hmm, if I'm reading this correctly, there is some data getting through to something, but the pstats data you were showing says that it's not rsyslog that it's talking to.

David Lang

 On Mon, 1 Feb 2016, Brad Cox wrote:

Date: Mon, 1 Feb 2016 08:19:35 -0500
From: Brad Cox <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Logs from remote server not making it to Elastic Search

Here y'go. I killed the tcpdump I keep running there and restarted it.

root@localhost:/home/bcox# tcpdump -vv port 10514
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 
bytes
05:18:01.798173 IP (tos 0x0, ttl 64, id 13677, offset 0, flags [DF], proto TCP 
(6), length 158)
   192.168.48.137.55850 > 192.168.48.145.10514: Flags [P.], cksum 0xb679 
(correct), seq 1354741200:1354741306, ack 3927941070, win 1024, options 
[nop,nop,TS val 85045186 ecr 14255259], length 106
05:18:01.798199 IP (tos 0x0, ttl 64, id 1985, offset 0, flags [DF], proto TCP 
(6), length 52)
   192.168.48.145.10514 > 192.168.48.137.55850: Flags [.], cksum 0xe291 (incorrect 
-> 0x8c75), seq 1, ack 106, win 1452, options [nop,nop,TS val 14268510 ecr 
85045186], length 0
05:18:01.798795 IP (tos 0x0, ttl 64, id 13678, offset 0, flags [DF], proto TCP 
(6), length 175)
   192.168.48.137.55850 > 192.168.48.145.10514: Flags [P.], cksum 0x9d13 
(correct), seq 106:229, ack 1, win 1024, options [nop,nop,TS val 85045186 ecr 
14268510], length 123
05:18:01.798811 IP (tos 0x0, ttl 64, id 1986, offset 0, flags [DF], proto TCP 
(6), length 52)
   192.168.48.145.10514 > 192.168.48.137.55850: Flags [.], cksum 0xe291 (incorrect 
-> 0x8bfa), seq 1, ack 229, win 1452, options [nop,nop,TS val 14268510 ecr 
85045186], length 0

Dr. Brad J. Cox    Cell: 703-594-1883 Skype: dr.brad.cox




On Feb 1, 2016, at 8:16 AM, David Lang <[email protected]> wrote:

Ok, not iptables rules, try a tcpdump on the rsyslog box to see if you are 
getting any traffic from the SO box.

David Lang

On Mon, 1 Feb 2016, Brad Cox wrote:

Date: Mon, 1 Feb 2016 08:09:33 -0500
From: Brad Cox <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Logs from remote server not making it to Elastic Search
The proto-cluster (rsyslog) is Xubuntu latest (14.x.y). Security Onion server 
and clients is Ubuntu latest (syslog-ng). Both are VMware VMs on a Mac host.

root@localhost:/var/log# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Dr. Brad J. Cox    Cell: 703-594-1883 Skype: dr.brad.cox




On Feb 1, 2016, at 8:06 AM, David Lang <[email protected]> wrote:

what distro is this? have you checked iptables rules?

iptables -L -n

David Lang

On Mon, 1 Feb 2016, Brad Cox wrote:

Re earlier, I think the difference was we were getting logs from the rsyslog 
server then (local) traffic. When I removed that, it showed we were not 
receiving remote logs, then or now. But still no idea why.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
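To make the point in the reply concrete, here is an added shell example (not from the thread or the rsyslog project) that totals TCP payload per direction from a tcpdump -vv capture and names the process holding the listening socket; the sample capture is constructed from the packets quoted above, and the port and addresses are the thread's own.

```shell
#!/bin/sh
# Added example: per-direction payload summary of a tcpdump -vv capture.
# Constructed sample modeled on the capture in the thread; real tcpdump prints
# each flow line unwrapped (the mail client wrapped them in the quoted post).
SAMPLE='05:18:01.798173 IP (tos 0x0, ttl 64, id 13677, offset 0, flags [DF], proto TCP (6), length 158)
    192.168.48.137.55850 > 192.168.48.145.10514: Flags [P.], cksum 0xb679 (correct), seq 1354741200:1354741306, ack 3927941070, win 1024, options [nop,nop,TS val 85045186 ecr 14255259], length 106
05:18:01.798199 IP (tos 0x0, ttl 64, id 1985, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.48.145.10514 > 192.168.48.137.55850: Flags [.], cksum 0xe291 (incorrect -> 0x8c75), seq 1, ack 106, win 1452, options [nop,nop,TS val 14268510 ecr 85045186], length 0
05:18:01.798795 IP (tos 0x0, ttl 64, id 13678, offset 0, flags [DF], proto TCP (6), length 175)
    192.168.48.137.55850 > 192.168.48.145.10514: Flags [P.], cksum 0x9d13 (correct), seq 106:229, ack 1, win 1024, options [nop,nop,TS val 85045186 ecr 14268510], length 123
05:18:01.798811 IP (tos 0x0, ttl 64, id 1986, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.48.145.10514 > 192.168.48.137.55850: Flags [.], cksum 0xe291 (incorrect -> 0x8bfa), seq 1, ack 229, win 1452, options [nop,nop,TS val 14268510 ecr 85045186], length 0'

# summarize_flows: read tcpdump -vv text on stdin and print one line per direction:
#   "<src> > <dst> <packets> <payload-bytes>"
# Only the indented flow lines end in the TCP payload size ("length N").
summarize_flows() {
  awk '
    /^ +[0-9.]+ > [0-9.]+:/ {
      src = $1; dst = $3; sub(/:$/, "", dst)
      if (match($0, /length [0-9]+$/)) {
        key = src " > " dst
        pkts[key]++
        bytes[key] += substr($0, RSTART + 7)
      }
    }
    END { for (k in pkts) printf "%s %d %d\n", k, pkts[k], bytes[k] }
  ' | sort
}

# payload_toward_port: total payload bytes sent to the given port, i.e. what
# whatever is listening there actually received.
payload_toward_port() {
  summarize_flows | awk -v port="$1" '$3 ~ ("\\." port "$") { sum += $5 } END { print sum + 0 }'
}

# owner_of_port: show which local process holds the listening socket on that port.
# Run this on the box where tcpdump was taken; it answers "is it really rsyslog?".
owner_of_port() {
  ss -tlnp "sport = :$1"
}

printf '%s\n' "$SAMPLE" | summarize_flows
printf '%s\n' "$SAMPLE" | payload_toward_port 10514
```

With the sample, 229 payload bytes reach port 10514 and the replies from 10514 carry none but are acknowledgements, so a socket is open there; `owner_of_port 10514` then shows whether it is rsyslog or another daemon. The "incorrect" checksums on the outgoing ACKs are the usual checksum-offload artifact when capturing on the sending host, not corruption.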
