I'm trying to centralize logs that originate from syslog-ng on a Security
Onion server (Ubuntu 14.04.3-11) at a central server running rsyslog
latest. I've configured SO to copy all logs to the central server on TCP
port 10514 and confirmed that tcpdump shows log traffic (on TCP port 10514)
is leaving SO and arriving at the central server.

My goal is to ingest the remote logs into Elastic Search so I've been
following the instructions at
https://linux-help.org/wiki/logging/rsyslog/advanced-rsyslog. I had to
tweak some settings to get past parsing errors from rsyslog but that seems
OK now (according to rsyslogd -f rsyslog.conf -N1 with and without
$DebugLevel=1). At least rsyslogd now launches and runs correctly.

Problem is, only local logs are appearing in the Elastic Search index
(according to kibana). There's no sign of remote logs from Security Onion
in the ES indices. The only trace of remote logs is in
/srv/log/SecurityOnionVM/..., which seems to contain the right contents,
although I can find no signs of how they wound up there in the debug logs.

I'm new at rsyslog and have ridden the documentation about as far as it
will take me. Can someone help me get this bus on its wheels?

Dr. Brad J. Cox    Cell: 703-594-1883 Blog: http://bradjcox.blogspot.com
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
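For the receiving side described in the post, here is an added example (not the poster's configuration and not taken from the linked wiki) of an rsyslog config that binds the TCP 10514 listener to its own ruleset and places both the file copy and the Elasticsearch action inside that ruleset. Elasticsearch on localhost:9200, the error-file path and the daily index naming are assumptions.

```conf
# Added example: assumes Elasticsearch on localhost:9200 and the /srv/log layout from the post.
module(load="imtcp")
module(load="omelasticsearch")

# JSON document sent to Elasticsearch; option.json escapes quotes inside the property values.
template(name="es-json" type="list" option.json="on") {
  constant(value="{\"@timestamp\":\"")   property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"host\":\"")       property(name="hostname")
  constant(value="\",\"severity\":\"")   property(name="syslogseverity-text")
  constant(value="\",\"facility\":\"")   property(name="syslogfacility-text")
  constant(value="\",\"tag\":\"")        property(name="syslogtag")
  constant(value="\",\"message\":\"")    property(name="msg")
  constant(value="\"}")
}

# Daily index name, logstash-YYYY.MM.DD, sliced out of the RFC 3339 message timestamp.
template(name="logstash-index" type="list") {
  constant(value="logstash-")
  property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
  constant(value=".")
  property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
  constant(value=".")
  property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
}

# Per-host, per-program file path, matching the /srv/log/<host>/ layout seen in the post.
template(name="remote-file" type="string" string="/srv/log/%HOSTNAME%/%PROGRAMNAME%.log")

# Messages from an input bound to a named ruleset are processed ONLY by the actions
# in that ruleset; an omelasticsearch action in the default ruleset never sees them.
# Both the file copy and the Elasticsearch action therefore live here.
ruleset(name="remote") {
  action(type="omfile" dynaFile="remote-file")
  action(type="omelasticsearch"
         server="localhost" serverport="9200"
         template="es-json"
         searchIndex="logstash-index" dynSearchIndex="on"
         bulkmode="on"
         errorfile="/var/log/rsyslog-es-errors.log")   # rejected bulk items are recorded here
}

# The remote listener on TCP 10514, bound to the ruleset above.
input(type="imtcp" port="10514" ruleset="remote")
```

Local messages from imuxsock stay in the default ruleset, so the action that already ingests local logs is unaffected; the error file is the first place to look when Elasticsearch accepts the connection but drops documents.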