Hi, I have two systems running rsyslog 4.2.0 and snort 2.8.5.3. On one of those systems, it's forwarding snort's alert logs to our central log server correctly. On the second box (that has the same snort and rsyslog configs), it has only forwarded one alert but the alert file is seeing a lot of data so I don't know what's going on. I put rsyslog in debug mode and every 10 secs, it logs the following message:
4478.108169000:41851940: strm 0x1e8b5dd0: file 6 read -1 bytes
4478.108225000:41851940: strm 0x1e8b6fc0: file 7 read 0 bytes

What does that mean? It appears that the only time it deviated was when it sent the one alert to the syslog server:

4148.075280000:41851940: strm 0x1e8b6fc0: file 7 read 225 bytes

But the file that it's referring to as "file 6" is seeing much more data than "file 7" and it shouldn't have any problem reading it as it's 644 and owned by snort.snort (rsyslog is running as root). Does anyone know what might be going on or have anything I can try?

Thanks!
Bryan

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

