Rsyslog not pushing the logs

I’m trying in any way to get this done :))

So, the Graylog input is configured like this (screenshot below):
image

rsyslog file


# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#
# NOTE(review): this is the rsyslog config on the GRAYLOG HOST itself (the
# poster confirms that further down in the thread), not on a client. Keep that
# in mind when reading the listener and forwarding lines below.


#################
#### MODULES ####
#################

# NOTE(review): with imuxsock commented out nothing reads the system log
# socket on this host, so local messages (sshd, sudo, cron, `logger`, ...) are
# not collected. It is re-enabled in the later versions of this file.
#module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
# NOTE(review): this binds UDP 1514 on the Graylog host -- the same port the
# Graylog syslog input is expected to use (the thread tests 1514 and the
# iptables rules redirect to it). Two processes normally cannot both bind the
# same UDP port, so whichever starts first wins and the other fails to bind.
# The poster later attributes the fix to moving rsyslog off 1514, but the
# thread does not prove it: an intermediate version posted below has imudp
# disabled while the problem persisted.
module(load="imudp")
input(type="imudp" port="1514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
# Collapses runs of identical messages into a single "last message repeated N
# times" line. Fine for local files, but it drops the individual events and
# their timestamps; for a host feeding a SIEM consider turning it off.
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# rsyslogd starts as root (needed e.g. to bind ports below 1024) and then drops
# to syslog:syslog; the "userid changed" lines in the systemctl output further
# down the thread confirm the drop happens.
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
# NOTE(review): this template is defined but never referenced -- the forwarding
# action below names the built-in RSYSLOG_SyslogProtocol23Format (an RFC 5424
# layout) instead, so this line is dead config and can be removed.
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
# Forward everything to 10.x.x.39:1514 (address redacted by the poster), which
# per the rest of the thread is this host's own Graylog input. A single "@"
# means plain UDP: no encryption, no authentication and no delivery guarantee,
# so a dropped or forged datagram is undetectable. For log integrity prefer
# "@@" (TCP) with TLS (omfwd StreamDriver="gtls") or RELP, and give the action
# a disk-assisted queue so messages are not lost while the collector is down.
*.* @10......39:1514;RSYSLOG_SyslogProtocol23Format

Hello @adrianrus

Perhaps this may help

  • Here is my rsyslog configuration on CentOS 7 (comments and blank lines stripped by the grep):
[root@graylog server]# cat /etc/rsyslog.conf | egrep -v "^\s*(#|$)"
# (the pipeline above only strips comment and blank lines;
#  `grep -Ev '^\s*(#|$)' /etc/rsyslog.conf` does the same without the extra cat)
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
# imudp is loaded but no $UDPServerRun / input() follows in this file, so this
# host does not listen for UDP syslog unless a file in /etc/rsyslog.d/ adds a
# listener -- otherwise this is harmless dead config.
$ModLoad imudp
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
# Local messages arrive via imjournal; $OmitLocalLogging stops imuxsock from
# also reading the system log socket, which would duplicate every local line.
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
kern.debug /var/log/firewall.log
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
# NOTE(review): 8.8.8.8 is a public Google DNS address and is presumably a
# placeholder for the real collector. As written this would send every log
# line, unencrypted over UDP, to a host on the Internet -- do not copy it
# verbatim. A single "@" (UDP) also gives no authentication or delivery
# guarantee; prefer "@@" (TCP) with TLS or RELP for anything that matters.
*.*@8.8.8.8:5140
[root@graylog server]#
  • Here is my rsyslog configuration on Ubuntu 20 (same filter applied):
root@ansible:/usr/local/bin# cat /etc/rsyslog.conf | egrep -v "^\s*(#|$)"
module(load="imuxsock") # provides support for local system logging
# Forward everything to the collector over plain UDP ("@"): no encryption, no
# authentication, no delivery guarantee. Placed before $IncludeConfig, this
# action is evaluated before any rule in /etc/rsyslog.d/, so discards there do
# not reduce what is forwarded. Prefer "@@" (TCP) with TLS or RELP plus an
# action queue if these logs matter for detection or forensics.
*.* @10.10.10.10:8514
module(load="imklog" permitnonkernelfacility="on")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
root@ansible:/usr/local/bin#

Results:

UBUNTU here, yes.

Can you telnet from the ‘client server’ to Graylog Server on 1514 ?
I can telnet to the Elasticsearch port 9200 from the client (side note: Elasticsearch's REST port being reachable from other hosts is itself a risk unless it is authenticated or firewalled; it is normally bound to localhost or the Graylog node only)
image

also the api
image

but on 1514 there is no one home :smiley:

image

As seen, the firewall is also off (the filter table below has an ACCEPT policy and no rules — which also means nothing restricts who can send to these ports).

So, does yours respond to telnet on 1514 please?

I also tried on Graylog server itself to telnet itself on 1514 and is not.

