Although I never use the old syntax, for what you’re attempting I don’t think
the *.* in front of the action statement is needed.
ruleset (…) {
    action1(…)
    action2(…)
    if (something) then stop
    action3(…)
    if (somethingElse) then {
        call ruleset2
    } else {
        call ruleset3
        action4(…)
    }
}
> Apr 12, 2021, at 06:47, Erik.Moritz--- via rsyslog
> <[email protected]> wrote:
>
> Hello,
>
> any ideas from anyone?
> Last try with updated config:
>
> # Provides UDP syslog reception
> $ModLoad imudp
> ruleset(name="remote") {
>     *.* action(type="omfile" file="/app/FW_log/fw_traffic.log")
> }
> # Bind the UDP input to the "remote" rule set
> $InputUDPServerBindRuleset remote
> # End the rule set by switching back to the default rule set
> $RuleSet RSYSLOG_DefaultRuleset
> $UDPServerRun 514
>
> But didn't help to gather logs from FW
>
> Kind regards,
> Erik
>
> -----Original Message-----
> From: rsyslog <[email protected]> On behalf of
> Erik.Moritz--- via rsyslog
> Sent: Friday, 26 March 2021 16:30
> To: [email protected]
> Cc: Moritz, Erik <[email protected]>
> Subject: [rsyslog] rsyslog fails to collect FW traffic logs
>
> Hello,
>
> maybe someone can give me the hint I need. I am trying to collect traffic
> logs from the FW with rsyslogd on a rhel7 system
>
> rsyslog-8.24.0-57.el7_9.x86_64
>
> linux FW is disabled
> #firewall-cmd --state
> not running
>
> /etc/rsyslog.conf
>
> # Provides UDP syslog reception
> $ModLoad imudp
> $RuleSet remote
> *.* /app/FW_log/fw_traffic.log
> # Bind the UDP input to the "remote" rule set
> $InputUDPServerBindRuleset remote
> # End the rule set by switching back to the default rule set
> $RuleSet RSYSLOG_DefaultRuleset
> $UDPServerRun 514
>
> Rsyslog is listening on 514
>
> netstat -tulpen | grep rsyslog
> udp   0  0 0.0.0.0:45073  0.0.0.0:*  0  204418  7730/rsyslogd
> udp   0  0 0.0.0.0:48919  0.0.0.0:*  0  204412  7730/rsyslogd
> udp   0  0 0.0.0.0:52741  0.0.0.0:*  0  204411  7730/rsyslogd
> udp   0  0 0.0.0.0:57513  0.0.0.0:*  0  204413  7730/rsyslogd
> udp   0  0 0.0.0.0:514    0.0.0.0:*  0  225843  7730/rsyslogd
> udp6  0  0 :::514         :::*       0  225844  7730/rsyslogd
>
>
> messages are being sent by the FW
> 160.xxx.xxx.xxx = dffmz01sysl01p
> 6.xxx.xxx.xxx = FW
> On the rsyslog server
> tcpdump -i any | more
> 13:24:36.640675 IP 6.xxx.xxx.xxx.9688 > 160.xxx.xxx.xxx.syslog: SYSLOG local7.notice, length: 647
> 13:24:36.640675 IP 6.xxx.xxx.xxx.9688 > 160.xxx.xxx.xxx.syslog: SYSLOG local7.notice, length: 647
>
> FW is sending logs via port 514:
> 14:52:37.140824 IP 6.xxx.xxx.xxx.3353 > 160.xxx.xxx.xxx.514: SYSLOG local7.notice, length: 606
> 14:52:37.140823 IP 6.xxx.xxx.xxx.15482 > 160.xxx.xxx.xxx.514: SYSLOG local7.notice, length: 647
>
> Ncat works for localhost and from the firewall
>
> [Expert@FW:0]# nc -u 160.xxx.xxx.xxx 514 test from admin firewall
>
> # tail -4 fw_traffic.log
> 2021-03-26T12:44:36.735062+01:00 testmessage by netcat udp
> 2021-03-26T13:21:50.162778+01:00 testmessage by netcat udp
> 2021-03-26T15:55:55.209019+01:00 test from admin firewall
> 2021-03-26T15:57:14.529362+01:00 test from admin firewall
>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
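For reference, the receiver configuration the thread is converging on, written entirely in rsyslog's current RainerScript syntax rather than the mixed legacy/new form quoted above. This is an added example, not text from either message; it keeps Erik's file path and port, and assumes it is dropped into /etc/rsyslog.d/remote.conf (the RHEL 7 stock rsyslog.conf includes /etc/rsyslog.d/*.conf by default; the file name itself is an assumption).

```conf
# Added example (not from the thread): the quoted config in pure RainerScript.
# Assumed location: /etc/rsyslog.d/remote.conf

# Load the UDP input module once; replaces "$ModLoad imudp".
module(load="imudp")

# Every message the bound input receives enters this ruleset directly,
# so no "*.*" selector is needed in front of the action.
ruleset(name="remote") {
    action(type="omfile" file="/app/FW_log/fw_traffic.log")
}

# Replaces "$InputUDPServerBindRuleset remote" followed by "$UDPServerRun 514":
# the listener is created and bound to the ruleset in one statement, so the
# "$RuleSet RSYSLOG_DefaultRuleset" reset afterwards is no longer required.
input(type="imudp" port="514" ruleset="remote")
```

Check the file with `rsyslogd -N1` before restarting the service; it parses the configuration and reports syntax errors without starting the daemon. Because the input is bound to the ruleset, datagrams arriving on 514 never pass through the default ruleset, so they will not also land in /var/log/messages. When testing with netcat, prefix the payload with the same priority the firewall sends: local7 is facility 23 and notice is severity 5, so `echo '<189>test' | nc -u -w1 160.xxx.xxx.xxx 514` reproduces the `local7.notice` seen in the tcpdump output, whereas a bare string without a `<PRI>` header is parsed by rsyslog with a default priority and so does not exercise the same path.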