rsyslog server does not process messages from other hosts

joernius
Posts: 4
Joined: 2021/07/16 12:32:57

rsyslog server does not process messages from other hosts

Post by joernius » 2021/08/12 08:48:01

Hello all,

I want to build an rsyslog server that works as a relay. But it only logs itself.
OS version 7.9, rsyslog version 8.24

The setup should look like this:

host-a1  -|->  host-a20 via udp-601 ->  host-b via udp 514
host-a2  -|
host-a.. -|
host-a9  -|

It has the following state:

host-a1

host-a1 ~]#/etc/rsyslog.conf
*.* @@host-a20:601

Check that the firewall is open:

host-a1# telnet host-a20 601
Trying 192.168.1.20...
^C

Check SELinux rules:

host-a1 ~]# semanage port -l|grep syslog
syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514

tcpdump: check UDP output:

host-a1 ~]# tcpdump -i ens192  -v port 601
tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
09:33:11.468909 IP (tos 0x0, ttl 64, id 56056, offset 0, flags [DF], proto UDP (17), length 105)
    host-a1.my-domain.dd.59762 > 192.168.1.20.syslog-conn: UDP, length 77

host-a20

Configuration file /etc/rsyslog.conf:

host-a20 ~]#/etc/rsyslog.conf
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal

*.* @@host-b:514

Configuration file /etc/rsyslog.d/syslogserver.conf:

host-a20 ~]#/etc/rsyslog.d/syslogserver.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 601

# Logfile for each host
$template TemplLogFile,"/var/log/rsyslogserver/%HOSTNAME%/%PROGRAMNAME%.log"
*.* -?TemplLogFile

Check the listening port:

host-a20 ~]# netstat -tunlp|grep syslog
udp        0      0 0.0.0.0:53803           0.0.0.0:*                           39865/rsyslogd
udp        0      0 0.0.0.0:601             0.0.0.0:*                           39865/rsyslogd

tcpdump: check input:

host-a20 ~]# tcpdump -i ens192 -e -v port 601
tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
09:58:59.980921 00:50:56:89:9e:34 (oui Unknown) > 00:50:56:89:5f:a2 (oui Unknown), 
    ethertype IPv4 (0x0800), length 134: (tos 0x0, ttl 64, id 35644, offset 0, flags [DF], proto UDP (17), length 120)
    192.168.1.1.59762 > host-a20.my-domain.dd.syslog-conn: UDP, length 92

This is all that was logged:

host-a20 ~]# tree /var/log/rsyslogserver/
/var/log/rsyslogserver/
└── host-a20
    ├── CROND.log
    ├── kernel.log
    ├── polkitd.log
    ├── postfix.log
    ├── sssd.log
    ├── systemd.log
    └── systemd-logind.log

1 directory, 7 files

Only host-a20! I really don't know what to do.

Again, the complete configuration files from the log server:

/etc/rsyslog.conf

host-a20 ~]# cat /etc/rsyslog.conf |grep -v '^#'|grep -v '^$'

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
*.info @host-b:514

/etc/rsyslog.d/syslogserver.conf

host-a20 ~]# cat /etc/rsyslog.d/syslogserver.conf |grep -v '^#'|grep -v '^$'

$ModLoad imudp
$UDPServerRun 601
$template TemplLogFile,"/var/log/rsyslogserver/%HOSTNAME%/%PROGRAMNAME%.log"
*.* -?TemplLogFile

Please tell me what I did wrong. Thanks for looking.

Best regards
Joern


Update:
I changed the directive in the configuration file /etc/rsyslog.d/syslogserver.conf from

$template TemplLogFile,"/var/log/rsyslogserver/%HOSTNAME%/%PROGRAMNAME%.log"
to

$template TemplLogFile,"/var/log/rsyslogserver/%FROMHOST-IP%.log"

and in /var/log/messages I see that the rsyslog server is only processing the localhost address. The /etc/hosts is OK.
But I think it is another problem...

host-a20 ~]# tree /var/log/rsyslogserver/
/var/log/rsyslogserver/
├── 127.0.0.1.log

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: rsyslog server does not process messages from other hosts

Post by TrevorH » 2021/08/12 10:04:15

You can't check a UDP port's availability using telnet - it uses TCP not UDP.

You don't post anything about firewall configuration and you will need to open the right ports there - all are closed by default except tcp 22 for ssh.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

joernius
Posts: 4
Joined: 2021/07/16 12:32:57

Re: rsyslog server does not process messages from other hosts

Post by joernius » 2021/08/12 12:02:00

Thank you. I was a bit blind. I had mistakenly thought the unrefused telnet connection meant the port was open.

After opening it, I now receive the log files of the other host.

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: rsyslog server does not process messages from other hosts

Post by Whoever » 2021/08/18 04:10:49

*.* @@host-b:514
It is my experience that using the "@@" syntax which makes the connection use TCP can be problematic. If the syslog server has problems (for example, out of disk space), this problem can result in problems on the machine that is sending the log information.

Use UDP via "@".

larwood
Posts: 66
Joined: 2011/07/27 12:07:30
Location: Perth WA, Australia

Re: rsyslog server does not process messages from other hosts

Post by larwood » 2021/08/20 05:29:05

I find logger useful for testing syslog over UDP. Here are two examples sent from the source server to the syslog server.

# logger --udp --server syslog.domain.internal --tag 'production' --priority local0.info 'Just testing'
# logger --udp --port 514 --server syslog.domain.internal "Just testing $(hostname)"
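
As an added example (not code from this thread or from rsyslog), here is a small Python loopback check of the UDP syslog exchange that logger sends and the relay receives: it builds the RFC 3164 datagram, delivers it over UDP to a throwaway listener and decodes the fields that rsyslog's %HOSTNAME%, %PROGRAMNAME% and %FROMHOST-IP% template properties are taken from. The host name host-a1, the tag, the priority and the ephemeral listener port are assumed values; a real relay would listen on 601/udp.

```python
import re
import socket
from datetime import datetime

# Facility/severity codes from RFC 3164 section 4.1.1; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "syslog": 5, "local0": 16, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# BSD syslog line as produced by logger(1) and rsyslog's traditional format:
#   <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


def build_message(priority, hostname, tag, text, when=None):
    """Encode one datagram as `logger --priority local0.info --tag production` would."""
    facility, severity = priority.split(".")
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = when or datetime.now()
    # RFC 3164 pads a single-digit day with a space ("Aug  1"), not a zero.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {text}".encode()


def parse_message(datagram):
    """Decode a datagram into the fields rsyslog exposes as template properties."""
    m = LINE_RE.match(datagram.decode(errors="replace"))
    if not m:
        return None   # rsyslog would still accept such a line and fill defaults; here it is flagged
    pri = int(m["pri"])
    return {"facility": FACILITY_NAMES.get(pri // 8, str(pri // 8)),
            "severity": SEVERITY_NAMES[pri % 8],
            "hostname": m["host"],        # %HOSTNAME%: taken from the message header
            "programname": m["tag"],      # %PROGRAMNAME%: the tag without its [PID]
            "msg": m["msg"]}


def loopback_check(priority="local0.info", tag="production", text="Just testing"):
    """Send one UDP syslog datagram to a throwaway listener and return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))        # ephemeral port standing in for the relay's 601/udp
        rx.settimeout(2)
        tx.sendto(build_message(priority, "host-a1", tag, text), rx.getsockname())
        data, (from_ip, _) = rx.recvfrom(65535)
    result = parse_message(data)
    result["fromhost_ip"] = from_ip      # %FROMHOST-IP%: the peer address, not the header
    return result
```

Because UDP has no handshake, sendto() succeeds and tcpdump on the sender shows the packet whether or not the relay's firewall admits it; only a datagram actually received on the relay side proves the path is open.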
