Hi, thanks a lot for the fast reply. Well, what I understood is that the local6 config for the DB is working, as I was able to catch DB logs via tcpdump. My question might be: is *.* forwarding all the logs from all the local* facilities? Why is it working with local5 and not with local6? Where exactly might the local5 etc. config be? I don't need DB logs to be stored locally, just need to forward them to the SIEM (there are too many, approx. 80 EPS).
here's rsyslog.conf

# cat /etc/rsyslog.conf
##
## Note, that when the MYSQL, PGSQL, GSSAPI, GnuTLS or SNMP modules
## (provided in separate rsyslog-module-* packages) are enabled, the
## configuration can't be used on a system with /usr on a remote
## filesystem.
## [The modules are linked against libraries installed bellow of /usr
## thus also installed in /usr/lib*/rsyslog because of this.]
##
## You can change it by adding network-remotefs to the Required-Start
## and Required-Stop LSB init tags in the /etc/init.d/syslog script.
##
#
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
# and report them at http://bugzilla.novell.com/
#
# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
$ModLoad immark.so      # provides --MARK-- message capability (every 1 hour)
$MarkMessagePeriod 3600
$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
# reduce dupplicate log messages (last message repeated n times)
$RepeatedMsgReduction on
$ModLoad imklog.so      # kernel logging (may be also provided by /sbin/klogd),
                        # see also http://www.rsyslog.com/doc-imklog.html.
$klogConsoleLogLevel 1  # set log level 1 (same as in /etc/sysconfig/syslog).
#
# Use traditional log format by default. To change it for a single
# file, append ";RSYSLOG_TraditionalFileFormat" to the filename.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Include config generated by /etc/init.d/syslog script
# using the SYSLOGD_ADDITIONAL_SOCKET* variables in the
# /etc/sysconfig/syslog file.
#
$IncludeConfig /var/run/rsyslog/additional-log-sockets.conf
#
# Include config files, that the admin provided? :
#
$IncludeConfig /etc/rsyslog.d/*.conf
###
# print most important on tty10 and on the xconsole pipe
#
if      ( \
            /* kernel up to warning except of firewall  */ \
            ($syslogfacility-text == 'kern')      and      \
            ($syslogseverity <= 4 /* warning */ ) and not  \
            ($msg contains 'IN=' and $msg contains 'OUT=') \
        ) or ( \
            /* up to errors except of facility authpriv */ \
            ($syslogseverity <= 3 /* errors  */ )  and not \
            ($syslogfacility-text == 'authpriv')           \
        ) \
then    /dev/tty10
& |/dev/xconsole
# Emergency messages to everyone logged on (wall)
*.emerg                                  :omusrmsg:*
# enable this, if you want that root is informed
# immediately, e.g. of logins
#*.alert                                 root
#
# firewall messages into separate file and stop their further processing
#
if      ($syslogfacility-text == 'kern') and \
        ($msg contains 'IN=' and $msg contains 'OUT=') \
then    -/var/log/firewall
& ~
#
# acpid messages into separate file and stop their further processing
#
# => all acpid messages for debuging (uncomment if needed):
#if     ($programname == 'acpid' or $syslogtag == '[acpid]:') then \
#       -/var/log/acpid
#
# => up to notice (skip info and debug)
if      ($programname == 'acpid' or $syslogtag == '[acpid]:') and \
        ($syslogseverity <= 5 /* notice */) \
then    -/var/log/acpid
& ~
#
# NetworkManager into separate file and stop their further processing
#
if      ($programname == 'NetworkManager') or \
        ($programname startswith 'nm-') \
then    -/var/log/NetworkManager
& ~
#
# email-messages
#
mail.*                                  -/var/log/mail
mail.info                               -/var/log/mail.info
mail.warning                            -/var/log/mail.warn
mail.err                                 /var/log/mail.err
#
# news-messages
#
news.crit                               -/var/log/news/news.crit
news.err                                -/var/log/news/news.err
news.notice                             -/var/log/news/news.notice
# enable this, if you want to keep all news messages
# in one file
#news.*                                 -/var/log/news.all
#
# Warnings in one file
#
*.=warning;*.=err                       -/var/log/warn
*.crit                                   /var/log/warn
#
# the rest in one file
#
*.*;mail.none;news.none                 -/var/log/messages
#
# enable this, if you want to keep all messages
# in one file
#*.*                                    -/var/log/allmessages
#
# Some foreign boot scripts require local7
#
local0,local1.*                         -/var/log/localmessages
local2,local3.*                         -/var/log/localmessages
local4,local5.*                         -/var/log/localmessages
local6,local7.*                         -/var/log/localmessages
###

2017-01-19 11:47 GMT+01:00 Rainer Gerhards <[email protected]>:

> 2017-01-19 11:44 GMT+01:00 Denis Dolinský via rsyslog
> <[email protected]>:
> > Hi guys,
> >
> > I have the following config in place:
> >
> > Linux server + Oracle DB
> > Oracle logging:
> >
> > AUDIT_TRAIL = OS
> > AUDIT_SYSLOG_LEVEL=local6.warning
> > AUDIT_SYS_OPERATIONS = TRUE
> >
> > OS - rsyslog is forwarding the logs:
> >
> > *.* @IP address of collector
> >
> > but in the collector (SIEM) I can see only OS logs, no DB logs.
> >
> > Does anybody have any idea where I might have done something wrong?
> >
> > I am using the default rsyslog.conf (meaning I did not change anything there)
>
> The default depends on OS and version, so we do not really know
> yet what you have.
>
> > When I change DB logging to local5, it works, but
> > unfortunately I cannot use local5 for both OS & DB logging, so I have to
> > split/divert DB logging to local6.
> >
> > With *.* forwarding, I thought that everything is forwarded to the SIEM;
> > apparently I am wrong.
>
> Your expectation is right. I guess that the config either discards
> messages before they reach this point, oracle does not log, or
> something (journal?) might be in the way of getting this to work.
>
> In other words, we need a more precise description of what you actually
> have.
>
> Rainer
>
> > Thanks a lot in advance!
> >
> > Denis
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.

--
Ing. Denis Dolinský
[email protected]
private cell: +421 907 530711
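To check Rainer's "discarded before it reaches the forward rule" hypothesis against the selectors in the posted rsyslog.conf, here is an added example (not code from the thread, from rsyslog, or from Oracle) that replays sysklogd-style legacy selector matching for a local6.warning message and also gives the PRI value to look for in the tcpdump capture. The collector address and the oracle_audit drop-in are assumptions for illustration.

```python
# Added example (not from the thread): replay sysklogd/rsyslog legacy selector matching
# for a local6.warning message, including a discard ("& ~") placed before "*.* @collector".
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "authpriv": 10, **{f"local{i}": 16 + i for i in range(8)}}


def pri(facility, severity):
    """PRI value (the <N> prefix) to look for in tcpdump output of forwarded packets."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def selector_mask(selector, facility):
    """Severity bitmask one legacy selector gives a facility (sysklogd cfline rules):
    'pri' adds pri and more severe, '=pri' one level, 'none' clears, '!pri' removes."""
    mask = 0
    for part in selector.split(";"):
        facs, prio = part.strip().rsplit(".", 1)
        if "*" not in facs.split(",") and facility not in facs.split(","):
            continue
        negate, prio = prio.startswith("!"), prio.lstrip("!")
        single, prio = prio.startswith("="), prio.lstrip("=")
        if prio == "none":
            mask = 0
            continue
        top = 7 if prio == "*" else SEVERITY[prio]
        bits = 1 << top if single else (1 << (top + 1)) - 1
        mask = mask & ~bits if negate else mask | bits
    return mask


def route(rules, facility, severity):
    """Actions fired for one message; a matching '~' (discard) ends the walk."""
    fired = []
    for selector, action in rules:
        if selector_mask(selector, facility) & (1 << SEVERITY[severity]):
            if action == "~":
                break
            fired.append(action)
    return fired


# Legacy selector lines of the posted rsyslog.conf, then the thread's forward rule (placeholder address).
DEFAULT_RULES = [("*.emerg", ":omusrmsg:*"), ("mail.*", "-/var/log/mail"),
                 ("*.=warning;*.=err", "-/var/log/warn"), ("*.crit", "/var/log/warn"),
                 ("*.*;mail.none;news.none", "-/var/log/messages"),
                 ("local6,local7.*", "-/var/log/localmessages"), ("*.*", "@COLLECTOR_IP")]
# Assumed drop-in: files local6 on its own, then "& ~" discards it; placed ahead of the forward rule
# (e.g. pulled in via /etc/rsyslog.d/), it stops local6 from ever reaching the collector.
DISCARD_DROPIN = [("local6.*", "-/var/log/oracle_audit"), ("local6.*", "~")]
```

With the posted config alone, local6.warning reaches the forward rule (after /var/log/warn, /var/log/messages and /var/log/localmessages), so the discard, if there is one, has to live in an included file rather than in rsyslog.conf itself.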

