I'm not seeing anything obviously wrong, but you left out part of the config (the module loading if nothing else).

Do
rsyslogd -N2
to have rsyslog do a syntax check of the config and see if it's happy.

David Lang

On Fri, 2 Oct 2015, Randy Baca wrote:

Date: Fri, 2 Oct 2015 00:26:11 +0000
From: Randy Baca <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Complex forwarding and spoofing question

This is what I am using but nothing in a tcpdump going to local on port 515 or 
remote on port 514.

# In: 514/TCP (uses the same queue as UDP)
input(type="imtcp"
   address="10.1.2.3"
   port="514"
   ruleset="ruleset_eth0_514")

# In: 514/UDP (uses the same queue as TCP)
input(type="imudp"
   address="10.1.2.3"
   port="514"
   ruleset="ruleset_eth0_514")

# Queue: UDP-spoof to the local and also forward to remote rsyslog
ruleset(name="ruleset_eth0_514"
   queue.highwatermark 50000
   queue.fulldelaymark 20000
   queue.lowwatermark 2000
   queue.type="LinkedList") {
       call action.local.udp515
       call action.fwd.remotebox
       stop
   }

# Fwd to localhost:udp/515
ruleset(name="action.local.udp515") {
   action(type="omudpspoof"
       name="omudpspoof.local515"
       target="127.0.0.1"
       port="515")
   }

# Fwd to remotebox w/ compression and local disk queueing
ruleset(name="action.fwd.remotebox") {
   action(type="omfwd"
       name="omfwd.remotebox"
       queue.type="LinkedList"
       queue.filename="omfwd_remotebox"
       queue.size="10000"
       queue.maxdiskspace="2G"
       queue.saveonshutdown="on"
       action.resumeretrycount="-1"
       target="172.22.22.22"
       port="514"
       protocol="tcp"
       compression.mode="stream:always")
   }




________________________________________
From: [email protected] [[email protected]] on 
behalf of Dave Caplinger [[email protected]]
Sent: Thursday, October 01, 2015 2:09 PM
To: rsyslog-users
Subject: Re: [rsyslog] Complex forwarding and spoofing question

Looks like it's "queue.fulldelaymark" (and I presume "queue.lightdelaymark" may 
be related, but there's no description at 
http://www.rsyslog.com/doc/master/rainerscript/queue_parameters.html so I'm not sure yet what it 
does...)

Thanks!

--
Dave Caplinger, Director, Technical Product Management | 402.361.3063 | 
Solutionary — An NTT Group Security Company

On Oct 1, 2015, at 4:03 PM, David Lang <[email protected]> wrote:

There is a queue parameter that tells rsyslog that if the queue is larger than 
X, stop accepting inputs that can be delayed (like TCP) so that there is space 
left for a burst of traffic from inputs that can't be delayed (like UDP)
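
Added example, not written by anyone in this thread: the configuration posted above, with the module loading that the reply says was left out and with every ruleset queue parameter written in the name="value" form that RainerScript object parameters take. Addresses, ports, names and values are copied from the posted config; the order (each ruleset defined before the line that refers to it) is a choice made for this example.

```conf
# Added example. Check it with: rsyslogd -N2 -f /path/to/this/file
# (the path is a placeholder).

# Modules used below. omfwd is built in and needs no load line.
module(load="imtcp")
module(load="imudp")
module(load="omudpspoof")

# Fwd to localhost:udp/515
ruleset(name="action.local.udp515") {
    action(type="omudpspoof"
           name="omudpspoof.local515"
           target="127.0.0.1"
           port="515")
}

# Fwd to remotebox w/ compression and local disk queueing
ruleset(name="action.fwd.remotebox") {
    action(type="omfwd"
           name="omfwd.remotebox"
           queue.type="LinkedList"
           queue.filename="omfwd_remotebox"
           queue.size="10000"
           queue.maxdiskspace="2G"
           queue.saveonshutdown="on"
           action.resumeretrycount="-1"
           target="172.22.22.22"
           port="514"
           protocol="tcp"
           compression.mode="stream:always")
}

# Shared queue for both inputs. Every parameter is name="value".
# queue.fulldelaymark is the parameter named in this thread: above it,
# inputs that can be delayed (TCP) are held back so that space is left
# for inputs that cannot be delayed (UDP).
ruleset(name="ruleset_eth0_514"
        queue.type="LinkedList"
        queue.highwatermark="50000"
        queue.fulldelaymark="20000"
        queue.lowwatermark="2000") {
    call action.local.udp515
    call action.fwd.remotebox
    stop
}

# In: 514/TCP and 514/UDP, both bound to the same ruleset queue
input(type="imtcp" address="10.1.2.3" port="514" ruleset="ruleset_eth0_514")
input(type="imudp" address="10.1.2.3" port="514" ruleset="ruleset_eth0_514")
```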


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.