On 2014-09-03 12:51, David Lang wrote:
I suspect that you need to define a working directory, but the best
thing to do is to start rsyslog manually with the -dn flags to see if
there are any errors reported (there will be a lot of output, but if
you search for bro_conn you should find things)
David Lang
On Wed, 3 Sep 2014, James Lay wrote:
So...I'm kind of at my wits' end here. All I'm trying to do is get
rsyslog to read an additional file and it is just not working. I've
upgraded from 5 to 8 in the hopes that the version was too old, but
still not working. Current version:
rsyslogd 8.4.0, compiled with:
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: No
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
Number of Bits in RainerScript integers: 32 (due to too-old json-c lib)
/etc/rsyslog.conf:
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
/etc/rsyslog.d/50-default.conf:
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
kern.* -/var/log/kern.log
mail.* -/var/log/mail.log
*.*;local7.none @10.x.x.y
mail.err /var/log/mail.err
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
*.emerg :omusrmsg:*
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
/etc/rsyslog.d/10-bro.conf:
module(load="imfile" PollingInterval="1")
input(type="imfile"
File="/media/backup/bro/current/conn.log"
Tag="bro_conn"
StateFile="stat-bro_conn"
Severity="info"
Facility="local7")
local7.* @10.x.x.x:6514
The format of the above file is:
1409764958.802124 CI0hHTD52XaYNxUd8 fe80::792c:71a0:7d6a:a4d9 546 ff02::1:2 547 udp - 59.997854 515 0 S0 F 0 D 5 755 0 0 (empty)
I see the below in packet capturing when I restart rsyslog:
.<190>Sep 3 17:23:57 goidsdev bro_conn bawer 11:27:31.603706 IP 10.x.x.x.38320 > 10.x.x.x.6514: UDP, length 49
But that's it...I don't see anything like the file format above. My
last hope is that rsyslog.conf needs updating, but I'm not sure what
exactly to update. Please help...thanks.
James
Thanks for looking at this David. Did do the run with -dn...and this
was weird:
2775.846093282:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 40, strt data Sep 3 19:32:55 idsdev bro_conn bawer
2775.846108479:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 45, strt data Sep 3 19:32:55 idsdev bro_conn bawsdfsder
2775.846123676:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 45, strt data Sep 3 19:32:55 idsdev bro_conn bawsdfsder
2775.846138861:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 45, strt data Sep 3 19:32:55 idsdev bro_conn bawsdfsder
2775.846153625:main Q:Reg/w0 : omfile: write to stream, pData->pStrm 0x7fb2f0006a70, lenBuf 49, strt data Sep 3 19:32:55 idsdev bro_conn bawsdfdsdfsder
Looks like the old state file was still there:
2803.048667081:main thread : statefile: 'stat-bro_conn'
sudo cat stat-bro_conn
<Obj:1:strm:1:
+iCurrFNum:2:1:1:
+pszFName:1:15:/home/me/list:
+iMaxFiles:2:1:0:
+bDeleteOnClose:2:1:0:
+sType:2:1:2:
+tOperationsMode:2:1:1:
+tOpenMode:2:3:384:
+iCurrOffs:2:3:532:
+inode:2:7:3366928:
End
cat /home/me/list
ick
bawer
bawsdfsder
bawsdfsder
bawsdfsder
bawsdfdsdfsder
Thanks for the quick fix...live and learn I guess :) That being said,
is there anything else I should do to move to the version 8
rsyslog.conf? Wish there was a converter online.
James
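Added example, not part of this thread and not code from the rsyslog project: a small Python checker that parses an imfile state file in the `+name:type:len:value:` layout shown above and flags the situation James ran into, where the state file left in the work directory still names a different file (pszFName, inode, offset) than the one configured in 10-bro.conf. SAMPLE_STATE is the state file from the thread, copied in as constructed input; the optional `actual_inode` / `actual_size` parameters and the reading of type code 1 as "string, everything else numeric" are assumptions based only on this sample.

```python
"""Parse an rsyslog v8 imfile state file and flag signs that it belongs to a
different file than the one currently configured (constructed example)."""
import re
from typing import Dict, List, Optional, Union

# State file from the thread (constructed sample input): a header line,
# one "+name:type:len:value:" line per property, and a trailing "End".
SAMPLE_STATE = """<Obj:1:strm:1:
+iCurrFNum:2:1:1:
+pszFName:1:15:/home/me/list:
+iMaxFiles:2:1:0:
+bDeleteOnClose:2:1:0:
+sType:2:1:2:
+tOperationsMode:2:1:1:
+tOpenMode:2:3:384:
+iCurrOffs:2:3:532:
+inode:2:7:3366928:
End
"""

# name : type : declared length : value : (value may itself contain colons)
PROP_RE = re.compile(r"^\+(\w+):(\d+):(\d+):(.*):$")


def parse_state_file(text: str) -> Dict[str, Union[str, int]]:
    """Return the properties of a state file as a dict.

    Assumption (from the sample only): type 1 is a string property
    (pszFName); every other type seen here carries an integer.
    The declared length is ignored, since a mail-wrapped copy may not match it.
    """
    props: Dict[str, Union[str, int]] = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if not m:
            continue  # "<Obj:...>" header and "End" trailer
        name, ptype, _declared_len, value = m.groups()
        props[name] = value if ptype == "1" else int(value)
    return props


def check_state(text: str, configured_file: str,
                actual_inode: Optional[int] = None,
                actual_size: Optional[int] = None) -> List[str]:
    """Compare a state file against the configured input and return findings.

    actual_inode / actual_size are what os.stat() reports for configured_file
    on the live host; they are passed in so the check runs offline here.
    """
    props = parse_state_file(text)
    findings: List[str] = []
    recorded = props.get("pszFName")
    if recorded != configured_file:
        findings.append(f"state file was written for {recorded!r}, "
                        f"but the input is configured for {configured_file!r}")
    if actual_inode is not None and props.get("inode") != actual_inode:
        findings.append(f"recorded inode {props.get('inode')} differs from "
                        f"current inode {actual_inode} (file replaced or different file)")
    if actual_size is not None and int(props.get("iCurrOffs", 0)) > actual_size:
        findings.append(f"recorded offset {props.get('iCurrOffs')} is past the "
                        f"current file size {actual_size} (truncated or different file)")
    return findings


if __name__ == "__main__":
    # The thread's case: state file still points at /home/me/list while the
    # input is configured for the Bro conn.log.
    for finding in check_state(SAMPLE_STATE, "/media/backup/bro/current/conn.log"):
        print("stale state:", finding)
```

Running the module against the thread's state file and the File= value from 10-bro.conf reports the filename mismatch, which is exactly the clue that the old `stat-bro_conn` in the work directory was being reused; on a live host you would pass `os.stat(path).st_ino` and `st_size` for the inode and size checks.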
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.