Mailing List Archive

imkmsg absent from 8.2006; How to get imuxsock to read kernel messages?
Does anyone have any idea how to get imuxsock to read kernel messages?



We have been having trouble getting any rule in an imuxsock ruleset to read
kernel messages, in particular those from iptables. Without this, ruleset
functionality is not available.



Possibly, the difficulty is that imkmsg is absent on our systems and from
the latest rsyslog package available from the Adiscon repository (8.2006.0).
No obvious means exists to obtain or install this module. Does anyone have
this module installed?



imklog permits a standalone rule (i.e., outside an imuxsock ruleset) to
capture kernel messages, so at least they're not lost, but again, no ruleset
functionality is available.



We have attempted any number of configurations spanning rsyslog.conf,
journald.conf, and sysctl.conf, including creating listeners specifically
for /dev/kmsg, /proc/kmsg, /dev/log, and /run/systemd/journal/syslog, all
without success.



Many thanks for any suggestions.

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: imkmsg absent from 8.2006; How to get imuxsock to read kernel messages?
Did you have a look at imklog? That's the original module for kernel
messages. I admit I do not remember why exactly imkmsg was
contributed.

Rainer

On Fri, 3 Jul 2020 at 20:10, Eric Blomquist via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Does anyone have any idea how to get imuxsock to read kernel messages?
>
>
>
> We have been having trouble getting any rule in an imuxsock ruleset to read
> kernel messages, in particular those from iptables. Without this, ruleset
> functionality is not available.
>
>
>
> Possibly, the difficulty is that imkmsg is absent on our systems and from
> the latest rsyslog package available from the Adiscon repository (8.2006.0).
> No obvious means exists to obtain or install this module. Does anyone have
> this module installed?
>
>
>
> imklog permits a standalone rule (i.e., outside an imuxsock ruleset) to
> capture kernel messages, so at least they're not lost, but again, no ruleset
> functionality is available.
>
>
>
> We have attempted any number of configurations spanning rsyslog.conf,
> journald.conf, and sysctl.conf, including creating listeners specifically
> for /dev/kmsg, /proc/kmsg, /dev/log, and /run/systemd/journal/syslog, all
> without success.
>
>
>
> Many thanks for any suggestions.
>
Re: imkmsg absent from 8.2006; How to get imuxsock to read kernel messages?
Thanks for responding.

Yes, of course. imklog was the first thing I tried, and it has been configured to load throughout this process.

In fact, I experimented with a great number of alternative configurations before I thought to try substituting imkmsg for imklog, only to discover that imkmsg was/is missing.

No matter what we do, no rule in an imuxsock ruleset (even *.*) reads iptables log messages.

We know the messages exist, both from running dmesg and because standalone rules (outside an imuxsock ruleset) read the messages.

I experimented with all varieties of syntax, filter, filter text, operator, and property. None had any effect. I experimented with imuxsock listeners on all obvious sockets, and all failed.

I also experimented with both means of interfacing with systemd-journald (i.e., configuring journald.conf with the "ForwardToSyslog=yes" directive, and via imjournal), with no effect.

All that seems to be left (besides giving imkmsg a try) is something to do with the imuxsock module and how it handles kernel messages, and we can't figure it out.

Having ruleset capability for iptables messages would be a big help, and this seems to depend on imuxsock.

Thoughts?

-ERB


-----Original Message-----
From: Rainer Gerhards [mailto:rgerhards@hq.adiscon.com]
Sent: Sunday, July 05, 2020 2:01 AM
To: rsyslog-users
Cc: Eric Blomquist
Subject: Re: [rsyslog] imkmsg absent from 8.2006; How to get imuxsock to read kernel messages?

Did you have a look at imklog? That's the original module for kernel
messages. I admit I do not remember why exactly imkmsg was
contributed.

Rainer

Re: imkmsg absent from 8.2006; How to get imuxsock to read kernel messages?
Quick question:

Have you posted your config files (or a simplified test case that can reproduce the problem) somewhere? Others could take a look and compare against their own setup to see if the problem can be better spotted that way.

