Mailing List Archive

rsyslog - problem sending udp traffic
I hope this is the right place to ask this question. I have a basic
rsyslog setup sending udp data from a Debian 11 host to a remote server.
At the bottom of my rsyslog.conf file I have:

*.* @x.x.x.x

Logs are being sent to /var/log/daemon.log, /var/log/syslog, etc. so I am
not worried about that. The problem is that on the device itself I do not
see any logs leaving the device. Nor do I see them at the firewall
(x.x.x.x). I have used netcat to see if the remote port is open and
reachable and it is. I have re-installed rsyslog and restarted it. Nothing
seems to work.

However, when I issue the logger command:

logger -n x.x.x.x -P 514 -d "This is a test"

I see that data. What else can I check with my rsyslog setup? Thank you.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: rsyslog - problem sending udp traffic
please post your full config.

I would also check your firewall config (iptables/nftables) on the system to see
if it's blocking the connection.

Also make sure you have a route to the destination IP (you probably have a
default route that does this, but it is something we've run across)

are you seeing any startup errors? or config errors (start rsyslog manually with
rsyslogd -N1)

if none of that helps, we may need to get debug info, but start with the simpler
stuff. Normally this 'just works' so I'd guess that it's a syntax error
somewhere in the config.

David Lang

On Wed, 16 Aug 2023, kathy lyons via rsyslog wrote:

> I hope this is the right place to ask this question. I have a basic
> rsyslog setup sending udp data from a Debian 11 host to a remote server.
> At the bottom of my rsyslog.conf file I have:
>
> *.* @x.x.x.x
>
> Logs are being sent to /var/log/daemon.log, /var/log/syslog, etc. so I am
> not worried about that. The problem is that on the device itself I do not
> see any logs leaving the device. Nor do I see them at the firewall
> (x.x.x.x). I have used netcat to see if the remote port is open and
> reachable and it is. I have re-installed rsyslog and restarted it. Nothing
> seems to work.
>
> However, when I issue the logger command:
>
> logger -n x.x.x.x -P 514 -d "This is a test"
>
> I see that data. What else can I check with my rsyslog setup? Thank you.
Re: rsyslog - problem sending udp traffic
Also be sure that you're not stopping processing your event before it
reaches the forwarding entry.

As David wrote - it's hard to debug a config if you don't see it as a whole.

On 16.08.2023 18:15, David Lang via rsyslog wrote:
> please post your full config.
>
> I would also check your firewall config (iptables/nftables) on the
> system to see if it's blocking the connection.
>
> Also make sure you have a route to the destination IP (you probably
> have a default route that does this, but it is something we've run
> across)
>
> are you seeing any startup errors? or config errors (start rsyslog
> manually with rsyslogd -N1)
>
> if none of that helps, we may need to get debug info, but start with
> the simpler stuff. Normally this 'just works' so I'd guess that it's a
> syntax error somewhere in the config.
>
> David Lang
Re: rsyslog - problem sending udp traffic
Note that “@x.x.x.x” uses UDP, not TCP. If you want TCP use “@@x.x.x.x”

Regards,


> On Aug 16, 2023, at 12:00, Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
> Also be sure that you're not stopping processing your event before it reaches the forwarding entry.
>
> As David wrote - it's hard to debug a config if you don't see it as a whole.
Re: rsyslog - problem sending udp traffic
Here it is:

module(load="imfile")
module(load="imuxsock")
module(load="imklog")
module(load="imjournal")

timezone(id="UTC")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$RepeatedMsgReduction on

$FileOwner syslog
$FileGroup adm

global(net.enableDNS="off" workDirectory="/var/spool/rsyslog"
maxMessageSize="128K")

$IncludeConfig /etc/rsyslog.d/*.conf

audit.* action(type="omfile" file="/var/log/audit/audit.log")
& stop
auth.warning;authpriv.info.* action(type="omfile"
file="/var/log/auth.log")
& stop
auth,authpriv.none action(type="omfile"
file="/var/log/syslog")
& stop
cron.info action(type="omfile"
file="/var/log/cron.log")
& stop
daemon.info action(type="omfile" file="/var/log/daemon.log")
& stop
kern.info action(type="omfile" file="/var/log/kern.log")
& stop
user.info action(type="omfile" file="/var/log/user.log")
& stop

local7.* action(type="omfile" file="/var/log/boot.log")
& stop

*.* @x.x.x.x

rsyslogd -N1 shows no errors. strace shows no errors.

On Wed, Aug 16, 2023 at 12:15 PM David Lang <david@lang.hm> wrote:

> please post your full config.
>
> I would also check your firewall config (iptables/nftables) on the system
> to see if it's blocking the connection.
>
> Also make sure you have a route to the destination IP (you probably have a
> default route that does this, but it is something we've run across)
>
> are you seeing any startup errors? or config errors (start rsyslog
> manually with rsyslogd -N1)
>
> if none of that helps, we may need to get debug info, but start with the
> simpler stuff. Normally this 'just works' so I'd guess that it's a syntax
> error somewhere in the config.
>
> David Lang
Re: rsyslog - problem sending udp traffic
all of those &stop lines are telling rsyslog that if it matches the filter and
writes it to the file that it should stop processing that message.

As a result, anything that gets written to a local file will stop processing
before it gets down to your udp sending action

David Lang

On Thu, 17 Aug 2023, kathy lyons wrote:

> Date: Thu, 17 Aug 2023 13:12:03 -0400
> From: kathy lyons <kathy.lyons@zayo.com>
> To: David Lang <david@lang.hm>
> Cc: kathy lyons via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] rsyslog - problem sending udp traffic
>
> Here it is:
>
> module(load="imfile")
> module(load="imuxsock")
> module(load="imklog")
> module(load="imjournal")
>
> timezone(id="UTC")
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> $RepeatedMsgReduction on
>
> $FileOwner syslog
> $FileGroup adm
>
> global(net.enableDNS="off" workDirectory="/var/spool/rsyslog"
> maxMessageSize="128K")
>
> $IncludeConfig /etc/rsyslog.d/*.conf
>
> audit.* action(type="omfile" file="/var/log/audit/audit.log")
> & stop
> auth.warning;authpriv.info.* action(type="omfile"
> file="/var/log/auth.log")
> & stop
> auth,authpriv.none action(type="omfile"
> file="/var/log/syslog")
> & stop
> cron.info action(type="omfile"
> file="/var/log/cron.log")
> & stop
> daemon.info action(type="omfile" file="/var/log/daemon.log")
> & stop
> kern.info action(type="omfile" file="/var/log/kern.log")
> & stop
> user.info action(type="omfile" file="/var/log/user.log")
> & stop
>
> local7.* action(type="omfile" file="/var/log/boot.log")
> & stop
>
> *.* @x.x.x.x
>
> rsyslogd -N1 shows no errors. strace shows no errors.
Re: rsyslog - problem sending udp traffic
Move the forwarding rule to the top, that should solve your issue.

Rainer

Sent from phone, thus brief.

David Lang via rsyslog <rsyslog@lists.adiscon.com> wrote on Thu, 17 Aug
2023, 19:16:

> all of those &stop lines are telling rsyslog that if it matches the filter
> and writes it to the file that it should stop processing that message.
>
> As a result, anything that gets written to a local file will stop
> processing before it gets down to your udp sending action
>
> David Lang
Re: rsyslog - problem sending udp traffic
That works - thanks! The only thing it does not do is forward the logs we
have configured in /etc/rsyslog.d. Is that correct or is there potentially
a different issue? We put the stops in there because the audit logs were
appearing in /var/log/syslog.

On Fri, Aug 18, 2023 at 3:18 AM Rainer Gerhards <rgerhards@hq.adiscon.com>
wrote:

> Move the forwarding rule to the top, that should solve your issue.
>
> Rainer
>
> Sent from phone, thus brief.
Re: rsyslog - problem sending udp traffic
start rsyslog with command line rsyslogd -o /path/to/file and that file will
have the full config as rsyslog sees it.

you probably still have a problem with the order of things, but without seeing
the full config, we can only guess at what's happening.

why do you have so many stop statements? your filters are not overlapping. If you
did not have the stop statements, the order would not matter as they would all
be evaluated.

David Lang

On Mon, 21 Aug 2023, kathy lyons wrote:

> Date: Mon, 21 Aug 2023 07:07:40 -0400
> From: kathy lyons <kathy.lyons@zayo.com>
> To: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Cc: rsyslog-users <rsyslog@lists.adiscon.com>, David Lang <david@lang.hm>
> Subject: Re: [rsyslog] rsyslog - problem sending udp traffic
>
> That works - thanks! The only thing it does not do is forward the logs we
> have configured in /etc/rsyslog.d. Is that correct or is there potentially
> a different issue? We put the stops in there because the audit logs were
> appearing in /var/log/syslog.
Re: rsyslog - problem sending udp traffic [ In reply to ]
You should move the forwarding rule really to the top, above the include
statement. Thus I really meant top because it solves all such rule
dependency issues (I am not a fan of splitting configs, it unnecessarily
complicates things, at least in almost all cases).

Rainer


kathy lyons <kathy.lyons@zayo.com> wrote on Mon, 21 Aug 2023, 13:07:

> That works - thanks! The only thing it does not do is forward the logs we
> have configured in /etc/rsyslog.d. Is that correct or is there potentially
> a different issue? We put the stops in there because the audit logs were
> appearing in /var/log/syslog.
>
> On Fri, Aug 18, 2023 at 3:18 AM Rainer Gerhards <rgerhards@hq.adiscon.com>
> wrote:
>
>> Move the forwarding rule to the top, that should solve your issue.
>>
>> Rainer
>>
>> Sent from phone, thus brief.
>>
>> David Lang via rsyslog <rsyslog@lists.adiscon.com> wrote on Thu, 17 Aug
>> 2023, 19:16:
>>
>>> all of those &stop lines are telling rsyslog that if it matches the filter and
>>> writes it to the file that it should stop processing that message.
>>>
>>> As a result, anything that gets written to a local file will stop processing
>>> before it gets down to your udp sending action
>>>
>>> David Lang
>>>
>>> On Thu, 17 Aug 2023, kathy lyons wrote:
>>>
>>> > Date: Thu, 17 Aug 2023 13:12:03 -0400
>>> > From: kathy lyons <kathy.lyons@zayo.com>
>>> > To: David Lang <david@lang.hm>
>>> > Cc: kathy lyons via rsyslog <rsyslog@lists.adiscon.com>
>>> > Subject: Re: [rsyslog] rsyslog - problem sending udp traffic
>>> >
>>> > Here it is:
>>> >
>>> > module(load="imfile")
>>> > module(load="imuxsock")
>>> > module(load="imklog")
>>> > module(load="imjournal")
>>> >
>>> > timezone(id="UTC")
>>> > $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>>> >
>>> > $RepeatedMsgReduction on
>>> >
>>> > $FileOwner syslog
>>> > $FileGroup adm
>>> >
>>> > global(net.enableDNS="off" workDirectory="/var/spool/rsyslog"
>>> > maxMessageSize="128K")
>>> >
>>> > $IncludeConfig /etc/rsyslog.d/*.conf
>>> >
>>> > audit.* action(type="omfile" file="/var/log/audit/audit.log")
>>> > & stop
>>> > auth.warning;authpriv.info.* action(type="omfile"
>>> > file="/var/log/auth.log")
>>> > & stop
>>> > auth,authpriv.none action(type="omfile"
>>> > file="/var/log/syslog")
>>> > & stop
>>> > cron.info action(type="omfile"
>>> > file="/var/log/cron.log")
>>> > & stop
>>> > daemon.info action(type="omfile" file="/var/log/daemon.log")
>>> > & stop
>>> > kern.info action(type="omfile" file="/var/log/kern.log")
>>> > & stop
>>> > user.info action(type="omfile" file="/var/log/user.log")
>>> > & stop
>>> >
>>> > local7.* action(type="omfile" file="/var/log/boot.log")
>>> > & stop
>>> >
>>> > *.* @x.x.x.x
>>> >
>>> > rsyslogd -N1 shows no errors. strace shows no errors.
>>> >
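The rule ordering discussed in this thread, as an added example that is not part of any poster's message or configuration: the forwarding rule sits above `$IncludeConfig` and above the `& stop` rules, so every message reaches it before a stop can end processing. The rule lines are taken from the posted configuration, and `x.x.x.x` is the thread's redacted collector address.

```conf
# Added example, not the poster's file. The module(), timezone(), global()
# and $File* lines from the posted rsyslog.conf stay as they are above this.

# 1. Forward first. Rules are evaluated top to bottom, so placing the
#    UDP forward here means it sees every message before any "& stop".
*.* @x.x.x.x

# 2. Include the drop-in files only after the forward. A "stop" inside
#    /etc/rsyslog.d/*.conf ends processing for that message, which would
#    otherwise keep it from ever reaching a forward placed further down.
$IncludeConfig /etc/rsyslog.d/*.conf

# 3. Local file rules keep their stops, so audit messages still stay out
#    of /var/log/syslog as the poster intended.
audit.* action(type="omfile" file="/var/log/audit/audit.log")
& stop
daemon.info action(type="omfile" file="/var/log/daemon.log")
& stop
kern.info action(type="omfile" file="/var/log/kern.log")
& stop
user.info action(type="omfile" file="/var/log/user.log")
& stop

# 4. Nothing that must see all messages belongs below this point:
#    anything matched above has already been stopped.
```

After editing, `rsyslogd -N1` (the check used in the thread) validates the syntax, but it does not flag a rule that is unreachable because of an earlier stop; confirm delivery by watching for traffic at the collector.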