I am running a central log server with rsyslog-8.2006 and the latest release of RHEL7.
A few weeks ago logging stopped working for one type of client, our security group's (ISO) Palo Alto Network (PAN) devices. These log to a dedicated port (9022) using SSL and imtcp. I've tried both the ossl and gtls drivers and get the same result: tcpdump shows network traffic from the clients and lsof shows established connections, but no logging is taking place. Logging via the same port/config works fine for Linux rsyslog clients I've tested. It sure seems like a client or a network issue to me:
imtcp.c : nsd_ossl.c: osslRecordRecv: Errno 104, connection resetted by peer
But our ISO group is at a loss and I have no more ideas. I'm hoping that someone can look at my config and error logs and confirm this is a client issue and/or give me any suggestions for further debugging.
To minimize the configuration debugging and noise, today I had the ISO folk point a single PAN device to a standby rsyslog server identical to the production server. I then removed all client logging configuration on the standby except for the PAN client configuration.
Attached (rsyslog_debug_fail.log.gz) is a debug log after starting rsyslog, waiting a few minutes, and stopping rsyslog.
Attached also are my config files.
Thanks for any advice.
Tod A. Sandman
Office of Information Technology
Rice University