[syslog-ng] CentOS 7.5, rsyslog, port 601, TCP - nothing getting delivered

Scheidler, Bal√°zs balazs.scheidler at balabit.com
Mon Jun 25 14:08:59 UTC 2018


This list is not official support for Balabit's products and I am not
really an rsyslog expert, but let me try to help.

I think the issue might be related to "framing", e.g. syslog-ng configured
to expect framing whereas rsyslog not doing it. This page:

https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html

contains a parameter which is TCP_framing that defaults to "no".

In that case, syslog-ng will drop the connection if the framing is not
there. See https://tools.ietf.org/html/rfc5425#section-4.3 for a
description on what framing is and how it works.

-- 
Bazsi

On Mon, Jun 25, 2018 at 3:21 AM, Lachlan Musicman <datakid at gmail.com> wrote:

> I don't understand why this isn't working? I'm not seeing any data in our
> Balabit appliance.
>
> I have a regular default installation of CentOS 7.5, and have followed the
> RedHat 7 rsyslog directions with regard to setting up a new message filter:
>
> I've added a singe file to /etc/rsyslog.d/
>
> [root at host02 /etc/rsyslog.d]#  cat tcp601.conf
> *.* action(type="omfwd"
> queue.type="LinkedList"
> queue.filename="example_fwd_tcp_601"
> action.resumeRetryCount="-1"
> queue.saveonshutdown="on"
> template="RSYSLOG_SyslogProtocol23Format"
> target="10.126.19.45" Port="601" Protocol="tcp")
>
> But I'm not getting anything at the appliance?
>
> The Appliance Log Source seems to be set up correctly (no licensing
> issues, port 601 is set, Syslog format (I was told that is RFC 5425)
> selected).
>
> Ports are open, but on the server that's configured as per above, I'm
> seeing this:
>
> [root at host02 log]# netstat -tnp| grep 601
> tcp        1      0 10.126.19.66:39768      10.126.19.45:601
> CLOSE_WAIT  2400/rsyslogd
>
> The data works fine if I send over UDP/port 514, with the template being
> either RSYSLOG_SyslogProtocol23Format or RSYSLOG_TraditionalFileFormat
>
> I'm also seeing - in host02's /var/log/messages a *large* number of errors
> that state:
>
> Jun 25 11:14:14 host02 rsyslogd: action 'action 2' resumed (module
> 'builtin:omfwd') [v8.24.0 try http://www.rsyslog.com/e/2359 ]
>
> Can someone tell me where I've gone wrong and/or indicate what I might do
> next to debug this issue?
>
> Cheers
> L.
>
>
> ____________________________________________________________
> __________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?
> product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20180625/f6524903/attachment-0001.html>


More information about the syslog-ng mailing list