Thanks David for the quick response.

1) Yes, the server accepts traffic to that port. There is no firewall product installed. We used netcat on a machine attached to the management LAN to send messages to the syslog server on port UDP 514. With netcat on that machine, we can pretend the message comes from another IP. We get new message logs created as long as the source IP is in the management LAN range. If the source IP is not in this range, the message is discarded by rsyslog.
2) There is no route back. Is this needed? There is not a session if you use UDP packets.

The full config is as follows:

# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf

#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad immark # provides --MARK-- message capability
$KLogPath /proc/kmsg

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

###########################
#### GLOBAL DIRECTIVES ####
###########################

# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Filter duplicated messages OFF
#
#$RepeatedMsgReduction off
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0644
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup adm
#
# Include all config files in /tunix/rsyslog/etc and /klant/rsyslog/etc
#
$includeConfig /klant/rsyslog/etc/*.conf
$IncludeConfig /tunix/rsyslog/etc/*.conf
#
# Filter duplicated messages
# Moved to last position in this file (after the tunix.conf), because
# otherwise it would create a "last.log" file in the remote directory
#
$RepeatedMsgReduction off

In /tunix/rsyslog/etc/remote_servers.conf:

#
# template that segregates the all logs into
# one directory for each individual source
#
$template DynamicFilename,"/tunix-data/log/%FROMHOST%/messages"
#
# Write all local syslog messages to the /var/log/messages file.
# The "& ~" means: discard all the messages that the previous filter found.
#
:source , isequal , "localhost" /var/log/messages
& ~
#
# The isequal localhost is known to filter a lot, but not all
# locally generated syslog messages.
# A second filter is made here to be sure.
# Again, the "& ~" means: discard all the messages that this filter finds.
#
:fromhost-ip , isequal , "127.0.0.1" /var/log/messages
& ~
#
# What is not filtered yet must be the syslog messages from remote
# equipment, these are segregated here: the syslog of each host
# ends up in separate files.
#
*.* ?DynamicFilename

There are no other configurations.

Geert Liesveld