But I also know that a failed telnet can be normal: telnet only tests TCP, so a Graylog input that is UDP-only will never answer a telnet connect even when it is receiving fine. Anyway, I'm trying to compare with your setup, which is working.

Thank you

No, unable to connect — and that is on a working Graylog server, so a failed telnet to 1514 by itself does not mean the input is broken.
Try changing the input's bind address to 0.0.0.0 (all interfaces). Note this exposes the input on every network the host is attached to, so pair it with a firewall rule limiting the source to your clients.

tried 0.0.0.0, same issue.

so my iptables is like this:

# Generated by iptables-save v1.8.4 on Mon Sep 26 20:04:24 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# REDIRECT in nat/PREROUTING rewrites the destination port of packets ARRIVING
# from other hosts, so clients that send to the standard syslog port 514 land on
# Graylog's 1514 input. It never sees locally generated packets (those traverse
# nat/OUTPUT instead), and it has no effect on which local process owns 1514.
-A PREROUTING -p tcp -m tcp --dport 514 -j REDIRECT --to-ports 1514
-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 1514
COMMIT
# Completed on Mon Sep 26 20:04:24 2022
# Generated by iptables-save v1.8.4 on Mon Sep 26 20:04:24 2022
*filter
# NOTE(review): the filter table is wide open -- INPUT policy ACCEPT with no
# rules (the counters show traffic is flowing). Nothing limits who can deliver
# syslog to 514/1514, and because the transport is plain UDP, any host that can
# reach this machine can inject forged events into Graylog. At minimum allow
# udp/tcp 514 and 1514 only from the client subnet and drop the rest.
:INPUT ACCEPT [27282:7586167]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24883:5772066]
COMMIT
# Completed on Mon Sep 26 20:04:24 2022

RSYSLOG (Graylog server, current version):


# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#
# NOTE(review): second version of the rsyslog config on the GRAYLOG HOST
# (the poster says so below). Compared with the first version, imuxsock is now
# enabled and the UDP 1514 listener is commented out.


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
# With imudp commented out this rsyslog no longer binds 1514, so it is not
# competing with Graylog's input for the port. The poster reports the problem
# still present at this point, so the port clash alone does not explain it.
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
# Collapses runs of identical messages into "last message repeated N times";
# convenient locally, but individual events and timestamps are lost.
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# Start as root, then drop to syslog:syslog for the running daemon.
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
# NOTE(review): template defined but never used -- the action below names the
# built-in RSYSLOG_SyslogProtocol23Format instead. Dead config.
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
# Forward everything over plain UDP ("@") to 10.x.x.39:1514 (redacted), which
# per the thread is this host's own Graylog input. No encryption, no
# authentication, no delivery guarantee; prefer "@@" (TCP) with TLS or RELP
# and a disk-assisted queue if these logs feed detection or forensics.
*.* @10.....39:1514;RSYSLOG_SyslogProtocol23Format

status (systemctl, on the Graylog server):


root@ipt-fr-log-01-v2:~# systemctl status rsyslog
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-09-27 09:26:55 UTC; 11s ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             https://www.rsyslog.com/doc/
   Main PID: 2105 (rsyslogd)
      Tasks: 5 (limit: 9508)
     Memory: 1.3M
     CGroup: /system.slice/rsyslog.service
             └─2105 /usr/sbin/rsyslogd -n -iNONE

Sep 27 09:26:55 ipt-fr-log-01-v2 systemd[1]: rsyslog.service: Succeeded.
Sep 27 09:26:55 ipt-fr-log-01-v2 systemd[1]: Stopped System Logging Service.
Sep 27 09:26:55 ipt-fr-log-01-v2 systemd[1]: Starting System Logging Service...
Sep 27 09:26:55 ipt-fr-log-01-v2 rsyslogd[2105]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from >
Sep 27 09:26:55 ipt-fr-log-01-v2 systemd[1]: Started System Logging Service.
Sep 27 09:26:55 ipt-fr-log-01-v2 rsyslogd[2105]: rsyslogd's groupid changed to 110
Sep 27 09:26:55 ipt-fr-log-01-v2 rsyslogd[2105]: rsyslogd's userid changed to 104
Sep 27 09:26:55 ipt-fr-log-01-v2 rsyslogd[2105]: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="2105" x-info="htt>
lines 1-20/20 (END)

^^^all these on the GRAYLOG SERVER ^^^^^

on the CLIENT Server iptables is the same and

RSYSLOG is like this:


module(load="imuxsock") # provides support for local system logging
# Forward everything (including authpriv: sudo, sshd, su) to the Graylog input
# at 10.204.68.39:1514. A single "@" is plain UDP: unencrypted, unauthenticated
# and unacknowledged, so lost or spoofed messages cannot be detected. For logs
# used in detection or forensics prefer "@@" (TCP) with TLS (omfwd
# StreamDriver="gtls") or RELP, plus a disk-assisted action queue so nothing is
# dropped while the collector is unreachable. Because this action sits before
# $IncludeConfig it is evaluated before any rule in /etc/rsyslog.d/.
*.* @10.204.68.39:1514
module(load="imklog" permitnonkernelfacility="on")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Collapses repeated identical messages into "last message repeated N times";
# it is a global setting, so it may also thin out what is forwarded.
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# Start as root, then drop privileges to syslog:syslog for the running daemon.
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
# Pulls in the distro defaults (50-default.conf) that write the local files.
$IncludeConfig /etc/rsyslog.d/*.conf

