Hello,
maybe someone can give me the hint I need. I am trying to collect traffic logs from FW by rsyslogd on a rhel7 system
rsyslog-8.24.0-57.el7_9.x86_64
linux FW is disabled
#firewall-cmd --state
not running
/etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$RuleSet remote1
*.* /app/FW_log/fw_traffic.log
$RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back to the default rule set
$InputUDPServerBindRuleset remote1 #Define a new input and bind it to the "remote1" rule set
$UDPServerRun 514
Rsyslog is listening on 514
netstat -tulpen | grep rsyslog
udp 0 0 0.0.0.0:45073 0.0.0.0:* 0 204418 7730/rsyslogd
udp 0 0 0.0.0.0:48919 0.0.0.0:* 0 204412 7730/rsyslogd
udp 0 0 0.0.0.0:52741 0.0.0.0:* 0 204411 7730/rsyslogd
udp 0 0 0.0.0.0:57513 0.0.0.0:* 0 204413 7730/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 0 225843 7730/rsyslogd
udp6 0 0 :::514 :::* 0 225844 7730/rsyslogd
messages are being sent by the FW
160.xxx.xxx.xxx = dffmz01sysl01p
6.xxx.xxx.xxx = FW
On the rsyslog server
tcpdump -i any | more
13:24:36.640675 IP 6.xxx.xxx.xxx.9688 > 160.xxx.xxx.xxx.syslog: SYSLOG local7.notice, length: 647
13:24:36.640675 IP 6.xxx.xxx.xxx.9688 > 160.xxx.xxx.xxx.syslog: SYSLOG local7.notice, length: 647
FW is sending logs via port 514:
14:52:37.140824 IP 6.xxx.xxx.xxx.3353 > 160.xxx.xxx.xxx.514: SYSLOG local7.notice, length: 606
14:52:37.140823 IP 6.xxx.xxx.xxx.15482 > 160.xxx.xxx.xxx.514: SYSLOG local7.notice, length: 647
Ncat works for localhost and from the firewall
[Expert@FW:0]# nc -u 160.xxx.xxx.xxx 514
test from admin firewall
# tail -4 fw_traffic.log
2021-03-26T12:44:36.735062+01:00 testmessage by netcat udp
2021-03-26T13:21:50.162778+01:00 testmessage by netcat udp
2021-03-26T15:55:55.209019+01:00 test from admin firewall
2021-03-26T15:57:14.529362+01:00 test from admin firewall
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
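Added example, not part of the original post: a small Python helper that builds an RFC 3164 message carrying the same local7.notice priority the FW traffic shows in tcpdump (PRI 189), sends it to the collector over UDP 514, and decodes the PRI of any line read back from fw_traffic.log. The hostname, tag and collector address are constructed placeholders. It lets you compare a properly framed message against the raw netcat text, which has no PRI header at all.

```python
import re
import socket
from datetime import datetime

# RFC 3164 facility (0-23) and severity (0-7) names, in numeric order (rsyslog spelling).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; local7.notice -> 23 * 8 + 5 = 189."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def build_rfc3164(facility, severity, hostname, tag, msg, when=None):
    """Assemble '<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG' the way a firewall would."""
    when = when or datetime.now()
    # RFC 3164 timestamp: month name, space-padded day, 24h clock.
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {msg}"


def parse_pri(line: str):
    """Return (facility, severity) for a syslog line, or None when no valid PRI leads it."""
    m = PRI_RE.match(line)
    if not m:
        return None
    value = int(m.group(1))
    if value > 191:          # 23 * 8 + 7 is the highest legal PRI
        return None
    return FACILITIES[value // 8], SEVERITIES[value % 8]


def send_udp(line: str, host: str, port: int = 514) -> int:
    """Send one datagram to the collector; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode(), (host, port))


if __name__ == "__main__":
    # Constructed placeholder: set COLLECTOR_HOST to the rsyslog server (160.xxx.xxx.xxx above).
    COLLECTOR_HOST = "127.0.0.1"
    line = build_rfc3164("local7", "notice", "fw-test", "fw", "test with PRI header")
    print(line, "->", parse_pri(line))
    send_udp(line, COLLECTOR_HOST)
```

After sending, `tail -1 /app/FW_log/fw_traffic.log` should show the test line; feeding each logged line to `parse_pri` shows whether rsyslog received a PRI (the netcat lines return None).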