-----Original Message-----
From: rsyslog <rsyslog-bounces@lists.adiscon.com> On Behalf Of Eric Blomquist via rsyslog
Sent: Sunday, July 5, 2020 2:42 PM
To: 'Rainer Gerhards' <rgerhards@hq.adiscon.com>; 'rsyslog-users' <rsyslog@lists.adiscon.com>
Cc: Eric Blomquist <eb@bqco.com>
Subject: Re: [rsyslog] imkmsg absent from 8.2006; How to get imuxsock to read kernel messages?

Thanks for responding.

Yes, of course. imklog was the first thing I tried, and it has been configured to load throughout this process.

In fact, I experimented with a great number of alternative configurations before I thought to try substituting imkmsg for imklog, only to discover that imkmsg was/is missing.

No matter what we do, no rule in an imuxsock ruleset (even *.*) reads iptables log messages.

We know the messages exist, both from running dmesg and because standalone rules (outside an imuxsock ruleset) read the messages.

I experimented with all varieties of syntax, filter, filter text, operator, and property. None had any effect. I experimented with imuxsock listeners on all obvious sockets, and all failed.

I also experimented with both means of interfacing with systemd-journald (i.e., configuring journald.conf with the "ForwardToSyslog=yes" directive, and via imjournal), with no effect.

All that seems to be left (besides giving imkmsg a try) is something to do with the imuxsock module and how it handles kernel messages, and we can't figure it out.

Having ruleset capability for iptables messages would be a big help, and this seems to depend on imuxsock.

Thoughts?

-ERB


Re: imkmsg absent from 8.2006; How to get imuxsock to read kernel messages?
please post your config

David Lang

On Sun, 5 Jul 2020, Eric Blomquist via rsyslog wrote:

> Date: Sun, 5 Jul 2020 12:42:00 -0700
> From: Eric Blomquist via rsyslog <rsyslog@lists.adiscon.com>
> To: 'Rainer Gerhards' <rgerhards@hq.adiscon.com>,
> 'rsyslog-users' <rsyslog@lists.adiscon.com>
> Cc: Eric Blomquist <eb@bqco.com>
> Subject: Re: [rsyslog] imkmsg absent from 8.2006; How to get imuxsock to read
> kernel messages?
>
> Thanks for responding.
>
> Yes, of course. imklog was the first thing I tried, and it has been configured to load throughout this process.
>
> In fact, I experimented with a great number of alternative configurations before I thought to try substituting imkmsg for imklog, only to discover that imkmsg was/is missing.
>
> No matter what we do, no rule in an imuxsock ruleset (even *.*) reads iptables log messages.
>
> We know the messages exist, both from running dmesg and because standalone rules (outside an imuxsock ruleset) read the messages.
>
> I experimented with all varieties of syntax, filter, filter text, operator, and property. None had any effect. I experimented with imuxsock listeners on all obvious sockets, and all failed.
>
> I also experimented with both means of interfacing with systemd-journald (i.e., configuring journald.conf with the "ForwardToSyslog=yes" directive, and via imjournal), with no effect.
>
> All that seems to be left (besides giving imkmsg a try) is something to do with the imuxsock module and how it handles kernel messages, and we can't figure it out.
>
> Having ruleset capability for iptables messages would be a big help, and this seems to depend on imuxsock.
>
> Thoughts?
>
> -ERB
Re: imkmsg absent from 8.2006; How to get imuxsock to read kernel messages?
The experimental config file is attached, which has all the A/B tests, with associated comments.

I didn't receive the intervening post wondering whether I had posted the config file somewhere, but I did post it at https://github.com/rsyslog/rsyslog/issues/4299, and it also can be accessed there.

-ERB


-----Original Message-----
From: David Lang [mailto:david@lang.hm]
Sent: Sunday, July 05, 2020 5:48 PM
To: Eric Blomquist via rsyslog
Cc: 'Rainer Gerhards'; Eric Blomquist
Subject: Re: [rsyslog] imkmsg absent from 8.2006; How to get imuxsock to read kernel messages?

please post your config

David Lang
