Here y'go. I killed the tcpdump I keep running there and restarted it.
root@localhost:/home/bcox# tcpdump -vv port 10514
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:18:01.798173 IP (tos 0x0, ttl 64, id 13677, offset 0, flags [DF], proto TCP (6), length 158)
    192.168.48.137.55850 > 192.168.48.145.10514: Flags [P.], cksum 0xb679 (correct), seq 1354741200:1354741306, ack 3927941070, win 1024, options [nop,nop,TS val 85045186 ecr 14255259], length 106
05:18:01.798199 IP (tos 0x0, ttl 64, id 1985, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.48.145.10514 > 192.168.48.137.55850: Flags [.], cksum 0xe291 (incorrect -> 0x8c75), seq 1, ack 106, win 1452, options [nop,nop,TS val 14268510 ecr 85045186], length 0
05:18:01.798795 IP (tos 0x0, ttl 64, id 13678, offset 0, flags [DF], proto TCP (6), length 175)
    192.168.48.137.55850 > 192.168.48.145.10514: Flags [P.], cksum 0x9d13 (correct), seq 106:229, ack 1, win 1024, options [nop,nop,TS val 85045186 ecr 14268510], length 123
05:18:01.798811 IP (tos 0x0, ttl 64, id 1986, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.48.145.10514 > 192.168.48.137.55850: Flags [.], cksum 0xe291 (incorrect -> 0x8bfa), seq 1, ack 229, win 1452, options [nop,nop,TS val 14268510 ecr 85045186], length 0
Dr. Brad J. Cox Cell: 703-594-1883 Skype: dr.brad.cox
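As an added example that is not part of this thread, the following Python script turns a capture like the one above into the answer the troubleshooting step is looking for: did syslog payload from the remote host reach the collector's port, and did the collector's TCP stack acknowledge all of it? The sample input is the four packets from the capture, re-joined onto tcpdump's usual two-line layout; the collector port 10514 comes from the thread, and the function names and the parsing regexes are my own assumptions about the tcpdump -vv text format.

```python
import re

# Constructed sample: the four records from the capture in this thread,
# re-joined onto tcpdump's normal two-line layout (header line + flow line).
SAMPLE = """\
05:18:01.798173 IP (tos 0x0, ttl 64, id 13677, offset 0, flags [DF], proto TCP (6), length 158)
    192.168.48.137.55850 > 192.168.48.145.10514: Flags [P.], cksum 0xb679 (correct), seq 1354741200:1354741306, ack 3927941070, win 1024, options [nop,nop,TS val 85045186 ecr 14255259], length 106
05:18:01.798199 IP (tos 0x0, ttl 64, id 1985, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.48.145.10514 > 192.168.48.137.55850: Flags [.], cksum 0xe291 (incorrect -> 0x8c75), seq 1, ack 106, win 1452, options [nop,nop,TS val 14268510 ecr 85045186], length 0
05:18:01.798795 IP (tos 0x0, ttl 64, id 13678, offset 0, flags [DF], proto TCP (6), length 175)
    192.168.48.137.55850 > 192.168.48.145.10514: Flags [P.], cksum 0x9d13 (correct), seq 106:229, ack 1, win 1024, options [nop,nop,TS val 85045186 ecr 14268510], length 123
05:18:01.798811 IP (tos 0x0, ttl 64, id 1986, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.48.145.10514 > 192.168.48.137.55850: Flags [.], cksum 0xe291 (incorrect -> 0x8bfa), seq 1, ack 229, win 1452, options [nop,nop,TS val 14268510 ecr 85045186], length 0
"""

# Assumed shape of tcpdump -vv output: an IP header line followed by an
# indented TCP flow line. Only the fields needed below are captured.
HDR = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(.*?proto TCP \(6\), length (?P<iplen>\d+)\)$")
FLOW = re.compile(
    r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\], cksum (?P<cksum>0x[0-9a-f]+) \((?P<ckstate>[^)]*)\), "
    r"seq (?P<seq>\d+(?::\d+)?), ack (?P<ack>\d+), .*length (?P<len>\d+)$"
)


def parse_tcpdump(text):
    """Return one dict per TCP packet found in tcpdump -vv text.

    Lines that do not form a header/flow pair (the 'listening on' banner,
    wrapped or truncated records) are skipped rather than guessed at.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    packets = []
    i = 0
    while i + 1 < len(lines):
        h, f = HDR.match(lines[i]), FLOW.match(lines[i + 1])
        if not (h and f):
            i += 1
            continue
        packets.append({
            "ts": h.group("ts"),
            "src": f.group("src"), "sport": int(f.group("sport")),
            "dst": f.group("dst"), "dport": int(f.group("dport")),
            "flags": f.group("flags"), "ckstate": f.group("ckstate"),
            "ack": int(f.group("ack")), "payload": int(f.group("len")),
        })
        i += 2
    return packets


def summarize(packets, collector_port):
    """Judge the inbound log stream to collector_port from a parsed capture.

    tcpdump (without -S) prints sequence and ack numbers relative to the
    first segment it saw for each flow, so the collector's highest ack can be
    compared directly with the payload bytes counted in the other direction.
    """
    inbound = [p for p in packets if p["dport"] == collector_port]
    outbound = [p for p in packets if p["sport"] == collector_port]
    bytes_in = sum(p["payload"] for p in inbound)
    highest_ack = max((p["ack"] for p in outbound), default=0)
    return {
        "data_segments_in": sum(1 for p in inbound if p["payload"] > 0),
        "bytes_in": bytes_in,
        "bytes_acked": highest_ack,
        # True when every pushed byte was acknowledged by the collector's kernel.
        "fully_acked": bytes_in > 0 and highest_ack >= bytes_in,
        # 'incorrect' checksums on locally generated replies are the usual
        # checksum-offload artifact on the capturing host, not corruption.
        "offload_cksum_seen": any("incorrect" in p["ckstate"] for p in outbound),
    }


if __name__ == "__main__":
    result = summarize(parse_tcpdump(SAMPLE), 10514)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run on this capture, the summary reports 229 payload bytes in two data segments from 192.168.48.137, all acknowledged by the rsyslog host, so the network path, VMware networking and the (empty) iptables policy are cleared and the loss has to be looked for after the kernel, in the rsyslog input and output configuration. The "incorrect" checksums on the collector's own ACKs are what tcpdump normally shows for packets the local NIC checksums in hardware, so they are not evidence of a problem.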
> On Feb 1, 2016, at 8:16 AM, David Lang <[email protected]> wrote:
>
> Ok, not iptables rules, try a tcpdump on the rsyslog box to see if you are
> getting any traffic from the SO box.
>
> David Lang
>
> On Mon, 1 Feb 2016, Brad Cox wrote:
>
>> Date: Mon, 1 Feb 2016 08:09:33 -0500
>> From: Brad Cox <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] Logs from remote server not making it to Elastic
>> Search
>> The proto-cluster (rsyslog) is Xubuntu latest (14.x.y). Security Onion
>> server and clients is Ubuntu latest (syslog-ng). Both are VMware VMs on a
>> Mac host.
>>
>> root@localhost:/var/log# iptables -L -n
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Dr. Brad J. Cox Cell: 703-594-1883 Skype: dr.brad.cox
>>
>>
>>
>>
>>> On Feb 1, 2016, at 8:06 AM, David Lang <[email protected]> wrote:
>>>
>>> what distro is this? have you checked iptables rules?
>>>
>>> iptables -L -n
>>>
>>> David Lang
>>>
>>> On Mon, 1 Feb 2016, Brad Cox wrote:
>>>
>>>> Re earlier, I think the difference was we were getting logs from the
>>>> rsyslog server then (local) traffic. When I removed that, it showed we
>>>> were not receiving remote logs, then or now. But still no idea why.
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>>> LIKE THAT.
>>
>>