Ok, going back and looking at the client, I see some very strange things.
You are sending every log to the server 5 times.
Lines 18 and 19 send it twice using UDP, once on port 514 and a second time on
port 10514:
*.* @172.20.54.213:514
*.* @172.20.54.213:10514
Lines 24 and 25 then send it twice more using TCP, once on port 514 and a second
time on port 10514:
*.* @@172.20.54.213:514
*.* @@172.20.54.213:10514
And then on line 86 you send it a fifth time, using UDP on port 514:
*.* @172.20.54.213:514
Now, your server is only listening on UDP 514 and TCP 514, so you should be
receiving three copies of each log message on the server to start with.
But since nothing is listening on port 10514, the client will end up failing to
deliver the message via TCP, and the client queue will fill up.
Since it can't successfully deliver any message completely, it will keep trying
to re-send the same message until it gives up.
David Lang
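An added example, not part of the thread: a small checker that parses legacy rsyslog forwarding actions (`@` is UDP, `@@` is TCP, a missing port means 514), counts how many copies of a `*.*` message each destination host receives, and flags forwarders whose destination has no listener. The client config and the server listener set are constructed from the values quoted above.

```python
import re
from collections import Counter

# Constructed sample client config: the forwarding lines quoted in the thread,
# plus the snort.conf rule and one non-forwarding rule for contrast.
CLIENT_CONF = """\
*.* @172.20.54.213:514
*.* @172.20.54.213:10514
auth.alert @172.20.54.213
*.* @@172.20.54.213:514
*.* @@172.20.54.213:10514
*.info /var/log/messages
*.* @172.20.54.213:514
"""

# Server listeners as described in the thread: UDP 514 and TCP 514 only.
SERVER_LISTENERS = {("udp", 514), ("tcp", 514)}

# selector, then '@' (UDP) or '@@' (TCP), host, optional ':port'
FWD_RE = re.compile(r'^(?P<sel>\S+)\s+(?P<proto>@@?)(?P<host>[^:\s]+)(?::(?P<port>\d+))?\s*$')


def parse_forwarders(conf):
    """Return (selector, proto, host, port) for each legacy forwarding action."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = FWD_RE.match(line)
        if not m:
            continue  # file outputs, templates etc. are not forwarders
        proto = 'tcp' if m.group('proto') == '@@' else 'udp'
        port = int(m.group('port') or 514)  # syslog default port
        rules.append((m.group('sel'), proto, m.group('host'), port))
    return rules


def audit(conf, listeners):
    """Copies of a catch-all ('*.*') message per host, and forwarders whose
    (proto, port) has no matching server listener (these will back up queues)."""
    rules = parse_forwarders(conf)
    copies = Counter(host for sel, _, host, _ in rules if sel == '*.*')
    dead = sorted({(p, h, port) for _, p, h, port in rules
                   if (p, port) not in listeners})
    return dict(copies), dead


if __name__ == '__main__':
    print(audit(CLIENT_CONF, SERVER_LISTENERS))
```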
On Wed, 9 Oct 2013, Mayur Patil wrote:
Date: Wed, 9 Oct 2013 12:22:01 +0530
From: Mayur Patil <[email protected]>
To: David Lang <[email protected]>, Mahesh V <[email protected]>,
rsyslog-users <[email protected]>
Subject: Re: [rsyslog-users] Wireshark is capturing but rSyslog not logging
What version of rsyslog are you running?
On "rsyslog client 172.20.54.211 the snort machine", version is 5.8.10
and
On "rSyslog server 172.20.54.213" it is 7.2.6
Is there anything in /etc/rsyslog.d/*.conf?
Yes, there is a file related to snort, snort.conf, with the content
auth.alert @172.20.54.213
Are these log losses common, very rare?
I'm not seeing anything obvious here, but one thing that could be the case
if you are running an older version is that when you restart rsyslog to
rotate a file (send it a HUP), older versions did a full stop and start,
which would lose logs. Newer versions just close and reopen the output
files. For a while there was a HUPisRestart parameter to control this until
the default was changed.
There are two types of logs for snort:
1. Daemon process info (when snort restarts)
2. Snort Alerts
I am able to get daemon process information but not snort alert that is
the problem.
So what should be the next troubleshooting step?
Seeking for guidance,
Thanks !
--
Cheers,
Mayur.
On Wed, Oct 9, 2013 at 11:26 AM, David Lang <[email protected]> wrote:
What version of rsyslog are you running? Is there anything in
/etc/rsyslog.d/*.conf?
Are these log losses common, very rare?
I'm not seeing anything obvious here, but one thing that could be the case
if you are running an older version is that when you restart rsyslog to
rotate a file (send it a HUP), older versions did a full stop and start,
which would lose logs. Newer versions just close and reopen the output
files. For a while there was a HUPisRestart parameter to control this until
the default was changed.
David Lang
On Wed, 9 Oct 2013, Mayur Patil wrote:
Date: Wed, 9 Oct 2013 11:05:57 +0530
From: Mayur Patil <[email protected]>
To: David Lang <[email protected]>, rsyslog-users <[email protected]>,
Mahesh V <[email protected]>
Subject: Re: [rsyslog-users] Wireshark is capturing but rSyslog not logging
Thanks David sir for quick help and sorry for late reply because my setup
is in college :)
What does a log message that is lost (i.e. something that wireshark sees
but doesn't get written to the logs) look like?
In wireshark it appears as http://fpaste.org/45338/
How's it formatted?
The export format set up by the snort application is LOG_AUTH LOG_ALERT
What IP is it from, etc.?
It is from the rsyslog client machine [on which snort is installed], i.e.
172.20.54.211
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog