Mailing List Archive

rsyslog fails to collect FW traffic logs
Hello,

maybe someone can give me the hint I need. I am trying to collect traffic logs from the FW with rsyslogd on a RHEL7 system

rsyslog-8.24.0-57.el7_9.x86_64

linux FW is disabled
#firewall-cmd --state
not running

/etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$RuleSet remote1
*.* /app/FW_log/fw_traffic.log
$RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back to the default rule set
$InputUDPServerBindRuleset remote1 #Define a new input and bind it to the "remote1" rule set
$UDPServerRun 514

Rsyslog is listening on 514

netstat -tulpen | grep rsyslog
udp 0 0 0.0.0.0:45073 0.0.0.0:* 0 204418 7730/rsyslogd
udp 0 0 0.0.0.0:48919 0.0.0.0:* 0 204412 7730/rsyslogd
udp 0 0 0.0.0.0:52741 0.0.0.0:* 0 204411 7730/rsyslogd
udp 0 0 0.0.0.0:57513 0.0.0.0:* 0 204413 7730/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 0 225843 7730/rsyslogd
udp6 0 0 :::514 :::* 0 225844 7730/rsyslogd


messages are being sent by the FW
160.xxx.xxx.xxx = dffmz01sysl01p
6.xxx.xxx.xxx = FW
On the rsyslog server
tcpdump -i any | more
13:24:36.640675 IP 6.xxx.xxx.xxx.9688 > 160.xxx.xxx.xxx.syslog: SYSLOG local7.notice, length: 647
13:24:36.640675 IP 6.xxx.xxx.xxx.9688 > 160.xxx.xxx.xxx.syslog: SYSLOG local7.notice, length: 647

FW is sending logs via port 514:
14:52:37.140824 IP 6.xxx.xxx.xxx.3353 > 160.xxx.xxx.xxx.514: SYSLOG local7.notice, length: 606
14:52:37.140823 IP 6.xxx.xxx.xxx.15482 > 160.xxx.xxx.xxx.514: SYSLOG local7.notice, length: 647

Ncat works for localhost and from the firewall

[Expert@FW:0]# nc -u 160.xxx.xxx.xxx 514
test from admin firewall

# tail -4 fw_traffic.log
2021-03-26T12:44:36.735062+01:00 testmessage by netcat udp
2021-03-26T13:21:50.162778+01:00 testmessage by netcat udp
2021-03-26T15:55:55.209019+01:00 test from admin firewall
2021-03-26T15:57:14.529362+01:00 test from admin firewall

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: rsyslog fails to collect FW traffic logs
Hello,

any ideas from anyone?
Last try with updated config:

# Provides UDP syslog reception
$ModLoad imudp
ruleset(name="remote") {
*.* action(type="omfile" file="/app/FW_log/fw_traffic.log ")
}
$InputUDPServerBindRuleset remote #Define a new input and bind it to the "remote1" rule set
$RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back to the default rule set
$UDPServerRun 514

But it didn't help to gather logs from the FW.

Kind regards,
Erik

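Two checks worth running on this setup, added here as an example and not taken from anyone in the thread: the first reads `iptables -S INPUT` output, since a legacy ruleset can still discard UDP/514 while firewall-cmd reports "not running"; the second lints an rsyslog.conf for a trailing space inside the omfile file="..." value (rsyslog then writes to a file whose name ends in that space) and for $UDPServerRun appearing before $InputUDPServerBindRuleset (the listener then stays on the default ruleset). The sample inputs in the usage comments are constructed.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread). Each function reads text on
# stdin so it can be run against captured command output or a saved config.

# Report whether the iptables INPUT chain could discard UDP/514: an explicit
# DROP/REJECT on udp dport 514, or a default policy of DROP with no ACCEPT
# for udp dport 514. Input: the output of `iptables -S INPUT`.
# Prints BLOCKED or OK.
iptables_udp514_blocked() {
    awk '
        /^-P INPUT DROP/ { policy_drop = 1 }
        /^-A INPUT/ && /-p udp/ && /--dport 514/ {
            if ($0 ~ /-j (DROP|REJECT)/) blocked = 1
            if ($0 ~ /-j ACCEPT/)        accepted = 1
        }
        END {
            verdict = (blocked || (policy_drop && !accepted)) ? "BLOCKED" : "OK"
            print verdict
        }
    '
}

# Lint an rsyslog.conf for two mistakes that silently misroute remote logs:
#  * whitespace inside an omfile file="..." value makes rsyslog write to a
#    file whose name ends in that whitespace, so tailing the intended file
#    shows nothing new;
#  * $UDPServerRun placed before $InputUDPServerBindRuleset creates the
#    listener on the default ruleset, so the bound ruleset never sees it.
# Input: the config text. Prints one finding per line; no output means clean.
rsyslog_conf_lint() {
    awk '
        /file="[^"]*[ \t]"/ { print "trailing whitespace in omfile path: " $0 }
        /^\$InputUDPServerBindRuleset/ { bind_line = NR }
        /^\$UDPServerRun/ && !run_line { run_line = NR }
        END {
            if (run_line && (!bind_line || bind_line > run_line))
                print "$UDPServerRun at line " run_line " precedes $InputUDPServerBindRuleset; listener stays on the default ruleset"
        }
    '
}

# Usage on a live host (constructed examples, not output from the thread):
#   iptables -S INPUT | iptables_udp514_blocked      # prints BLOCKED or OK
#   rsyslog_conf_lint < /etc/rsyslog.conf            # prints findings, if any
```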
Re: rsyslog fails to collect FW traffic logs
check your iptables rules

David Lang

On Mon, 12 Apr 2021, Erik.Moritz--- via rsyslog wrote:
Re: rsyslog fails to collect FW traffic logs
Although I never use the old syntax, for what you’re attempting I don’t think the *.* in front of the action statement is needed.

ruleset (…) {
action1(…)
action2(…)
if (something) then stop
action3(…)
if (somethingElse) then {
call ruleset2
} else {
call ruleset3
action4(…)
}
}



> Apr 12, 2021, at 06:47, Erik.Moritz--- via rsyslog <rsyslog@lists.adiscon.com> wrote:
