On Fri, 2 Oct 2015, GeertLiesveld wrote:
> We are running a legacy version of rsyslog v4.2.0 on a central Ubuntu server
> that is also used for monitoring purposes. This syslog server is only
> connected to our management LAN. IP range 192.0.2.0/24.
> All machines on this LAN can deliver their syslog messages correctly to this
> server.
>
> We use the option:
> $template DynamicFilename,"/tunix-data/log/%FROMHOST%/messages"
> in an included config file to automatically create separate log files for
> every machine.
>
> We recently added a set of Cisco routers to this network and we want these
> to log their syslog messages to the same server. One router is a central
> router with multiple connections to remote locations. Each location has also
> a Cisco router of which we want its syslog messages collected at the syslog
> server.
>
> The central router has an interface on the management LAN. This one can
> deliver its own syslog messages correctly to the syslog server.
> We configured natting for UDP port 514 so that the messages from the remote
> routers are delivered, using the management LAN, to the central syslog
> server.
>
> We see these messages being delivered to the syslog server, but it seems the
> messages are not being processed.
> We tested the delivery of syslog messages and found that when the source IP
> in the message is not on our management LAN, the message is discarded.
>
> We tried to find documentation how to configure rsyslog on the syslog server
> to also accept messages from the remote Cisco routers, but so far this was
> unsuccessful.
>
> Can anyone help us with this?

First thing, did you check iptables rules on the logging server to make sure
that it allows traffic in on that port?

Second question, is there a route on the logging server to the network that the
packet is being sourced from?

Both of these things can cause the situation where you see the packet with
tcpdump, but the OS never passes it to an application.

There are a number of things that could be wrong in your configuration (you
don't accept messages via UDP, you limit the IP addresses that you accept
messages from, as two examples).

Can you post your full config? (And check the first two items I listed above.)

David Lang
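
The two configuration-side causes named in the reply (no UDP input, or a restricted sender list) can be checked offline against a config file. This is an added example, not part of the original message: it assumes the rsyslog legacy directives `$UDPServerRun` and `$AllowedSender` are what the config uses, and the sample config and source addresses are constructed.

```python
import ipaddress

# Constructed sample in rsyslog legacy directive syntax; not the poster's config.
SAMPLE_CONF = """\
$ModLoad imudp
$UDPServerRun 514
$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24
$template DynamicFilename,"/tunix-data/log/%FROMHOST%/messages"
"""

def parse(conf):
    """Return (UDP listener ports, $AllowedSender UDP entries)."""
    ports, allowed = [], []
    for raw in conf.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or not parts[0].startswith("$"):
            continue  # comments, rules, blank lines
        name, rest = parts[0].lower(), parts[1]
        if name == "$udpserverrun":
            ports.append(int(rest.strip()))
        elif name == "$allowedsender":
            proto, *entries = [p.strip() for p in rest.split(",")]
            if proto.upper() == "UDP":
                allowed.extend(e for e in entries if e)
    return ports, allowed

def udp_verdict(conf, src):
    """Say whether a UDP message from src would pass the config-level checks."""
    ports, allowed = parse(conf)
    if not ports:
        return "no UDP listener configured"
    if not allowed:
        return "accepted: no $AllowedSender UDP restriction"
    addr, names = ipaddress.ip_address(src), []
    for entry in allowed:
        try:
            net = ipaddress.ip_network(entry, strict=False)  # bare IP means one host
        except ValueError:
            names.append(entry)  # hostname or wildcard entry; needs DNS to evaluate
            continue
        if addr in net:
            return f"accepted: matches {entry}"
    if names:
        return "unknown: check hostname entries " + ", ".join(names)
    return "discarded: not in $AllowedSender UDP list"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):  # constructed addresses
        print(ip, "->", udp_verdict(SAMPLE_CONF, ip))
```

A "discarded" verdict here only covers the rsyslog configuration; the iptables and routing checks from the reply still have to be done on the host itself.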