Mailing List Archive

Rsyslog issue - when imptcp & imtcp/TLS on same system - imptcp messages received in Rsyslogd not added to log file
Hello, We are experiencing an issue when using the Rsyslog imptcp module: data is received in the daemon (confirmed using debug mode) but the messages are not added to the log file /var/log/messages. This is a followup from an earlier thread on 10/16; based on feedback from DLang we have fixed the rsyslog.conf to remove legacy syntax for listeners and also tested in debug mode to confirm data is received.

Background: The RSyslog configuration requirement is listening on three ports - UDP 514, TCP/TLS on 6514, and plain TCP on port 601. Rsyslog.conf is attached. We have verified the ports are all open and reachable (netstat -tunlp shows listeners, verified firewall settings w/ firewall-cmd --list-ports and with semanage port -l).

Questions:

1. It's my understanding when configuring TLS with imtcp module that imptcp should be used to provide a plain unencrypted TCP listener; is there a better alternative, or any specific guidelines for this scenario?
2. With imptcp in place, is there some extra configuration needed to cause these incoming events to be written to the log file (/var/log/messages)?


Thank you,

Glenn w.

----------------------------------------------------------------------
This message is intended only for the person(s) to which it is addressed
and may contain privileged, confidential and/or insider information.
If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Any disclosure, copying, distribution, or the taking of any action concerning
the contents of this message and any attachment(s) by anyone other
than the named recipient(s) is strictly prohibited.
Re: Rsyslog issue - when imptcp & imtcp/TLS on same system - imptcp messages received in Rsyslogd not added to log file
Hello Glenn,

On Thu, Oct 22, 2020 at 11:26 PM Walton, Glenn via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> Questions:
>
> 1. Its my understanding when configuring TLS with imtcp module that
> imptcp should be used to provide a plain unencrypted TCP listener; is there
> a better alternative, or any specific guidelines for this scenario ?

Yes - you are right. It was already discussed some time ago.
http://rsyslog-users.1305293.n2.nabble.com/Mix-of-GTLS-and-PTCP-listeners-running-same-instance-tc7591434.html

The following bug report is related.
https://github.com/rsyslog/rsyslog/issues/3727


> 2. With imptcp in place, is there some extra configuration needed to
> cause these incoming events to be written to the log file
> (/var/log/messages) ?
>
No extra configuration options are required.

One of the reasons why you do not see the messages in /var/log/messages is
they are of debug syslog priority. Send the message examples you see on the
wire (running tcpdump).

--
Peter
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
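
The priority check suggested in the reply above, as an added example (not part of the original posts and not rsyslog code): it decodes the `<PRI>` value from a frame as captured with tcpdump and evaluates it against a traditional selector. The frames are constructed, the `/var/log/messages` rule is assumed to be the stock RHEL-family one (the poster's rsyslog.conf is not shown), and only plain `facility.level`, `none` and `*` selector forms are handled.

```python
import re

# Syslog facility and severity names indexed by numeric code (RFC 5424).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", None, None, None, None]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
# Optional RFC 6587 octet-count prefix, then <PRI>.
PRI_RE = re.compile(rb"^(?:\d+ )?<(\d{1,3})>")

def decode_pri(frame: bytes):
    """Return (facility, severity) names from the <PRI> at the start of a frame."""
    m = PRI_RE.match(frame)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid <PRI> header")
    pri = int(m.group(1))
    return FACILITIES[pri >> 3] or str(pri >> 3), SEVERITIES[pri & 7]

def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Evaluate a traditional selector; later parts override earlier ones."""
    sev, matched = SEVERITIES.index(severity), False
    for part in selector.split(";"):
        facs, _, level = part.strip().partition(".")
        if not {"*", facility} & set(facs.split(",")):
            continue
        level = ALIASES.get(level, level)
        if level == "none":
            matched = False
        elif level == "*":
            matched = True
        else:
            matched = sev <= SEVERITIES.index(level)  # this level or more severe
    return matched

def would_log(frame: bytes, selector: str) -> bool:
    return selector_matches(selector, *decode_pri(frame))

# Assumption: stock RHEL-family rule for /var/log/messages (not shown in the thread).
MESSAGES_RULE = "*.info;mail.none;authpriv.none;cron.none"
# Constructed frames, as they would appear in a tcpdump payload.
FRAMES = [
    b"<28>1 2020-10-23T18:55:00Z sender tester - - - test on tcp 601\n",  # daemon.warning
    b"<31>1 2020-10-23T18:55:01Z sender tester - - - verbose detail\n",   # daemon.debug
    b"59 <86>1 2020-10-23T18:55:02Z sender sshd - - - session opened",    # authpriv.info
]

if __name__ == "__main__":
    for f in FRAMES:
        print(decode_pri(f), "->", "logged" if would_log(f, MESSAGES_RULE) else "dropped")
```

A frame that decodes to a priority the rule accepts but still never reaches the file points away from the selector and toward an earlier rule that consumes or discards the message.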
Re: Rsyslog issue - when imptcp & imtcp/TLS on same system - imptcp messages received in Rsyslogd not added to log file
Hello, thank you for any suggestions as to why the data is not captured in /var/log/messages.

Data sent from a separate host on same subnet via:
logger -p daemon.warn "to cpsyslog01 testing-d1023-t1855 - on tcp 601" --tcp --port 601 --server 172.16.130.19

Attachment shows data received on the syslog host port 601. Including here the raw pcap file and also as viewed in wireshark. Regards,

glenn



Re: Rsyslog issue - when imptcp & imtcp/TLS on same system - imptcp messages received in Rsyslogd not added to log file
At first you may have a look into /etc/rsyslog.d/*.conf whether the
messages are not processed and filtered somewhere in those configuration
snippets.

You can try to log all messages flowing through the rsyslog to one file
with debug format:
*.* /var/log/debug;RSYSLOG_DebugFormat
Put the line on top of the $IncludeConfig statement.

More on different formatting templates available in documentation.
https://www.rsyslog.com/doc/v8-stable/configuration/templates.html
and rsyslog configuration in general
https://www.rsyslog.com/doc/v8-stable/configuration/index.html

Peter
