Mailing List Archive

omhttp - can't get simple case to send http
I have a simple configuration where I'm trying to post the syslog message
to a REST application. But the omhttp module doesn't seem to be sending.

This is my configuration:
module (load="omhttp")
template(name="tpl1" type="string" string="{\"type\":\"syslog\",
\"host\":\"%HOSTNAME%\"}")
if (re_match($msg, "(.*REST.*)")) then {
action(
type="omhttp"
server="192.168.55.4"
serverport="8080"
restpath="log"
template="tpl1"
action.resumeRetryCount="3"
errorfile="/var/log/omhttp_errors.log"
checkpath=""
)
}

This is the log that gets printed in /var/log/omhttp_errors.log when I
inject a matching syslog message:
{ "request": { "url": "https:\/\/192.168.55.4:8080\/log", "postdata":
"{\"type\":\"syslog\", \"host\":\"localhost\"}" }, "response": { "status":
0, "message": "NULL: curl request failed or no response" } }


This curl command successfully sends the request to my REST application so
I know that the application is running and the send is possible from the VM.
curl -X POST -H "Content-Type: application/json" -d '{"name": "test"}'
http://192.168.55.4:8080/log

What am I doing wrong?

I was using version 2202, but also tried upgrading to 2204.

Thanks.
Kevin
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: omhttp - can't get simple case to send http [ In reply to ]
what do you get on the server that you are posting to? does it show the
connection, does it show any error?

do a tcpdump and see if the connection is happening

try doing a curl manually, see if you get an error (a possibility would be a
certificate error for example)

David Lang


On Sat, 23 Apr 2022, Kevin McKibbin via rsyslog wrote:

> Date: Sat, 23 Apr 2022 00:14:21 -0600
> From: Kevin McKibbin via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Kevin McKibbin <kevinmckibbin123@gmail.com>
> Subject: [rsyslog] omhttp - can't get simple case to send http
>
> I have a simple configuration where I'm trying to post the syslog message
> to a REST application. But the omhttp module doesn't seem to be sending.
>
> This is my configuration:
> module (load="omhttp")
> template(name="tpl1" type="string" string="{\"type\":\"syslog\",
> \"host\":\"%HOSTNAME%\"}")
> if (re_match($msg, "(.*REST.*)")) then {
> action(
> type="omhttp"
> server="192.168.55.4"
> serverport="8080"
> restpath="log"
> template="tpl1"
> action.resumeRetryCount="3"
> errorfile="/var/log/omhttp_errors.log"
> checkpath=""
> )
> }
>
> This is the log that gets printed in /var/log/omhttp_errors.log when I
> inject a matching syslog message:
> { "request": { "url": "https:\/\/192.168.55.4:8080\/log", "postdata":
> "{\"type\":\"syslog\", \"host\":\"localhost\"}" }, "response": { "status":
> 0, "message": "NULL: curl request failed or no response" } }
>
>
> This curl command successfully sends the request to my REST application so
> I know that the application is running and the send is possible from the VM.
> curl -X POST -H "Content-Type: application/json" -d '{"name": "test"}'
> http://192.168.55.4:8080/log
>
> What am I doing wrong?
>
> I was using version 2202, but also tried upgrading to 2204.
>
> Thanks.
> Kevin
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: omhttp - can't get simple case to send http [ In reply to ]
The curl command works properly. I can see the http message in the REST
application.

When trying sending through rsyslog, I can't see anything happening:
- tcpdump doesn't report anything captured (but running the curl command
shows captured packets)
- ss -an doesn't report any ports being opened to send to the rest
application (but running the curl command shows a port getting opened)
- the omhttp log shows one line when the first syslog message is processed
and then does not print any additional lines in the log until I restart
rsyslog

This is basic http, not https so there's no cert errors.

Is there any additional debug logging I can look at to figure out what's
wrong?

