At first you may have a look into /etc/rsyslog.d/*.conf whether the messages are not processed and filtered somewhere in those configuration snippets.
You can try to log all messages flowing through the rsyslog to one file with debug format: *.* /var/log/debug;RSYSLOG_DebugFormat Put the line on top of the $IncludeConfig statement. More on different formatting templates available in documentation. https://www.rsyslog.com/doc/v8-stable/configuration/templates.html and rsyslog configuration in general https://www.rsyslog.com/doc/v8-stable/configuration/index.html Peter On Sat, Oct 24, 2020 at 2:06 AM Walton, Glenn <[email protected]> wrote: > Hello, thank you for any suggestions as to why the data is not captured in > /var/log/messages. > > > > Data sent from a separate host on same subnet via: > > logger -p daemon.warn "to cpsyslog01 testing-d1023-t1855 > - on tcp 601" --tcp --port 601 --server 172.16.130.19 > > > > attachment shows data received on the syslog host port 601. Including here > the raw pcap file and also as viewed in wireshark. Regards, > > > > glenn > > > > > > > > *From:* Peter Viskup <[email protected]> > *Sent:* Friday, October 23, 2020 12:23 AM > *To:* rsyslog-users <[email protected]> > *Cc:* Walton, Glenn <[email protected]> > *Subject:* Re: [rsyslog] Rsyslog issue - when imptcp & imtcp/TLS on same > system - imptcp messages received in Rsyslogd not added to log file > > > > Hello Glenn, > > > > On Thu, Oct 22, 2020 at 11:26 PM Walton, Glenn via rsyslog < > [email protected]> wrote: > > Questions: > > 1. Its my understanding when configuring TLS with imtcp module that > imptcp should be used to provide a plain unencrypted TCP listener; is there > a better alternative, or any specific guidelines for this scenario ? > > Yes - you are right. It was already discussed some time ago. > > > http://rsyslog-users.1305293.n2.nabble.com/Mix-of-GTLS-and-PTCP-listeners-running-same-instance-tc7591434.html > <https://urldefense.proofpoint.com/v2/url?u=http-3A__rsyslog-2Dusers.1305293.n2.nabble.com_Mix-2Dof-2DGTLS-2Dand-2DPTCP-2Dlisteners-2Drunning-2Dsame-2Dinstance-2Dtc7591434.html&d=DwMFaQ&c=QbuapHRvbn0JdC8vTVkPHg&r=_uOhLqF-K0CY12pGqtX0shhCC7pwRurkKACc23Dc7FU&m=8oA6PA7H-RQqi6jqdDvIgdJgBNNcgLl1ahMKpTj13SE&s=j7v-ReHh3ivf6fOr7rDCtN3fcgaiabuaTEx4e4he8oM&e=> > > > Following bugreport is related. > > https://github.com/rsyslog/rsyslog/issues/3727 > <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_rsyslog_rsyslog_issues_3727&d=DwMFaQ&c=QbuapHRvbn0JdC8vTVkPHg&r=_uOhLqF-K0CY12pGqtX0shhCC7pwRurkKACc23Dc7FU&m=8oA6PA7H-RQqi6jqdDvIgdJgBNNcgLl1ahMKpTj13SE&s=Yg_bOUeegZhPrfyjnjGA9GR4oTkKmbtQ0kjDE3b3alw&e=> > > > > > 2. With imptcp in place, is there some extra configuration needed to > cause these incoming events to be written to the log file > (/var/log/messages) ? > > No extra configuration options are required. > > > > One of the reasons why you do not see the messages in /var/log/messages is > they are of debug syslog priority. Send the message examples you see on the > wire (running tcpdump). > > > > -- > > Peter > ------------------------------ > This message is intended only for the person(s) to which it is addressed > and may contain privileged, confidential and/or insider information. > If you have received this communication in error, please notify us > immediately by replying to the message and deleting it from your computer. > Any disclosure, copying, distribution, or the taking of any action > concerning > the contents of this message and any attachment(s) by anyone other > than the named recipient(s) is strictly prohibited. > _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
