On Fri, 2 Oct 2015, GeertLiesveld wrote:
Thanks David for the quick response. 1) Yes, the server accepts traffic to that port. There is no firewall product installed. We used netcat on a machine attached to the management LAN to send messages to the syslog server on port UDP 514. With netcat on that machine, we can make the message appear to come from another IP. We get new message logs created as long as the source IP is in the management LAN range. If the source IP is not in this range, the message is discarded by rsyslog.
iptables is built in to the kernel, no product install needed. Do iptables -L -n to get the list of rules.
2) There is no route back. Is this needed? There is not a session if you use UDP packets.
It's a feature of the IP stack on Linux that if you don't have a route back, the stack doesn't pass the packet on to userspace. There is a /proc/sys/net flag somewhere that lets you disable this feature (I dug it up years and a couple of jobs ago when I tripped over this 'feature'). The route doesn't have to actually _work_, you just have to have a route to that source. A default route with a gateway that doesn't exist (even on a localhost IP) is enough.
The full config is as follows:

# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf

#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ModLoad immark   # provides --MARK-- message capability
$KLogPath /proc/kmsg

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Filter duplicated messages OFF
#
#$RepeatedMsgReduction off

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0644
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup adm

#
# Include all config files in /tunix/rsyslog/etc and /klant/rsyslog/etc
#
$includeConfig /klant/rsyslog/etc/*.conf
$IncludeConfig /tunix/rsyslog/etc/*.conf
Nothing in these include directories?

David Lang
#
# Filter duplicated messages
# Moved to last position in this file (after the tunix.conf) because
# otherwise it would create a "last.log" file in the remote directory
#
$RepeatedMsgReduction off

In /tunix/rsyslog/etc/remote_servers.conf :

#
# template that segregates all the logs into
# one directory for each individual source
#
$template DynamicFilename,"/tunix-data/log/%FROMHOST%/messages"

#
# Write all local syslog messages to the /var/log/messages file.
# The "& ~" means: discard all the messages that the previous filter found.
#
:source , isequal , "localhost" /var/log/messages
& ~

#
# The isequal localhost is known to filter a lot, but not all
# locally generated syslog messages.
# A second filter is made here to be sure.
# Again, the "& ~" means: discard all the messages that this filter finds.
#
:fromhost-ip , isequal , "127.0.0.1" /var/log/messages
& ~

#
# What is not filtered yet must be the syslog messages from remote
# equipment, these are segregated here: the syslog of each host
# ends up in separate files.
#
*.* ?DynamicFilename

There are no other configurations.

Geert Liesveld

--
View this message in context: http://rsyslog-users.1305293.n2.nabble.com/Remote-syslog-setup-unsuccesful-tp7589216p7589218.html
Sent from the rsyslog-users mailing list archive at Nabble.com.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
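As an added illustration of the route-back behaviour David describes in the reply above (example code, not from the thread or from rsyslog), the following Python model applies the Linux reverse-path source validation that the /proc/sys/net/ipv4/conf/*/rp_filter setting controls to a constructed routing table: 0 disables the check, 1 is strict (the best route back must leave via the receiving interface), 2 is loose (any route back is enough), and the larger of the "all" and per-interface values applies. The interface names, the management LAN range 10.10.0.0/24 and the outside sender 192.0.2.50 are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination prefix, outgoing interface). The gateway is
# deliberately not modelled: the FIB lookup only needs a matching route,
# which is why a default route via an unreachable gateway is enough.
Route = Tuple[str, str]

def best_route(table: List[Route], src: str) -> Optional[str]:
    """Longest-prefix match: interface of the most specific route covering src,
    or None when no route covers it."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rp_filter_accepts(mode_all: int, mode_iface: int, table: List[Route],
                      src: str, in_iface: str) -> bool:
    """Model of Linux reverse-path source validation (rp_filter).
    Effective mode is max(conf/all/rp_filter, conf/<in_iface>/rp_filter):
      0 = no validation, 1 = strict (best route back must leave via in_iface),
      2 = loose (any route back is enough)."""
    mode = max(mode_all, mode_iface)
    if mode == 0:
        return True
    via = best_route(table, src)
    if via is None:          # no route back at all: dropped before userspace
        return False
    return True if mode == 2 else via == in_iface

# Constructed scenario: management LAN 10.10.0.0/24 on eth0, a syslog sender
# at 192.0.2.50 outside it, with and without a default route on eth0.
MGMT_ONLY: List[Route] = [("10.10.0.0/24", "eth0")]
WITH_DEFAULT: List[Route] = MGMT_ONLY + [("0.0.0.0/0", "eth0")]

def scenario() -> dict:
    """Outcomes for the constructed scenario in strict mode (rp_filter=1)."""
    return {
        "mgmt sender, no default": rp_filter_accepts(1, 0, MGMT_ONLY, "10.10.0.7", "eth0"),
        "outside sender, no default": rp_filter_accepts(1, 0, MGMT_ONLY, "192.0.2.50", "eth0"),
        "outside sender, default route": rp_filter_accepts(1, 0, WITH_DEFAULT, "192.0.2.50", "eth0"),
    }

if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case}: {'delivered' if ok else 'dropped'}")
```

Adding a route covering the senders (or using loose mode) is the narrower fix; setting rp_filter to 0 also removes a check that discards packets with spoofed source addresses, which matters for a log server that files messages by source host.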

