Can you post a (sufficiently large or complete) debug log that exposes the problem? The list will probably reject it, so it is best to put it on something like pastebin.
Rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Rick Brown
> Sent: Thursday, December 13, 2012 4:01 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] imfile and omudpspoof
>
> On Tue, 11 Dec 2012, Rick Brown wrote:
>
> > > > I use imfile to gather application logs such as apache, tomcat, php,
> > > > etc. and send those on to my syslog server along with the client
> > > > machines' normal syslog traffic. My syslog server then dutifully
> > > > writes all the messages locally and additionally forwards the
> > > > messages on to a SIEM product via omudpspoof.
> > > >
> > > > Watching packet captures, I can see some messages are being spoofed
> > > > and sent on to the SIEM, but some are not. At first glance, it
> > > > appears that all regular syslog messages that are generated on the
> > > > client are being spoofed and sent on to the SIEM, but most, if not
> > > > all, messages generated via imfile on the client are not being
> > > > spoofed and sent on to the SIEM at all.
> > > >
> > > > I've tried the standard
> > > >
> > > > *.* :omudpspoof:
> > > >
> > > > as well as
> > > >
> > > > $template spooftemplate,"%fromhost-ip% %rawmsg%"
> > > > *.* :omudpspoof:;spooftemplate
> > > >
> > > > and
> > > >
> > > > $template spooftemplate,"%rawmsg%"
> > > > *.* :omudpspoof:;spooftemplate
> > > >
> > > > All with the same effect. Am I missing something here? Is anyone
> > > > else doing similar, or seen similar behavior?
> > > >
> > > > For the record, I'm running a patched version of 5.8.11. The patch,
> > > > now that I'm reading it again, was to protect against calling more
> > > > than one instance of libnet code in the omudpspoof module.
> > >
> > > The udpspoof module grabs the first field from the template and uses
> > > that as the IP address to spoof from. What is the fromhost-ip when you
> > > get the files from imfile?
> >
> > Ahh, you may be onto something there.. the messages coming into my
> > syslog server have just the hostname in it, not FQDN, and not IP
> > address. The few that I see leaving for the SIEM have the IP address in
> > that field of the message. Now to figure out why they're different.
>
> Hrm. Upon inspection, all logs are coming in with just the hostname, so
> that's a dead end. All normal syslogs (like cron.info, kernel.notice,
> daemon.debug, etc.) I can see are being spoofed and sent on to the SIEM,
> but the logs generated by imfile (all configured as news.info) from
> client machines get logged on the syslog server, but aren't being spoofed
> and sent on to the SIEM.
>
> --
> Rick Brown
> Office of Information Technology
> Georgia Institute of Technology
> 258 4th Street N.W. Atlanta, GA 30332-0715

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
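The reply quoted above says omudpspoof takes the first field of the rendered template as the address to spoof from, and the omudpspoof documentation requires that address to be a numeric IP (a hostname cannot be put into an IP header). The following is an added example, not rsyslog's code and not from anyone in the thread: it models that rule in Python against the two templates Rick posted plus a hostname-first variant, on constructed sample messages, so you can see for each template which messages would get a usable spoof source and which would not. The property values, the 127.0.0.1 fromhost-ip for a line imfile reads on the server itself, and the behaviour on a non-numeric first field are my assumptions, not verified against the 5.8.11 source.

```python
import ipaddress
import re

# Constructed sample messages (assumption, not captured from the thread).
# Each dict holds the rsyslog properties a message would carry on the central
# syslog server. fromhost-ip comes from the socket the message arrived on:
# a line relayed from a client carries the client's IP, while a line that
# imfile reads on the server itself carries the local address (assumed here).
SAMPLE_MESSAGES = [
    {"label": "cron.info via imudp from a client",
     "fromhost-ip": "10.1.2.3", "hostname": "web01",
     "rawmsg": "<78>Dec 13 16:01:02 web01 CROND[4711]: (root) CMD (run-parts /etc/cron.hourly)"},
    {"label": "news.info, imfile on the client, relayed",
     "fromhost-ip": "10.1.2.3", "hostname": "web01",
     "rawmsg": '<62>Dec 13 16:01:03 web01 apache: 203.0.113.9 - - "GET /login HTTP/1.1" 200 1234'},
    {"label": "news.info, imfile on the syslog server itself",
     "fromhost-ip": "127.0.0.1", "hostname": "syslog01",
     "rawmsg": "<62>Dec 13 16:01:04 syslog01 tomcat: session created for user alice"},
]

# The two action templates from the thread, plus a hostname-first variant.
TEMPLATES = {
    "spooftemplate (ip first)": "%fromhost-ip% %rawmsg%",
    "spooftemplate (raw only)": "%rawmsg%",
    "hostname first (variant)": "%hostname% %rawmsg%",
}

PROP = re.compile(r"%([a-z-]+)%")


def render(template, msg):
    """Expand %property% references the way an rsyslog string template does."""
    return PROP.sub(lambda m: str(msg.get(m.group(1), "")), template)


def spoof_source(rendered):
    """Apply the rule the thread describes: the first whitespace-delimited
    field of the rendered output is the address to spoof from. omudpspoof
    needs a numeric IPv4 address there, so a hostname, an empty field or a
    raw syslog PRI like '<62>Dec' yields None (no usable spoof source)."""
    field = rendered.split(None, 1)[0] if rendered.strip() else ""
    try:
        return str(ipaddress.IPv4Address(field))
    except ipaddress.AddressValueError:
        return None


def classify(template, messages=SAMPLE_MESSAGES):
    """Return (label, spoof source or None) for every message under a template."""
    return [(m["label"], spoof_source(render(template, m))) for m in messages]


if __name__ == "__main__":
    for name, tpl in TEMPLATES.items():
        print(f"{name}: {tpl}")
        for label, src in classify(tpl):
            verdict = f"spoof from {src}" if src else "no usable source address"
            print(f"  {label:48s} -> {verdict}")
```

Run as a script it prints, per template, which sample messages yield a numeric spoof source. Under this model only the template that puts %fromhost-ip% first produces one, and a message read by imfile on the server itself would be spoofed from 127.0.0.1 rather than from a client address, which is the kind of difference the rendered-template output in a debug log would make visible.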

