> -----Original Message-----
> From: Rick Brown [mailto:[email protected]]
> Sent: Thursday, December 13, 2012 7:06 PM
> To: Rainer Gerhards
> Subject: Re: [rsyslog] imfile and omudpspoof
> 
> You're right, it's rather large.   I gzipp'd the output and posted it
> at xxxx

Mhhh... That log does not include anything from imfile. Did you accidentally 
capture the wrong system?

From what I have seen, it may also happen that the debug log info is not 
sufficient. Just treat this as advance warning ;)

We can probably get around a limitation by creating an additional log file, so 
that I can see all message properties. Please add

*.* /var/log/rsyslog-props.log;RSYSLOG_DebugFormat

To your config (the file name is obviously irrelevant, but the template is 
important!).

Make sure that the debug log and the property file are from the same run.

Rainer
> I see that some of the imfile generated messages are making it through
> to the SIEM from time to time, but the vast majority are being dropped.
> I have to wonder if I'm overflowing a buffer in the output modules.
> 
> Thanks for taking a look!
> 
> ----- Original Message -----
> > From: "Rainer Gerhards" <[email protected]>
> > To: "rsyslog-users" <[email protected]>
> > Sent: Thursday, December 13, 2012 10:05:02 AM
> > Subject: Re: [rsyslog] imfile and omudpspoof
> >
> > Can you post a (sufficiently large or complete) debug log that
> > exposes the problem? The list will probably reject it, so it is best
> > to put it on something like pastebin.
> >
> > Rainer
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:rsyslog-
> > > [email protected]] On Behalf Of Rick Brown
> > > Sent: Thursday, December 13, 2012 4:01 PM
> > > To: rsyslog-users
> > > Subject: Re: [rsyslog] imfile and omudpspoof
> > >
> > > > > On Tue, 11 Dec 2012, Rick Brown wrote:
> > > > >
> > > > > > > I use imfile to gather application logs such as apache,
> > > > > > > tomcat, php, etc. and send those on to my syslog server along
> > > > > > > with the client machines' normal syslog traffic.   My syslog
> > > > > > > server then dutifully writes all the messages locally and
> > > > > > > additionally forwards the messages on to a SIEM product via
> > > > > > > omudpspoof.
> > > > > > >
> > > > > > > Watching packet captures, I can see some messages are being
> > > > > > > spoofed and sent on to the SIEM, but some are not.  At first
> > > > > > > glance, it appears that all regular syslog messages that are
> > > > > > > generated on the client are being spoofed and sent on to the
> > > > > > > SIEM, but most, if not all, messages generated via imfile on
> > > > > > > the client are not being spoofed and sent on to the SIEM at all.
> > > > > >
> > > > > > I've tried the standard
> > > > > > *.* :omudspoof:
> > > > > >
> > > > > > as well as
> > > > > > $template spooftemplate,"%fromhost-ip% %rawmsg%"
> > > > > > *.*      :omudpspoof:;spooftemplate
> > > > > >
> > > > > > and
> > > > > > $template spooftemplate,"%rawmsg%"
> > > > > > *.*      :omudpspoof:;spooftemplate
> > > > > >
> > > > > > > All with the same effect.   Am I missing something here?  Is
> > > > > > > anyone else doing similar, or seen similar behavior?
> > > > > > >
> > > > > > > For the record, I'm running a patched version of 5.8.11. The
> > > > > > > patch, now that I'm reading it again, was to protect against
> > > > > > > calling more than one instance of libnet code in the omudpspoof
> > > > > > > module.
> > > > > >
> > > > > > the udpspoof module grabs the first field from the template and
> > > > > > uses that as the IP address to spoof from. What is the fromhost-ip
> > > > > > when you get the files from imfile?
> > > >
> > > >
> > > > Ahh, you may be onto something there..    the messages coming into my
> > > > syslog server have just the hostname in it, not FQDN, and not IP
> > > > address.   The few that I see leaving for the SIEM have the IP
> > > > address in that field of the message.   Now to figure out why
> > > > they're different.
> > >
> > > Hrm.   Upon inspection, all logs are coming in with just the hostname,
> > > so that's a dead end.   All normal syslogs (like cron.info,
> > > kernel.notice, daemon.debug, etc.) I can see are being spoofed and sent
> > > on to the SIEM, but the logs generated by imfile (all configured as
> > > news.info) from client machines get logged on the syslog server, but
> > > aren't being spoofed and sent on to the SIEM.
> > >
> > > --
> > > Rick Brown
> > > Office of Information Technology
> > > Georgia Institute of Technology
> > > 258 4th Street N.W.  Atlanta, GA  30332-0715
> > >
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > > POST
> > > if you DON'T LIKE THAT.
> 
> --
> Rick Brown
> Office of Information Technology
> Georgia Institute of Technology
> 258 4th Street N.W.  Atlanta, GA  30332-0715
> email: [email protected]  ph: (404) 894-6175
> Calendar:
> https://mail.gatech.edu/home/[email protected]?fmt=freebusy
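As an added example (not code from the thread or from rsyslog itself), here is a small Python check of the property dump Rainer asks for: it parses records written with the RSYSLOG_DebugFormat template (assumed here to be key: 'value' pairs, one record per blank-line-separated block), reads fromhost-ip and inputname, and reports per input module whether the first field of the spoof template is an IPv4 address that omudpspoof could actually use as the source. The sample records are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a property dump, in the key: 'value' style assumed
# for RSYSLOG_DebugFormat (one record per blank-line-separated block).
SAMPLE_PROPS = """\
FROMHOST: 'web01', fromhost-ip: '10.0.0.5', HOSTNAME: 'web01', PRI: 78,
inputname: imudp rawmsg: '<78>Dec 13 19:06:01 web01 CRON[123]: job done'

FROMHOST: 'web01', fromhost-ip: 'web01', HOSTNAME: 'web01', PRI: 62,
inputname: imfile rawmsg: '<62>Dec 13 19:06:02 web01 apache: GET /'

FROMHOST: 'web02', fromhost-ip: '10.0.0.6', HOSTNAME: 'web02', PRI: 62,
inputname: imfile rawmsg: '<62>Dec 13 19:06:03 web02 tomcat: started'
"""

QUOTED = re.compile(r"([A-Za-z-]+): '([^']*)'")   # key: 'value' pairs
PRI_RE = re.compile(r"\bPRI: (\d+)")               # PRI is unquoted
INPUT_RE = re.compile(r"\binputname: (\S+)")       # so is inputname
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 7: "news", 9: "cron"}

def parse_props(text):
    """Split the dump into records and keep the fields relevant here."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(QUOTED.findall(block))
        if m := PRI_RE.search(block):
            pri = int(m.group(1))
            rec["facility"] = FACILITIES.get(pri // 8, str(pri // 8))
        m = INPUT_RE.search(block)
        rec["inputname"] = m.group(1) if m else "?"
        records.append(rec)
    return records

def spoofable(rec):
    """omudpspoof takes the first template field (%fromhost-ip% in the thread's
    spooftemplate) as the source; a bare hostname or empty value is unusable."""
    try:
        return ipaddress.ip_address(rec.get("fromhost-ip", "")).version == 4
    except ValueError:
        return False

def summarize(records):
    """Per input module, count records with a usable / unusable source."""
    counts = defaultdict(lambda: {"ok": 0, "bad": 0})
    for rec in records:
        counts[rec["inputname"]]["ok" if spoofable(rec) else "bad"] += 1
    return dict(counts)
```

Run it against a real /var/log/rsyslog-props.log from the same run as the debug log; a high "bad" count for imfile records points at the source field rather than at the output module.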
