Thanks for the conf validation switch.  Looks like we have a compatibility 
issue.  Most of our existing syslog servers are running on CentOS 6.  Will an 
upgrade of rsyslog resolve this, or do we need to convert the conf to legacy?

module(load="imklog")
module(load="imuxsock")
module(load="imudp")
module(load="imtcp")
# omudpspoof is not built in; load it for the omudpspoof action below
module(load="omudpspoof")
# In: 514/TCP (uses the same queue as UDP)
input(type="imtcp"
    address="10.1.2.3"
    port="514"
    ruleset="ruleset_eth0_514") 
# In: 514/UDP (uses the same queue as TCP)
input(type="imudp"
    address="10.1.2.3"
    port="514"
    ruleset="ruleset_eth0_514") 
# Out: UDP-spoof to the local and also forward to remote rsyslog
ruleset(name="ruleset_eth0_514"
    queue.highwatermark="50000"
    queue.fulldelaymark="20000"
    queue.lowwatermark="2000"
    queue.type="LinkedList") {
        call action.local.udp515
        call action.fwd.remotebox
        stop
    }
# Fwd to localhost:udp/515
ruleset(name="action.local.udp515") {
    action(type="omudpspoof"
        name="omudpspoof.local515"
        target="127.0.0.1"
        port="515")
    }
# Fwd to remotebox w/ compression and local disk queueing
ruleset(name="action.fwd.remotebox") {
    action(type="omfwd"
        name="omfwd.remotebox"
        queue.type="LinkedList"
        queue.filename="omfwd_remotebox"
        queue.size="10000"
        queue.maxdiskspace="2G"
        queue.saveonshutdown="on"
        action.resumeretrycount="-1"
        target="172.22.22.22"
        port="514"
        protocol="tcp"
        compression.mode="stream:always")
    }


Regards,



Randy Baca
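
The delay-mark behaviour David Lang describes in the message quoted further down (delayable inputs such as TCP are held back once the queue passes a mark, leaving room for UDP bursts) can be seen in a small model. This is an added example, not part of any message in this thread and not rsyslog code; the function names, the per-tick model and all numbers are constructed assumptions.

```python
"""Toy model of a bounded queue with a full-delay mark (constructed; not rsyslog code)."""


def simulate(size, full_delay_mark, tcp_per_tick, drain_per_tick, udp_bursts, ticks):
    """Run the model for `ticks` steps and return drop/backlog counters.

    TCP is the delayable input: it is only accepted while the queue depth is
    below full_delay_mark, and whatever is refused stays with the sender.
    UDP is the non-delayable input: it is accepted until the queue is
    completely full, and whatever does not fit is lost.
    """
    if not 0 < full_delay_mark <= size:
        raise ValueError("full_delay_mark must be between 1 and size")
    depth = tcp_waiting = udp_dropped = max_depth = 0
    for tick in range(ticks):
        # Delayable input: fill only up to the delay mark.
        tcp_waiting += tcp_per_tick
        taken = min(max(0, full_delay_mark - depth), tcp_waiting)
        depth += taken
        tcp_waiting -= taken
        # Non-delayable input: may use the headroom above the mark.
        burst = udp_bursts.get(tick, 0)
        taken = min(size - depth, burst)
        depth += taken
        udp_dropped += burst - taken
        max_depth = max(max_depth, depth)
        # Consumer (the output actions) drains the queue.
        depth = max(0, depth - drain_per_tick)
    return {"udp_dropped": udp_dropped, "tcp_waiting": tcp_waiting,
            "max_depth": max_depth}


# Constructed workload: steady TCP above the drain rate, one UDP burst at tick 5.
WORKLOAD = dict(size=100, tcp_per_tick=30, drain_per_tick=20,
                udp_bursts={5: 40}, ticks=10)


def compare():
    """Same workload with no headroom (mark == size) and with a mark at 60."""
    no_headroom = simulate(full_delay_mark=100, **WORKLOAD)
    with_headroom = simulate(full_delay_mark=60, **WORKLOAD)
    return no_headroom, with_headroom


if __name__ == "__main__":
    for label, result in zip(("mark == size", "mark == 60"), compare()):
        print(label, result)
```

With the mark below the queue size the UDP burst fits entirely, at the cost of more messages waiting on the TCP senders.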

________________________________________
From: [email protected] [[email protected]] on 
behalf of David Lang [[email protected]]
Sent: Thursday, October 01, 2015 7:53 PM
To: rsyslog-users
Subject: Re: [rsyslog] Complex forwarding and spoofing question

I'm not seeing anything obviously wrong, but you left out part of the config
(the module loading if nothing else)

do
rsyslogd -N2
to have rsyslog do a syntax check of the config and see if it's happy.

David Lang

On Fri, 2 Oct 2015, Randy Baca wrote:

> Date: Fri, 2 Oct 2015 00:26:11 +0000
> From: Randy Baca <[email protected]>
> Reply-To: rsyslog-users <[email protected]>
> To: rsyslog-users <[email protected]>
> Subject: Re: [rsyslog] Complex forwarding and spoofing question
>
> This is what I am using but nothing in a tcpdump going to local on port 515 
> or remote on port 514.
>
> # In: 514/TCP (uses the same queue as UDP)
> input(type="imtcp"
>    address="10.1.2.3"
>    port="514"
>    ruleset="ruleset_eth0_514")
>
> # In: 514/UDP (uses the same queue as TCP)
> input(type="imudp"
>    address="10.1.2.3"
>    port="514"
>    ruleset="ruleset_eth0_514")
>
> # Queue: UDP-spoof to the local and also forward to remote rsyslog
> ruleset(name="ruleset_eth0_514"
>    queue.highwatermark="50000"
>    queue.fulldelaymark="20000"
>    queue.lowwatermark="2000"
>    queue.type="LinkedList") {
>        call action.local.udp515
>        call action.fwd.remotebox
>        stop
>    }
>
> # Fwd to localhost:udp/515
> ruleset(name="action.local.udp515") {
>    action(type="omudpspoof"
>        name="omudpspoof.local515"
>        target="127.0.0.1"
>        port="515")
>    }
>
> # Fwd to remotebox w/ compression and local disk queueing
> ruleset(name="action.fwd.remotebox") {
>    action(type="omfwd"
>        name="omfwd.remotebox"
>        queue.type="LinkedList"
>        queue.filename="omfwd_remotebox"
>        queue.size="10000"
>        queue.maxdiskspace="2G"
>        queue.saveonshutdown="on"
>        action.resumeretrycount="-1"
>        target="172.22.22.22"
>        port="514"
>        protocol="tcp"
>        compression.mode="stream:always")
>    }
>
>
>
>
> ________________________________________
> From: [email protected] [[email protected]] 
> on behalf of Dave Caplinger [[email protected]]
> Sent: Thursday, October 01, 2015 2:09 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Complex forwarding and spoofing question
>
> Looks like it's "queue.fulldelaymark" (and I presume "queue.lightdelaymark" 
> may be related, but there's no description at 
> http://www.rsyslog.com/doc/master/rainerscript/queue_parameters.html so I'm 
> not sure yet what it does...)
>
> Thanks!
>
> --
> Dave Caplinger, Director, Technical Product Management | 402.361.3063 | 
> Solutionary — An NTT Group Security Company
>
>> On Oct 1, 2015, at 4:03 PM, David Lang <[email protected]> wrote:
>>
>> There is a queue parameter that tells rsyslog that if the queue is larger 
>> than X, stop accepting inputs that can be delayed (like TCP) so that there 
>> is space left for a burst of traffic from inputs that can't be delayed (like 
>> UDP)
>>
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> LIKE THAT.