Mailing List Archive

Weird issue not able to log to file or remote
Hey all,

So I have AudioCodes Mediant VE SBC devices shipping logs to a Linux syslog
forwarder running rsyslog. Here is the config I'm using:

$ModLoad imudp
ruleset(name="rulesettt"){
action(type="omfwd" Target="REDACTED" Port="1516" Protocol="tcp"
Template="RSYSLOG_SyslogProtocol23Format")
action(type="omfile" File="/tmp/output.log")
}
input(type="imudp" port="5155" ruleset=" rulesettt ")


The remote host never receives anything from this and the /tmp/output.log
is never created. I've taken a packet capture from the syslog forwarder and
I can see all the traffic from the devices getting to the forwarder and see
all the syslog messages. I am completely lost as to what this could be.....
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Weird issue not able to log to file or remote [ In reply to ]
the 'typical' cause of this is iptables rules blocking access

if you can't send logs to the target on port 1516, the queue will build

enable impstats and see what the queue looks like (it helps to add name='foo' to
the actions so the impstats output has the names rather than just action #)

David Lang


On Mon, 22 Feb 2021, ryan woods via rsyslog wrote:

> Date: Mon, 22 Feb 2021 19:14:31 +0000
> From: ryan woods via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: ryan woods <rw170600@gmail.com>
> Subject: [rsyslog] Weird issue not able to log to file or remote
>
> Hey all,
>
> So I have AudioCodes Mediant VE SBC devices shipping logs to a Linux syslog
> forwarder running rsyslog. Here is the config I'm using:
>
> $ModLoad imudp
> ruleset(name="rulesettt"){
> action(type="omfwd" Target="REDACTED" Port="1516" Protocol="tcp"
> Template="RSYSLOG_SyslogProtocol23Format")
> action(type="omfile" File="/tmp/output.log")
> }
> input(type="imudp" port="5155" ruleset=" rulesettt ")
>
>
> The remote host never receives anything from this and the /tmp/output.log
> is never created. I've taken a packet capture from the syslog forwarder and
> I can see all the traffic from the devices getting to the forwarder and see
> all the syslog messages. I am completely lost as to what this could be.....
Re: Weird issue not able to log to file or remote [ In reply to ]
If the first action in the ruleset blocks, then the second action is never reached (the scenario David is describing). Reverse the order of the actions so that the file write is first, then see what you get.

But yes, enable impstats… it’s WELL worth the effort!

Regards,

> On Feb 22, 2021, at 13:25, David Lang via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
> the 'typical' cause of this is iptables rules blocking access
>
> if you can't send logs to the target on port 1516, the queue will build
>
> enable impstats and see what the queue looks like (it helps to add name='foo' to the actions so the impstats output has the names rather than just action #)
>
> David Lang
Re: Weird issue not able to log to file or remote [ In reply to ]
if they are reversed and the remote send blocks, you will see 1 log in the file,
then everything will block.

David Lang

On Mon, 22 Feb 2021, John Chivian wrote:

> If the first action in the ruleset blocks, then the second action is never reached (the scenario David is describing). Reverse the order of the actions so that the file write is first, then see what you get.
>
> But yes, enable impstats… it’s WELL worth the effort!
>
> Regards,
Re: Weird issue not able to log to file or remote [ In reply to ]
Interesting, I didn’t realize that, probably because I never experience it. Something I now realize is attributed to having explicitly defined queues on all TCP omfwd destinations.

Thanks David, learn something new every day!



> On Feb 22, 2021, at 13:40, David Lang <david@lang.hm> wrote:
>
> if they are reversed and the remote send blocks, you will see 1 log in the file, then everything will block.
>
> David Lang
Re: Weird issue not able to log to file or remote [ In reply to ]
You can also use previous_action_suspended() to detect the situation
when the output blocks and take appropriate fallback actions.

https://www.rsyslog.com/doc/v8-stable/rainerscript/functions/rs-previous_action_suspended.html

On 22.02.2021 20:50, John Chivian via rsyslog wrote:
> Interesting, I didn’t realize that, probably because I never experience it. Something I now realize is attributed to having explicitly defined queues on all TCP omfwd destinations.
>
> Thanks David, learn something new every day!
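The suggestions made across this thread (named actions, impstats, a dedicated queue on the TCP omfwd destination, and a previous_action_suspended() fallback), gathered into one configuration as an added example; it is not taken from any poster's setup. The target collector.example.net, the action and ruleset names, the stats and fallback file paths, the queue sizes and the work directory are assumptions; ports 5155 and 1516 and /tmp/output.log come from the original post.

```conf
# Added example, not a poster's configuration. Names, sizes and paths other
# than ports 5155/1516 and /tmp/output.log are assumed placeholders.

# Spool directory for disk-assisted queues; it must exist and be writable.
global(workDirectory="/var/spool/rsyslog")

module(load="imudp")

# Periodic counters written to their own file, so they stay readable even
# when the forwarding path is stuck.
module(load="impstats" interval="60" severity="7"
       log.syslog="off" log.file="/var/log/rsyslog-stats.log")

# Variant 1: the local file is written first, and the TCP forwarder has its
# own queue, so an unreachable collector fills that queue instead of
# stalling the whole ruleset.
ruleset(name="sbc_queued") {
    action(name="sbc_local_file" type="omfile" file="/tmp/output.log")
    action(name="sbc_fwd_tcp" type="omfwd"
           target="collector.example.net" port="1516" protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format"
           queue.type="LinkedList" queue.size="50000"
           queue.filename="sbc_fwd_tcp" queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}

# Variant 2: no action queue; when the forwarder is suspended, the message
# is written to a fallback file instead.
ruleset(name="sbc_fallback") {
    action(name="sbc_fwd_direct" type="omfwd"
           target="collector.example.net" port="1516" protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format")
    if previous_action_suspended() then {
        action(name="sbc_unsent_file" type="omfile"
               file="/tmp/output-unsent.log")
    }
}

# Bind the UDP listener to one of the rulesets; the name must match exactly.
input(type="imudp" port="5155" ruleset="sbc_queued")
```

With named actions, the impstats file reports counters such as `processed`, `failed` and `suspended` per action name, and `size` and `enqueued` for the action's queue, which shows whether the forwarder is the component holding messages back.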