RSyslog Not working

rohitsharma888 · September 2, 2022, 8:52pm

We are using rsyslog to get the logs for RHEL 6,7,8 servers.

RHEL 7 and 8 is working fine and I am getting all logs on UDP/1514
RHEL 6 does not seem to work, we tried everything, dowgrading rpm, changing rsyslog.conf but with no luck. Firewall flows everything seems to be fine. Below is rsyslog conf

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# *.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
# authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
# mail.*                                                  -/var/log/maillog


# Log cron stuff
# cron.*                                                  /var/log/cron

# Everybody gets emergency messages
# *.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
# uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
# local7.*                                                /var/log/boot.log


# ### sample forwarding rule ###
#action(type="omfwd"
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1"       # unique name prefix for spool files
#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on"       # save messages to disk on shutdown
#queue.type="LinkedList"         # run asynchronously
#action.resumeRetryCount="-1"    # infinite retries if host is down
# Remote Logging (we use TCP for reliable delivery)
# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")

##################
#### TEMPLATES ###
##################

$template DYNmessages,"/var/log/messages"
$template DYNsudo,"/var/log/sudo.log"
$template DYNsecure,"/var/log/secure.log"
$template DYNerror,"/var/log/error.log"
$template DYNmaillog,"/var/log/maillog"
$template DYNcron,"/var/log/cron"
$template DYNspooler,"/var/log/spooler"
$template DYNboot,"/var/log/boot.log"
#$template DYNoracle,"/var/log/oracle.log"
$template DYNaudit,"/var/log/audit/audit.log"
#$template DYNpacemaker,"/var/log/pacemaker.log"
#$template DYNmysql,"/var/log/mysql.log"
$template DYNsophos,"/var/log/sophos.log"
$template DYNvas,"/var/log/vas.log"
$template DYNdnf,"/var/log/dnf.log"
$template DYNchrony,"/var/log/chrony/chrony.log"

#$RuleSet dfwcentral
if $programname == 'sudo' then ?DYNsudo
if $programname == 'audispd' then ?DYNaudit
if $programname == 'savd' then ?DYNsophos
if $programname == 'vasd' then ?DYNvas
if $programname == 'dnf' then ?DYNdnf
if $programname == 'chronyd' then ?DYNchrony
# if $syslogfacility-text == 'local6' and $programname == 'httpd' and not ($msg contains 'stats') and not ($msg contains 'NewRelic') then ?DYNgwaf

& stop

#Exclude syslog message from Oracle, audispd, httpd
:syslogtag, contains, "audispd" stop
#:syslogtag, contains, "sudo" stop
:syslogtag, contains,"lrmd" stop
:syslogtag, contains,"crmd" stop
:syslogtag, contains,"cib" stop
:syslogtag, contains,"pengine" stop
:syslogtag, contains,"mysql" stop
:syslogtag, contains, "Had" stop
:syslogtag, contains, "CmdServer" stop
:syslogtag, contains, "savd" stop
:syslogtag, contains, "vasd" stop
:syslogtag, contains, "vxvm" stop
:syslogtag, contains, "httpd" stop
:syslogtag, contains, "dnf" stop
#:syslogtag, contains, "chronyd" stop

kern.*,*.debug;*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;mail.none;authpriv.none;cron.none        ?DYNmessages
kern.*,*.debug;*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;authpriv.*;mail.none;cron.none        @x.x.x.x:1514
*.err                                           ?DYNerror
authpriv.*                                      ?DYNsecure
mail.*                                          -?DYNmaillog
cron.*                                          ?DYNcron
uucp,news.crit                                  ?DYNspooler
local7.*

gsmith · September 2, 2022, 9:47pm

Hello

What I don’t see is this section by its self, I do see it at the end of your configuration. Perhaps try something different or start small.

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
*.*@192.168.1.100:5140

Have you used tcpdump on graylog to see if any log are being sent from this remote device and or check the logs for rsyslog?

rohitsharma888 · September 12, 2022, 12:47pm

Hello

So I realized there is a bigger issue, I am not getting quite a few systems logs and those are RHEL 6,7 or 8. All logs are appearing in tcpdump on Graylog server but not captured by the input I have setup (port 1514), which is getting a few Linux logs( 40out of 400 systems) … Is there a threshold somewhere for Stream (Linux stream is created), I am getting all snare logs for windows machines using same input on port 1514/UDP.

gsmith · September 15, 2022, 11:47pm

Try to use a different log shipper. See if that works

system · September 29, 2022, 11:47pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Rsyslog not pushing the logs Graylog Central (peer support)	7	1008	October 12, 2022
Send data with rsyslog Graylog Central (peer support)	7	3941	September 3, 2019
RSYSLOG UDP works but not SYSLOG TCP Graylog Central (peer support)	9	11545	October 6, 2017
TCP Syslog does not work Graylog Central (peer support)	3	1242	May 28, 2019
Configuring Rsyslog Graylog Central (peer support) sidecar , nxlog , nodatanx	21	25723	December 25, 2017

RSyslog Not working

Related Topics