please post your config
David Lang
On Sun, 5 Jul 2020, Eric Blomquist via rsyslog wrote:
Date: Sun, 5 Jul 2020 12:42:00 -0700
From: Eric Blomquist via rsyslog <[email protected]>
To: 'Rainer Gerhards' <[email protected]>,
'rsyslog-users' <[email protected]>
Cc: Eric Blomquist <[email protected]>
Subject: Re: [rsyslog] imkmsg absent from 8.2006; How to get imuxsock to read
kernel messages?
Thanks for responding.
Yes, of course. imklog was the first thing I tried, and it has been configured
to load throughout this process.
In fact, I experimented with a great number of alternative configurations
before I thought to try substituting imkmsg for imklog, only to discover that
imkmsg was/is missing.
No matter what we do, no rule in an imuxsock ruleset (even *.*) reads iptables
log messages.
We know the messages exist, both from running dmesg and because standalone
rules (outside an imuxsock ruleset) read the messages.
I experimented with all varieties of syntax, filter, filter text, operator, and
property. None had any effect. I experimented with imuxsock listeners on all
obvious sockets, and all failed.
I also experimented with both means of interfacing with systemd-journald (i.e.,
configuring journald.conf with the "ForwardToSyslog=yes" directive, and via
imjournal), with no effect.
All that seems to be left (besides giving imkmsg a try) is something to do with
the imuxsock module and how it handles kernel messages, and we can't figure it
out.
Having ruleset capability for iptables messages would be a big help, and this
seems to depend on imuxsock.
Thoughts?
-ERB
-----Original Message-----
From: Rainer Gerhards [mailto:[email protected]]
Sent: Sunday, July 05, 2020 2:01 AM
To: rsyslog-users
Cc: Eric Blomquist
Subject: Re: [rsyslog] imkmsg absent from 8.2006; How to get imuxsock to read
kernel messages?
Did you have a look at imklog? That's the original module for kernel
messages. I admit I do not remember why exactly imkmsg was
contributed.
Rainer
On Fri, 3 Jul 2020 at 20:10, Eric Blomquist via rsyslog
(<[email protected]>) wrote:
Does anyone have any idea how to get imuxsock to read kernel messages?
We have been having trouble getting any rule in an imuxsock ruleset to read
kernel messages, in particular those from iptables. Without this, ruleset
functionality is not available.
Possibly, the difficulty is that imkmsg is absent on our systems and from
the latest rsyslog package available from the Adiscon repository (8.2006.0).
No obvious means exists to obtain or install this module. Does anyone have
this module installed?
imklog permits a standalone rule (i.e., outside an imuxsock ruleset) to
capture kernel messages, so at least they're not lost, but again, no ruleset
functionality is available.
We have attempted any number of configurations spanning rsyslog.conf,
journald.conf, and sysctl.conf, including creating listeners specifically
for /dev/kmsg, /proc/kmsg, /dev/log, and /run/systemd/journal/syslog, all
without success.
Many thanks for any suggestions.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.