On Tue, 19 Aug 2014, James Lay wrote:
On 2014-08-19 10:11, Jason Long wrote:
Yes.
I used: netstat -lpn | grep 514
tcp        0      0 0.0.0.0:514    0.0.0.0:*    LISTEN    3808/rsyslogd
tcp        0      0 :::514         :::*         LISTEN    3808/rsyslogd
udp        0      0 0.0.0.0:514    0.0.0.0:*              3808/rsyslogd
udp        0      0 :::514         :::*                   3808/rsyslogd
Excuse me, my Snare agent on Windows is the free version and only supports UDP.
On Tuesday, August 19, 2014 8:31 PM, James Lay
<[email protected]> wrote:
On 2014-08-19 09:39, Jason Long wrote:
I enabled both but it didn't work :(
On Tuesday, August 19, 2014 7:56 PM, James Lay
<[email protected]> wrote:
On 2014-08-19 08:36, Jason Long wrote:
Hello all.
I want to collect Windows logs via Snare and forward them to my Rsyslog Linux server, but I have some problems:
Windows generates logs properly and I tested it via Event Log and Snare.
I installed Snare on Windows and in "Network configuration" I set my Linux syslog server IP and changed the port to 514.
On the Linux box, I turned off the "iptables" service and added the following rules to /etc/sysconfig/iptables:
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
I also added these entries to "rsyslog.conf":
local5.* /var/log/winlog/win.log
SYSLOGD_OPTIONS = "-r -m 0"
$AllowedSender UDP, <my client IP>
Can you tell me what is wrong?
_______________________________________________
You'll need to load the modules in rsyslog.conf:
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
James
On the rsyslog linux box do:
sudo netstat -lpn
Look for 514..see it?
James
Hrmm....next step would be to sniff on the wire:
sudo tcpdump -n -s 0 -i <your_listening_interface> -X udp port 514 and host <your_windows_host_IP>
What do you see?
don't forget iptables -L -n
a lot of systems block port 514 by default
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
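To make the troubleshooting steps above concrete, here is an added example that is not part of the thread and not code from Snare or rsyslog. It plays both sides of the exchange on the loopback interface: a UDP "receiver" standing in for rsyslog's imudp listener (bound to an ephemeral port so it runs without root, unlike 514), a sender that emits an RFC 3164-style datagram carrying a constructed, Snare-shaped tab-delimited event, a sender allow-list that mimics $AllowedSender, and a check of the facility/severity encoded in the <PRI> header, which is the only thing a selector like `local5.*` in the original rsyslog.conf looks at. The facility is set to local5 here purely to match that config; the example makes no claim about what facility the Snare agent sends by default, and the event text and host names are invented.

```python
import re
import socket

# Constructed sample record in the tab-delimited layout the Snare for Windows
# agent uses; the field values are illustrative, not captured from a real host.
SNARE_EVENT = ("MSWinEventLog\t1\tSecurity\t42\tTue Aug 19 10:11:00 2014\t4624\t"
               "Microsoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\t"
               "WIN-CLIENT\tLogon\t\tAn account was successfully logged on.\t42")

FACILITY_LOCAL5 = 21      # local0..local7 are facilities 16..23
SEVERITY_NOTICE = 5       # emerg=0 ... debug=7

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def build_syslog(msg, facility=FACILITY_LOCAL5, severity=SEVERITY_NOTICE,
                 host="WIN-CLIENT", tag="MSWinEventLog"):
    """Build an RFC 3164-style line "<PRI>TIMESTAMP HOST TAG: MSG", PRI = facility*8 + severity."""
    pri = facility * 8 + severity
    return f"<{pri}>Aug 19 10:11:00 {host} {tag}: {msg}"


def parse_pri(line):
    """Split the <PRI> header back into (facility, severity, remainder)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                        # 23*8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8, m.group(2)


def selector_matches(line, facility, min_severity=7):
    """Emulate an rsyslog selector such as local5.*: the facility must match and the
    severity must be at least as urgent as the threshold (7 = debug, i.e. '*')."""
    fac, sev, _ = parse_pri(line)
    return fac == facility and sev <= min_severity


def receive_one(sock, allowed_senders, timeout=2.0):
    """Receive one datagram; drop it when the source IP is not allow-listed,
    which is what $AllowedSender does in rsyslog. Returns None on drop."""
    sock.settimeout(timeout)
    data, (src_ip, _) = sock.recvfrom(65535)
    if src_ip not in allowed_senders:
        return None
    return data.decode("utf-8", errors="replace")


def roundtrip(allowed_senders=("127.0.0.1",)):
    """Bind a UDP receiver on an ephemeral loopback port (no root needed, unlike
    514), send one Snare-style event to it, and return what arrived."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        port = rx.getsockname()[1]
        tx.sendto(build_syslog(SNARE_EVENT).encode(), ("127.0.0.1", port))
        return receive_one(rx, set(allowed_senders))
    finally:
        tx.close()
        rx.close()


if __name__ == "__main__":
    got = roundtrip()
    fac, sev, rest = parse_pri(got)
    print(f"facility={fac} severity={sev} matches local5.*: "
          f"{selector_matches(got, FACILITY_LOCAL5)}")
    print(rest)
```

Two things this makes visible that the thread's netstat and tcpdump checks do not: a datagram from a host outside the $AllowedSender list is silently discarded even though tcpdump shows it arriving, and a datagram whose PRI encodes any facility other than local5 arrives, passes the allow-list, and still never reaches /var/log/winlog/win.log because `local5.*` does not match it. When debugging, temporarily write `*.*` to the file, or look at the PRI value in the tcpdump -X hex dump, before assuming the network path is broken.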