Strange problem with rsyslog

Discussion in 'Linux Networking' started by Jarosław Rafa, Feb 14, 2014.

  1. I have a strange problem with rsyslog. I have experienced it on three
    different machines with different OSes (Fedora, CentOS, Ubuntu) and
    different rsyslog versions, have googled for a solution to no avail. I
    have no idea what might be going on, maybe someone can help?

    The problem is, rsyslogd does not show in logs the messages coming in
    from remote machines. Of course, I have the required directives $ModLoad
    imudp and $UDPServerRun 514 in the config file, I have also put a
    catch-all rule *.* /var/log/alllog on top of all the rules to not miss
    any message. However, both in the alllog file and in the
    other /var/log/* files there are only messages generated by the local
    host.

    Netstat shows that rsyslogd is listening on UDP port 514. Tcpdump shows
    that messages from other machines are coming in at UDP port 514. But
    rsyslogd even started in debug mode ("-d" switch) does not show any
    trace of these messages (however, it informs precisely about any of the
    local host generated messages).

    What's more interesting, when I tried to send a test message from
    another computer to rsyslog using a method I found on some forum:

    echo "test message" | nc -w0 -u 192.168.2.5 514

    (where 192.168.2.5 is the address of the problematic rsyslogd machine),
    this message *is* logged by rsyslogd in the alllog file.

    How to solve this???
     
    Jarosław Rafa, Feb 14, 2014
    #1

  2. Jarosław Rafa

    Jorgen Grahn Guest

    Yes. I /do/ know that a real message looks rather different from
    "test message", but it's weird that a broken message would get through
    and a normal one would not.

    (A real message would encode things as facility, and I think also the
    timestamp.)

    Other than that, I agree with both of you. I would also tcpdump and
    so on. strace(1) on rsyslogd too, except you have confirmed already
    that it's actually listening.

    /Jorgen
     
    Jorgen Grahn, Feb 15, 2014
    #2
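
Added example, not part of any post in this thread: a probe that sends both the bare `nc`-style payload and an RFC 3164-framed message (the `<PRI>` facility/severity header plus timestamp mentioned above), so the two can be compared at the receiver. The function names, the host name `testhost` and the tag `probe` are assumptions made for illustration.

```python
import socket
import sys
import time

# RFC 3164 facility and severity codes (subset).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITY = {"err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def build_rfc3164(facility, severity, host, tag, text, when=None):
    """Return a BSD-syslog datagram: <PRI>Mmm dd hh:mm:ss host tag: text"""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    t = time.localtime(when)
    # RFC 3164 pads a single-digit day with a space, not a zero.
    stamp = "%s %2d %02d:%02d:%02d" % (
        MONTHS[t.tm_mon - 1], t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)
    return ("<%d>%s %s %s: %s" % (pri, stamp, host, tag, text)).encode("ascii")

def parse_pri(datagram):
    """Return (facility, severity), or None when there is no valid <PRI>.

    RFC 3164 section 4.3.3 tells a relay to assume priority 13
    (user.notice) for such a message instead of discarding it.
    """
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">", 1, 5)   # PRI is at most three digits
    if end == -1 or not datagram[1:end].isdigit():
        return None
    pri = int(datagram[1:end])
    if pri > 191:                     # highest value: facility 23, severity 7
        return None
    return divmod(pri, 8)

def send_udp(datagram, host, port=514):
    """Send one datagram to a syslog receiver over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))

if __name__ == "__main__":
    target = sys.argv[1]              # address of your own rsyslogd machine
    bare = b"test message\n"          # what the nc one-liner sends
    framed = build_rfc3164("local0", "info", "testhost", "probe",
                           "framed test message")
    for label, dgram in (("bare", bare), ("framed", framed)):
        print(label, parse_pri(dgram), dgram)
        send_udp(dgram, target)
```

If the bare payload shows up in the catch-all file and the framed one does not, the difference lies in how the receiver handles the header fields rather than in the network path.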

  3. *SKIP*
    That strongly suggests a configuration problem. Read carefully manpages
    and example configuration files of rsyslogd. Watch for words:
    "accept", "deny", "filter", and "remote". Check rsyslogd's manpage if
    it can show its idea about what final configuration it works with (may
    be in vain).
    Personally, my choice is do-one-thing-and-do-it-good
    'inetutils-syslogd'.
     
    Eric Pozharski, Feb 15, 2014
    #3