Kevin

On Sat, 23 Apr 2022 at 00:32, David Lang <david@lang.hm> wrote:

> what do you get on the server that you are posting to? does it show the
> connection, does it show any error?
>
> do a tcpdump and see if the connection is happening
>
> try doing a curl manually, see if you get an error (a possibility would be
> a
> certificate error for example)
>
> David Lang
>
>
> On Sat, 23 Apr 2022, Kevin McKibbin via rsyslog wrote:
>
> > Date: Sat, 23 Apr 2022 00:14:21 -0600
> > From: Kevin McKibbin via rsyslog <rsyslog@lists.adiscon.com>
> > To: rsyslog@lists.adiscon.com
> > Cc: Kevin McKibbin <kevinmckibbin123@gmail.com>
> > Subject: [rsyslog] omhttp - can't get simple case to send http
> >
> > I have a simple configuration where I'm trying to post the syslog message
> > to a REST application. But the omhttp module doesn't seem to be sending.
> >
> > This is my configuration:
> > module (load="omhttp")
> > template(name="tpl1" type="string" string="{\"type\":\"syslog\",
> > \"host\":\"%HOSTNAME%\"}")
> > if (re_match($msg, "(.*REST.*)")) then {
> > action(
> > type="omhttp"
> > server="192.168.55.4"
> > serverport="8080"
> > restpath="log"
> > template="tpl1"
> > action.resumeRetryCount="3"
> > errorfile="/var/log/omhttp_errors.log"
> > checkpath=""
> > )
> > }
> >
> > This is the log that gets printed in /var/log/omhttp_errors.log when I
> > inject a matching syslog message:
> > { "request": { "url": "https:\/\/192.168.55.4:8080\/log", "postdata":
> > "{\"type\":\"syslog\", \"host\":\"localhost\"}" }, "response": {
> "status":
> > 0, "message": "NULL: curl request failed or no response" } }
> >
> >
> > This curl command successfully sends the request to my REST application
> so
> > I know that the application is running and the send is possible from the
> VM.
> > curl -X POST -H "Content-Type: application/json" -d '{"name": "test"}'
> > http://192.168.55.4:8080/log
> >
> > What am I doing wrong?
> >
> > I was using version 2202, but also tried upgrading to 2204.
> >
> > Thanks.
> > Kevin
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
> >
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: omhttp - can't get simple case to send http [ In reply to ]
Is your SELinux in Enforcing mode?

MK

On 25.04.2022 17:15, Kevin McKibbin via rsyslog wrote:
> The curl command works properly. I can see the http message in the REST
> application.
>
> When trying sending through rsyslog, I can't see anything happening:
> - tcpdump doesn't report anything captured (but running the curl command
> shows captured packets)
> - ss -an doesn't report any ports being opened to send to the rest
> application (but running the curl command shows a port getting opened)
> - the omhttp log shows one line when the first syslog message is processed
> and then does not print any additional lines in the log until I restart
> rsyslog
>
> This is basic http, not https so there's no cert errors.
>
> Is there any additional debug logging I can look at to figure out what's
> wrong?
>
> Kevin
>
> On Sat, 23 Apr 2022 at 00:32, David Lang <david@lang.hm> wrote:
>
>> what do you get on the server that you are posting to? does it show the
>> connection, does it show any error?
>>
>> do a tcpdump and see if the connection is happening
>>
>> try doing a curl manually, see if you get an error (a possibility would be
>> a
>> certificate error for example)
>>
>> David Lang
>>
>>
>> On Sat, 23 Apr 2022, Kevin McKibbin via rsyslog wrote:
>>
>>> Date: Sat, 23 Apr 2022 00:14:21 -0600
>>> From: Kevin McKibbin via rsyslog <rsyslog@lists.adiscon.com>
>>> To: rsyslog@lists.adiscon.com
>>> Cc: Kevin McKibbin <kevinmckibbin123@gmail.com>
>>> Subject: [rsyslog] omhttp - can't get simple case to send http
>>>
>>> I have a simple configuration where I'm trying to post the syslog message
>>> to a REST application. But the omhttp module doesn't seem to be sending.
>>>
>>> This is my configuration:
>>> module (load="omhttp")
>>> template(name="tpl1" type="string" string="{\"type\":\"syslog\",
>>> \"host\":\"%HOSTNAME%\"}")
>>> if (re_match($msg, "(.*REST.*)")) then {
>>> action(
>>> type="omhttp"
>>> server="192.168.55.4"
>>> serverport="8080"
>>> restpath="log"
>>> template="tpl1"
>>> action.resumeRetryCount="3"
>>> errorfile="/var/log/omhttp_errors.log"
>>> checkpath=""
>>> )
>>> }
>>>
>>> This is the log that gets printed in /var/log/omhttp_errors.log when I
>>> inject a matching syslog message:
>>> { "request": { "url": "https:\/\/192.168.55.4:8080\/log", "postdata":
>>> "{\"type\":\"syslog\", \"host\":\"localhost\"}" }, "response": {
>> "status":
>>> 0, "message": "NULL: curl request failed or no response" } }
>>>
>>>
>>> This curl command successfully sends the request to my REST application
>> so
>>> I know that the application is running and the send is possible from the
>> VM.
>>> curl -X POST -H "Content-Type: application/json" -d '{"name": "test"}'
>>> http://192.168.55.4:8080/log
>>>
>>> What am I doing wrong?
>>>
>>> I was using version 2202, but also tried upgrading to 2204.
>>>
>>> Thanks.
>>> Kevin
>>> _______________________________________________
>>> rsyslog mailing list
>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: omhttp - can't get simple case to send http [ In reply to ]
Thanks! Updating the SELinux mode fixed my issue.

