rsyslog, port 601, TCP - nothing getting delivered
Lachlan Musicman
datakid at gmail.com
Mon Jun 25 01:21:33 UTC 2018
I don't understand why this isn't working? I'm not seeing any data in our
Balabit appliance.
I have a regular default installation of CentOS 7.5, and have followed the
RedHat 7 rsyslog directions with regard to setting up a new message filter:
I've added a singe file to /etc/rsyslog.d/
[root at host02 /etc/rsyslog.d]# cat tcp601.conf
*.* action(type="omfwd"
queue.type="LinkedList"
queue.filename="example_fwd_tcp_601"
action.resumeRetryCount="-1"
queue.saveonshutdown="on"
template="RSYSLOG_SyslogProtocol23Format"
target="10.126.19.45" Port="601" Protocol="tcp")
But I'm not getting anything at the appliance?
The Appliance Log Source seems to be set up correctly (no licensing issues,
port 601 is set, Syslog format (I was told that is RFC 5425) selected).
Ports are open, but on the server that's configured as per above, I'm
seeing this:
[root at host02 log]# netstat -tnp| grep 601
tcp 1 0 10.126.19.66:39768 10.126.19.45:601
CLOSE_WAIT 2400/rsyslogd
The data works fine if I send over UDP/port 514, with the template being
either RSYSLOG_SyslogProtocol23Format or RSYSLOG_TraditionalFileFormat
I'm also seeing - in host02's /var/log/messages a *large* number of errors
that state:
Jun 25 11:14:14 host02 rsyslogd: action 'action 2' resumed (module
'builtin:omfwd') [v8.24.0 try http://www.rsyslog.com/e/2359 ]
Can someone tell me where I've gone wrong and/or indicate what I might do
next to debug this issue?
Cheers
L.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20180625/656586a2/attachment.html>
More information about the syslog-ng
mailing list