Ok, as I see it, any log message that comes from an allowed source is written unconditionally to your two output files.

what does a log message that is lost (i.e. something that wireshark sees but doesn't get written to the logs) look like?

how's it formatted, what IP is it from, etc?

David Lang
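An added helper, not from anyone on this thread, that answers the questions above for a datagram pulled out of a capture: it splits a raw syslog payload into the source IP, the `<PRI>` facility and severity, and the BSD header fields (timestamp, host, tag, pid) that a rsyslog rule can select on, and flags payloads that carry no `<PRI>` at all. The two sample datagrams and the `10.0.0.x` addresses are constructed for illustration, not the poster's real traffic.

```python
import re

# Facility and severity names per RFC 3164 / RFC 5424, indexed by numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Classic BSD header: "Mmm dd hh:mm:ss HOST TAG[pid]: message"
RFC3164_RE = re.compile(
    r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?:? ?(.*)$",
    re.DOTALL)


def decode(datagram: bytes, src_ip: str) -> dict:
    """Break one raw syslog datagram into the fields a receiver filters on."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    out = {"src_ip": src_ip, "raw": text, "has_pri": False, "bsd_header": False}
    m = PRI_RE.match(text)
    if m is None or int(m.group(1)) > 191:
        return out  # no usable <PRI>: the receiver has to assume a facility/severity
    facility, severity = divmod(int(m.group(1)), 8)
    out.update(has_pri=True, facility=FACILITIES[facility], severity=SEVERITIES[severity])
    h = RFC3164_RE.match(m.group(2))
    if h is None:
        out["msg"] = m.group(2)  # PRI present but no parsable BSD header
        return out
    out.update(bsd_header=True, timestamp=h.group(1), host=h.group(2), tag=h.group(3),
               pid=int(h.group(4)) if h.group(4) else None, msg=h.group(5))
    return out


# Constructed sample datagrams (not real captures): a well-formed alert-style line
# and a payload that carries no <PRI> header at all.
SAMPLES = [
    (b"<33>Oct  8 14:57:05 clc snort[2143]: [1:1000001:1] constructed test alert "
     b"[Priority: 3] {TCP} 10.0.0.5:40000 -> 10.0.0.10:80", "10.0.0.5"),
    (b"Oct  8 14:57:06 clc snort: constructed line without a priority header", "10.0.0.5"),
]

if __name__ == "__main__":
    for payload, ip in SAMPLES:
        fields = decode(payload, ip)
        print({k: v for k, v in fields.items() if k != "raw"})
```

Run it against the bytes of a message Wireshark shows but the log file lacks, and compare the facility, severity, host and tag it reports with the selectors and any sender restrictions in the receiving rsyslog.conf.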

On Tue, 8 Oct 2013, Mayur Patil wrote:

Date: Tue, 8 Oct 2013 16:21:51 +0530
From: Mayur Patil <[email protected]>
To: David Lang <[email protected]>
Cc: rsyslog-users <[email protected]>, [email protected]
Subject: Re: [rsyslog-users] Wireshark is capturing but rSyslog not logging

Hi,

  Thanks for the reply David sir.

  My rSyslog server is running ....

  I am attaching your said configurations

  rSyslog client:   http://fpaste.org/45036/

  rSyslog server:  http://fpaste.org/45039/

  Seeking guidance,

   Thank you !

--
Cheers,
Mayur


On Tue, Oct 8, 2013 at 3:33 PM, David Lang <[email protected]> wrote:

what is your rsyslog configuration? there are lots of ways that the
messages could be getting into rsyslog, but not written out anywhere. you
have to have configurations saying to output the logs.

your netstat shows that something is listening on 514 tcp and udp, it's a
reasonable assumption that this is rsyslog. If you can establish a tcp
connection, that shows that routing and firewalling allow tcp.

but without seeing your config, we can't say what's wrong.

David Lang

 On Tue, 8 Oct 2013, Mayur Patil wrote:

 Date: Tue, 8 Oct 2013 14:57:05 +0530
From: Mayur Patil <[email protected]>
To: rsyslog-users <[email protected]>, David Lang <[email protected]>
Subject: [rsyslog-users] Wireshark is capturing but rSyslog not logging


Hi,

I am in a strange problem.

I am able to send the logs of an application named *"snort"* to the rSyslog server.


In this case, I am getting error that

*wireshark is perfectly catching the logs of snort but rSyslog is not
logging the same.*


Here is the output of my commands; please have a look.

I am using *CentOS for snort machine* and *Ubuntu for rsyslog server.*

[1] For nc and telnet,

This is the successful output of telnet and nc: http://fpaste.org/45010/
The resulting messages are appearing in the syslog of the log server.

[2] For netstat command,

These are the results of netstat, particularly on port 514:
http://fpaste.org/45016/

where  *[root@clc]* is *snort machine* and *[root@logserver]* is the *log
server machine*.

I have also disabled firewalls on both machines; so *port blocking* is also not possible.

I am unable to figure out where the actual problem is.

Seeking guidance,

Thanks !



_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
