On Wed, 6 Apr 2016, David Meiser wrote:
As I continue to try to troubleshoot this, I tried using a direct ncat
connection. If I send "1.1.1.1 hello world" (simulating an IP address and
message), the output to the log file is:

output to what logfile with what config? Is this the config shown below?

note, workerthreads=4 is almost certainly wrong, you need a very complex config
to need even two threads. Having a queue on a write to a file is also almost
always the wrong thing to do.

Apr 6 16:25:41 1
Apr 6 16:25:41 .1.1 hello world

not a valid syslog message

If I send "1\.1\.1\.1 hello world" the output is this:
Apr 6 16:26:16 .
Apr 6 16:26:16 .
Apr 6 16:26:16 .
Apr 6 16:26:16 h
Apr 6 16:26:16 ello world

also not a valid syslog message

If I send "myserver.domain.com hello world" the output is this:
Apr 6 16:28:28 myserver.domain.com hello world

also not a valid syslog message

If I send a raw syslog message "<13>Apr 6 14:37:38 1.1.1.1 Test Syslog." I
get:
Apr 6 14:37:38 1.1.1.1 Test Syslog.

This is a valid syslog message, and is the output I would expect if you are
doing a simple write with the traditional format.

So, I go back to the original device that sent the TCP syslog message (an
APC UPS) and send another test directly to the server and I see this in the
logs:
5015.675372226:7f6ce2981700: imptcp: data(131072) on socket 19: <13>Apr 6 16:36:54 1.1.1.1 APC: Test Syslog.rom o world

how are you seeing this?

And in the log I get nothing.

so if it works from some places and not others, the first thing to do is to look
at the network and see if there are any network things that would block the
communication from the place that doesn't work, but don't block it from the
place that does work.

David Lang
On Wed, Apr 6, 2016 at 4:03 PM David Meiser <[email protected]> wrote:
I am trying to setup a generic syslog forwarder that accepts messages on
tcp & udp. Using imptcp, I see messages come in, but no rulesets are
processed. My ruleset, right now, is set to take tcp messages and just
output them to file (for troubleshooting). UDP works fine.
Here is what I see in debug mode:
2594.333580185:7fd29ab2b700: imptcp: epoll returned 1 events
2594.333594886:7fd29ab2b700: imptcp: new connection on listen socket 9
2594.334657804:7fd29ab2b700: imptcp: added socket 15 to epoll[8] set
2594.334670004:7fd29ab2b700: imptcp going on epoll_wait
2594.334673904:7fd29ab2b700: imptcp: epoll returned 1 events
2594.334686204:7fd29ab2b700: imptcp: new activity on session socket 15
2594.334692604:7fd29ab2b700: imptcp: data(131072) on socket 15: <5>Apr 6 15:56:34 user.name: hello world
2594.334701804:7fd29ab2b700: imptcp: removing socket 15 from epoll[8] set
2594.335235814:7fd29ab2b700: imptcp: session on socket 15 closed with iRet 0.
2594.335240814:7fd29ab2b700: imptcp going on epoll_wait
Here is my config:
module(load="imptcp")

input(
    type="imptcp"
    port="514"
    ruleset="remote"
)

ruleset(
    name="remote"
    queue.workerthreads="4"
    queue.filename="srvrfwd"
    queue.type="LinkedList"
    queue.syncqueuefiles="on"
    queue.maxdiskspace="10g"
    queue.saveonshutdown="on"
    queue.size="10000000"
) {
    action(
        type="omfile"
        file="/var/log/debug"
    )
}
I've also tried the sample config from the website:
input(type="imptcp" port="10514" ruleset="writeRemoteData")

ruleset(name="writeRemoteData"
        queue.type="fixedArray"
        queue.size="250000"
        queue.dequeueBatchSize="4096"
        queue.workerThreads="4"
        queue.workerThreadMinimumMessages="60000"
) {
    action(type="omfile"
           file="/var/log/remote.log"
           ioBufferSize="64k"
           flushOnTXEnd="off"
           asyncWriting="on")
}
Same issue.
Any thoughts?
Thank you,
Dave
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
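
An added example, not part of the original thread and not rsyslog code: a strict check for the traditional "<PRI>Mmm dd hh:mm:ss host message" layout, run over the four strings sent with ncat in the thread. The function and field names are assumptions for illustration, and rsyslog's own parser is more forgiving than this check.

```python
import re

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
PRI = re.compile(r"<(\d{1,3})>")
# The day may be space-padded ("Apr  6") or not ("Apr 6"); accept both.
STAMP = re.compile(rf"(?:{MONTHS}) {{1,2}}\d{{1,2}} \d{{2}}:\d{{2}}:\d{{2}} ")
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]


def check_legacy_frame(line):
    """Return (True, fields) or (False, reason) for one received line."""
    m = PRI.match(line)
    if not m:
        return False, "missing <PRI> header"
    pri = int(m.group(1))
    if pri > 191:  # highest facility (23) * 8 + highest severity (7)
        return False, "PRI out of range (0-191)"
    rest = line[m.end():]
    t = STAMP.match(rest)
    if not t:
        return False, "missing 'Mmm dd hh:mm:ss' timestamp"
    host, _, msg = rest[t.end():].partition(" ")
    if not host:
        return False, "missing hostname"
    return True, {
        "facility": pri >> 3,            # upper bits of PRI
        "severity": SEVERITIES[pri & 7],  # lower three bits of PRI
        "timestamp": t.group(0).strip(),
        "host": host,
        "msg": msg,
    }


# Sample set built from the four test strings quoted in the thread.
SAMPLES = [
    "1.1.1.1 hello world",
    r"1\.1\.1\.1 hello world",
    "myserver.domain.com hello world",
    "<13>Apr 6 14:37:38 1.1.1.1 Test Syslog.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", check_legacy_frame(sample))
```

Only the last sample passes; the first three are rejected at the first step because they carry no <PRI> header.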