> what version of rsyslog are you running?

On "rsyslog client 172.20.54.211 the snort machine", version is 5.8.10 and
on "rSyslog server 172.20.54.213" it is 7.2.6.

> Is there anything in /etc/rsyslog.d/*.conf?

Yes. There is a file related to snort, snort.conf, having the content:

    auth.alert @172.20.54.213

> are these log losses common, very rare?
>
> I'm not seeing anything obvious here, but one thing that could be the case
> if you are running an older version is that when you restart rsyslog to
> rotate a file (send it a HUP), older versions did a full stop and start,
> which would lose logs. Newer versions just close and reopen the output
> files. For a while there was a HUPisRestart parameter to control this until
> the default was changed.

There are two types of logs for snort:

1. Daemon process info (when snort restarts)
2. Snort alerts

I am able to get the daemon process information but not the snort alerts;
that is the problem. So what should be the next troubleshooting step?
Seeking guidance, thanks!

--
Cheers,
Mayur.

On Wed, Oct 9, 2013 at 11:26 AM, David Lang <[email protected]> wrote:

> what version of rsyslog are you running? Is there anything in
> /etc/rsyslog.d/*.conf?
>
> are these log losses common, very rare?
>
> I'm not seeing anything obvious here, but one thing that could be the case
> if you are running an older version is that when you restart rsyslog to
> rotate a file (send it a HUP), older versions did a full stop and start,
> which would lose logs. Newer versions just close and reopen the output
> files. For a while there was a HUPisRestart parameter to control this until
> the default was changed.
>
> David Lang
>
> On Wed, 9 Oct 2013, Mayur Patil wrote:
>
>> Date: Wed, 9 Oct 2013 11:05:57 +0530
>> From: Mayur Patil <[email protected]>
>> To: David Lang <[email protected]>, rsyslog-users <[email protected]>,
>>     Mahesh V <maheshvenkateshwaran@gmail.com>
>> Subject: Re: [rsyslog-users] Wireshark is capturing but rSyslog not logging
>>
>> Thanks David sir for the quick help and sorry for the late reply because my
>> setup is in college :)
>>
>>> what does a log message that is lost (i.e. something that wireshark sees
>>> but doesn't get written to the logs) look like?
>>
>> In wireshark it appears as http://fpaste.org/45338/
>>
>>> how's it formatted,
>>
>> The export format set up by the snort application is LOG_AUTH LOG_ALERT
>>
>>> what IP is it from, etc?
>>
>> It is from the rsyslog client machine [on which snort is installed], i.e.
>> 172.20.54.211

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
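Added example, not from this thread or the rsyslog project: a small Python script that decodes the leading <PRI> of a raw syslog datagram (the value Wireshark shows on a forwarded message) into facility and severity, and evaluates it against a classic rsyslog selector such as the client's auth.alert rule, so one can confirm which rule on the client and on the server would pick up a given captured message. The two sample datagrams are constructed to match the two message kinds in the thread (a snort alert sent as LOG_AUTH/LOG_ALERT and a daemon notice); the hostname, PID and message texts are assumptions.

```python
import re

# Syslog facility and severity numbering (BSD syslog / RFC 5424); rsyslog uses these names.
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
            6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
            12: "ntp", 13: "logaudit", 14: "logalert", 15: "clock"}
FACILITY.update({16 + n: "local%d" % n for n in range(8)})
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample datagrams shaped like the two snort message kinds in the thread:
# <33> = auth(4)*8 + alert(1), i.e. LOG_AUTH|LOG_ALERT; <30> = daemon(3)*8 + info(6).
SNORT_ALERT = ("<33>Oct  9 11:05:57 snortbox snort[2211]: [1:100:1] constructed test "
               "alert {ICMP} 172.20.54.211 -> 172.20.54.213")
SNORT_DAEMON = "<30>Oct  9 11:05:00 snortbox snort[2211]: constructed daemon startup notice"

def parse_pri(line):
    """Decode the leading <PRI> of a raw syslog line into (facility, severity) names."""
    m = re.match(r"^<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid <PRI> prefix in: %r" % line[:24])
    pri = int(m.group(1))
    return FACILITY[pri // 8], SEVERITY[pri % 8]

def selector_matches(selector, facility, severity):
    """Evaluate a classic selector ('auth.alert', 'auth,authpriv.*;*.=info', ...).
    'fac.prio' matches that priority and anything more urgent, '=prio' exactly one
    priority, 'none' clears the facility, '*' is a wildcard; as in sysklogd/rsyslog,
    the last selector naming a facility decides for it."""
    sev_no = SEVERITY.index(severity)
    matched = False
    for part in selector.split(";"):
        facs, prio = part.strip().rsplit(".", 1)
        if facs != "*" and facility not in [f.strip() for f in facs.split(",")]:
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        elif prio.startswith("="):
            matched = sev_no == SEVERITY.index(prio[1:])
        else:
            matched = sev_no <= SEVERITY.index(prio)
    return matched

def check(line, selector):
    """Return (facility, severity, would_match) for one captured line and one selector."""
    fac, sev = parse_pri(line)
    return fac, sev, selector_matches(selector, fac, sev)
```

check(SNORT_ALERT, "auth.alert") returns ('auth', 'alert', True) while check(SNORT_DAEMON, "auth.alert") returns ('daemon', 'info', False), so the client's forwarding rule does cover the alert; the same call with the server's own selector for the auth facility shows whether the receiving side writes it anywhere.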

