I suspect that you need to define a working directory, but the best thing to do
is to start rsyslog manually with the -dn flags to see if there are any errors
reported (there will be a lot of output, but if you search for bro_conn you
should find things).
David Lang
On Wed, 3 Sep 2014, James Lay wrote:
So...I'm kind of at my wits' end here. All I'm trying to do is get rsyslog to
read an additional file and it is just not working. I've upgraded from 5 to
8 in the hopes that the version was too old, but it's still not working. Current
version:
rsyslogd 8.4.0, compiled with:
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: No
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 32 (due to too-old json-c lib)
/etc/rsyslog.conf:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
/etc/rsyslog.d/50-default.conf:
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
kern.* -/var/log/kern.log
mail.* -/var/log/mail.log
*.*;local7.none @10.x.x.y
mail.err /var/log/mail.err
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
*.emerg :omusrmsg:*
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
/etc/rsyslog.d/10-bro.conf:
module(load="imfile" PollingInterval="1")
input(type="imfile"
File="/media/backup/bro/current/conn.log"
Tag="bro_conn"
StateFile="stat-bro_conn"
Severity="info"
Facility="local7")
local7.* @10.x.x.x:6514
The format of the above file is:
1409764958.802124 CI0hHTD52XaYNxUd8 fe80::792c:71a0:7d6a:a4d9
546 ff02::1:2 547 udp - 59.997854 515 0
S0 F 0 D 5 755 0 0 (empty)
I see the below in packet capturing when I restart rsyslog:
.<190>Sep 3 17:23:57 goidsdev bro_conn bawer 11:27:31.603706 IP
10.x.x.x.38320 > 10.x.x.x.6514: UDP, length 49
But that's it...I don't see anything like the file format above. My last
hope is that rsyslog.conf needs updating, but I'm not sure what exactly to
update. Please help...thanks.
James
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
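The capture above shows rsyslog emitting PRI 190 (local7.info, exactly what the imfile input's Facility/Severity settings should produce) with tag bro_conn. Below is an added example, not code from the thread or from rsyslog, that a receiver on the 10.x.x.x side could use to check what actually arrives: it decodes the syslog header and splits the message into conn.log columns. The column names are assumed from the Bro 2.x conn.log layout (the thread shows only the values), and the sample line is constructed from the capture and the conn.log line in the thread.

```python
import re

# Syslog facility/severity codes (RFC 3164), indexed by their numeric value.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Column order of a Bro 2.x conn.log (assumed; the thread shows only the values).
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
               "proto", "service", "duration", "orig_bytes", "resp_bytes",
               "conn_state", "local_orig", "missed_bytes", "history",
               "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
               "tunnel_parents"]

# <PRI>TIMESTAMP HOST TAG MSG, the traditional (RFC 3164 style) forwarding format.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:]+):? ?(?P<msg>.*)$", re.S)

def expected_pri(facility, severity):
    """PRI an imfile input with these Facility/Severity settings should emit."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def parse_syslog(line):
    """Decode PRI, host and tag from one forwarded line; None if malformed."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m or int(m.group("pri")) > 191:
        return None
    pri = int(m.group("pri"))
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "host": m.group("host"), "tag": m.group("tag"), "msg": m.group("msg")}

def parse_conn_msg(msg):
    """Split the message body into named conn.log columns; None on a field-count mismatch."""
    fields = msg.split()
    if len(fields) != len(CONN_FIELDS):
        return None
    return dict(zip(CONN_FIELDS, fields))

# Constructed sample: PRI/host/tag from the capture in the thread, message body
# built from the conn.log line in the thread with tab separators as in the file.
SAMPLE = ("<190>Sep  3 17:23:57 goidsdev bro_conn 1409764958.802124\tCI0hHTD52XaYNxUd8\t"
          "fe80::792c:71a0:7d6a:a4d9\t546\tff02::1:2\t547\tudp\t-\t59.997854\t515\t0\t"
          "S0\tF\t0\tD\t5\t755\t0\t0\t(empty)")

if __name__ == "__main__":
    hdr = parse_syslog(SAMPLE)
    print(hdr["facility"], hdr["severity"], hdr["host"], hdr["tag"])
    print(parse_conn_msg(hdr["msg"]))
```

If parse_syslog returns the right facility/severity/tag but parse_conn_msg returns None, the forwarding path works and the problem is on the imfile side (the message body is empty or truncated), which is what the 49-byte datagram in the capture suggests.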