I changed /etc/selinux/config to have this:
SELINUX=permissive

After reboot, rsyslog-omhttp can successfully send to the REST api.

Kevin


On Mon, 25 Apr 2022 at 11:06, Mariusz Kruk via rsyslog <
rsyslog@lists.adiscon.com> wrote:

> Is your SELinux in Enforcing mode?
>
> MK
>
> On 25.04.2022 17:15, Kevin McKibbin via rsyslog wrote:
> > The curl command works properly. I can see the http message in the REST
> > application.
> >
> > When trying sending through rsyslog, I can't see anything happening:
> > - tcpdump doesn't report anything captured (but running the curl command
> > shows captured packets)
> > - ss -an doesn't report any ports being opened to send to the rest
> > application (but running the curl command shows a port getting opened)
> > - the omhttp log shows one line when the first syslog message is
> processed
> > and then does not print any additional lines in the log until I restart
> > rsyslog
> >
> > This is basic http, not https so there's no cert errors.
> >
> > Is there any additional debug logging I can look at to figure out what's
> > wrong?
> >
> > Kevin
> >
> > On Sat, 23 Apr 2022 at 00:32, David Lang <david@lang.hm> wrote:
> >
> >> what do you get on the server that you are posting to? does it show the
> >> connection, does it show any error?
> >>
> >> do a tcpdump and see if the connection is happening
> >>
> >> try doing a curl manually, see if you get an error (a possibility would
> be
> >> a
> >> certificate error for example)
> >>
> >> David Lang
> >>
> >>
> >> On Sat, 23 Apr 2022, Kevin McKibbin via rsyslog wrote:
> >>
> >>> Date: Sat, 23 Apr 2022 00:14:21 -0600
> >>> From: Kevin McKibbin via rsyslog <rsyslog@lists.adiscon.com>
> >>> To: rsyslog@lists.adiscon.com
> >>> Cc: Kevin McKibbin <kevinmckibbin123@gmail.com>
> >>> Subject: [rsyslog] omhttp - can't get simple case to send http
> >>>
> >>> I have a simple configuration where I'm trying to post the syslog
> message
> >>> to a REST application. But the omhttp module doesn't seem to be
> sending.
> >>>
> >>> This is my configuration:
> >>> module (load="omhttp")
> >>> template(name="tpl1" type="string" string="{\"type\":\"syslog\",
> >>> \"host\":\"%HOSTNAME%\"}")
> >>> if (re_match($msg, "(.*REST.*)")) then {
> >>> action(
> >>> type="omhttp"
> >>> server="192.168.55.4"
> >>> serverport="8080"
> >>> restpath="log"
> >>> template="tpl1"
> >>> action.resumeRetryCount="3"
> >>> errorfile="/var/log/omhttp_errors.log"
> >>> checkpath=""
> >>> )
> >>> }
> >>>
> >>> This is the log that gets printed in /var/log/omhttp_errors.log when I
> >>> inject a matching syslog message:
> >>> { "request": { "url": "https:\/\/192.168.55.4:8080\/log", "postdata":
> >>> "{\"type\":\"syslog\", \"host\":\"localhost\"}" }, "response": {
> >> "status":
> >>> 0, "message": "NULL: curl request failed or no response" } }
> >>>
> >>>
> >>> This curl command successfully sends the request to my REST application
> >> so
> >>> I know that the application is running and the send is possible from
> the
> >> VM.
> >>> curl -X POST -H "Content-Type: application/json" -d '{"name": "test"}'
> >>> http://192.168.55.4:8080/log
> >>>
> >>> What am I doing wrong?
> >>>
> >>> I was using version 2202, but also tried upgrading to 2204.
> >>>
> >>> Thanks.
> >>> Kevin
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad
> >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >> DON'T LIKE THAT.
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.