On the client the forwarding line should be last (after `$IncludeConfig`), so that it is evaluated after the rules pulled in from /etc/rsyslog.d/ and only forwards what those rules have not already discarded. On the server the rsyslog config is irrelevant to receiving from clients — Graylog's input listens on 1514 itself — as long as rsyslog does not bind the same port Graylog needs, and unless you also want to collect the Graylog server's own logs.

So, your iptables looks like this? Or you have any rules?

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Solved.
on the Graylog server side:

root@i:~# cat /etc/rsyslog.conf


# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#
# NOTE(review): the "solved" rsyslog config on the GRAYLOG HOST. rsyslog now
# binds 514 TCP+UDP instead of 1514. The poster attributes the fix to this
# change; it does leave 1514 free for Graylog's input, but the thread does not
# show what else changed (an earlier version with imudp disabled entirely was
# still failing), so treat the diagnosis as the poster's account, not a
# confirmed root cause.


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
# NOTE(review): with the nat PREROUTING REDIRECT 514->1514 still in place,
# syslog arriving from other hosts on 514 is diverted to Graylog before rsyslog
# sees it, so these two listeners only receive non-redirected traffic (e.g.
# locally generated packets to 127.0.0.1:514). If this host does not need to
# receive syslog itself, remove imudp/imtcp: every open port is attack surface,
# and the filter table has no rule restricting them.
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
# Collapses runs of identical messages into "last message repeated N times";
# individual events and timestamps are lost, which a SIEM may care about.
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# Start as root (needed to bind 514, which is below 1024), then drop to
# syslog:syslog for the running daemon.
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
# NOTE(review): the "*.* @...:1514" forwarding action present in the earlier
# versions is gone, so the Graylog host's own logs (sshd, sudo, rsyslog errors)
# are no longer sent to Graylog unless a file in /etc/rsyslog.d/ does it --
# check that this is intended.
$IncludeConfig /etc/rsyslog.d/*.conf
~

The issue was this line: `input(type="imudp" port="514")` — the Graylog server's own rsyslog had been listening on 1514, the port Graylog's input needs, and changing it to 514 freed that port (at least, that is what I believe fixed it).
I was redirecting 514 to 1514 with iptables, but understood too late that the nat PREROUTING REDIRECT only applies to packets arriving from the clients — it does nothing for locally generated traffic and nothing about which local process holds port 1514… damn thing.


# Generated by iptables-save v1.8.4 on Mon Sep 26 20:04:24 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# REDIRECT in nat/PREROUTING rewrites the destination port of packets ARRIVING
# from other hosts, so clients that send to the standard syslog port 514 land on
# Graylog's 1514 input. Locally generated packets traverse nat/OUTPUT instead
# and are not affected, and the rule says nothing about which process owns 1514.
-A PREROUTING -p tcp -m tcp --dport 514 -j REDIRECT --to-ports 1514
-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 1514
COMMIT
# Completed on Mon Sep 26 20:04:24 2022
# Generated by iptables-save v1.8.4 on Mon Sep 26 20:04:24 2022
*filter
# NOTE(review): no filter rules at all, INPUT policy ACCEPT. Anyone who can
# reach this host can send syslog to 514/1514 and, since the transport is plain
# UDP, inject forged events into Graylog. Restrict udp/tcp 514 and 1514 to the
# client subnet (and the other listening ports on this host likewise).
:INPUT ACCEPT [27282:7586167]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24883:5772066]
COMMIT
# Completed on Mon Sep 26 20:04:24 2022

on the client side i have it like this:


module(load="imuxsock") # provides support for local system logging
# Client side: forward everything to the Graylog input on port 1514 (address
# redacted by the poster). A single "@" is plain UDP -- no encryption, no
# authentication, no acknowledgement -- so lost or spoofed messages go
# unnoticed. For logs used in detection or forensics prefer "@@" (TCP) with
# TLS (omfwd StreamDriver="gtls") or RELP and add a disk-assisted action queue
# so nothing is dropped while the collector is unreachable. Sitting before
# $IncludeConfig, the action runs before any rule in /etc/rsyslog.d/.
*.* @10.......9:1514
module(load="imklog" permitnonkernelfacility="on")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Global duplicate suppression ("last message repeated N times"); may also thin
# out what is forwarded.
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# Start as root, then drop privileges to syslog:syslog.
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
# Distro defaults (50-default.conf) that write the local log files.
$IncludeConfig /etc/rsyslog.d/*.conf
