• Strange problem with rsyslog

    From Jarosław Rafa@110:110/2002 to All on Fri Feb 14 08:16:42 2014
    I have a strange problem with rsyslog. I have experienced it on three
    different machines with different OSes (Fedora, CentOS, Ubuntu) and
    different rsyslog versions, have googled for solution to no avail. I
    have no idea what might be going on, maybe someone can help?

    The problem is, rsyslogd does not show in logs the messages coming in
    from remote machines. Of course, I have the required directives $ModLoad
    imudp and $UDPServerRun 514 in the config file, I have also put a
    catch-all rule *.* /var/log/alllog on top of all the rules to not miss
    any message. However, both in the alllog file and in the
    other /var/log/* files there are only messages generated by the local
    host.

    Netstat shows that rsyslogd is listening on UDP port 514. Tcpdump shows
    that messages from other machines are coming in at UDP port 514. But
    rsyslogd even started in debug mode ("-d" switch) does not show any
    trace of these messages (however, it informs precisely about any of the
    local host generated messages).

    What's more interesting, when I tried to send a test message from
    another computer to rsyslog using a method I found on some forum:

    echo "test message" | nc -w0 -u 192.168.2.5 514

    (where 192.168.2.5 is the address of the problematic rsyslogd machine),
    this message *is* logged by rsyslogd in the alllog file.

    How to solve this???
    -- 
    Regards,
    Jaroslaw Rafa
    raj@ap.krakow.pl
    --
    "In a million years, when kids go to school, they're gonna know: once there
    was a Hushpuppy, and she lived with her daddy in the Bathtub."


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Academic Computer Center CYFRONET AGH (110:110/2002@linuxnet)
  • From Joe Beanfish@110:110/2002 to All on Fri Feb 14 14:35:10 2014
    On Fri, 14 Feb 2014 09:16:42 +0100, Jarosław Rafa wrote:
    The problem is, rsyslogd does not show in logs the messages coming in
    from remote machines. Of course, I have the required directives $ModLoad
    imudp and $UDPServerRun 514 in the config file, I have also put a
    catch-all rule *.* /var/log/alllog on top of all the rules to not miss
    any message. However, both in the alllog file and in the other
    /var/log/* files there are only messages generated by the local host.

    Netstat shows that rsyslogd is listening on UDP port 514. Tcpdump shows
    that messages from other machines are coming in at UDP port 514. But
    rsyslogd even started in debug mode ("-d" switch) does not show any
    trace of these messages (however, it informs precisely about any of the
    local host generated messages).

    What's more interesting, when I tried to send a test message from
    another computer to rsyslog using a method I found on some forum:

    echo "test message" | nc -w0 -u 192.168.2.5 514

    (where 192.168.2.5 is the address of the problematic rsyslogd machine),
    this message *is* logged by rsyslogd in the alllog file.

    I'm not thoroughly familiar with it, but check rsyslog.conf to see if
    there's any setting that may be filtering/blocking/dropping things.

    Compare the tcpdump of the working test to the real messages coming in
    to find differences in payload that might be significant.

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From Jorgen Grahn@1:0/0 to All on Sat Feb 15 06:34:41 2014
    On Fri, 2014-02-14, Joe Beanfish wrote:
    On Fri, 14 Feb 2014 09:16:42 +0100, Jarosław Rafa wrote:
    The problem is, rsyslogd does not show in logs the messages coming in
    from remote machines. Of course, I have the required directives $ModLoad
    imudp and $UDPServerRun 514 in the config file, I have also put a
    catch-all rule *.* /var/log/alllog on top of all the rules to not miss
    any message. However, both in the alllog file and in the other
    /var/log/* files there are only messages generated by the local host.

    Netstat shows that rsyslogd is listening on UDP port 514. Tcpdump shows
    that messages from other machines are coming in at UDP port 514. But
    rsyslogd even started in debug mode ("-d" switch) does not show any
    trace of these messages (however, it informs precisely about any of the
    local host generated messages).

    What's more interesting, when I tried to send a test message from
    another computer to rsyslog using a method I found on some forum:

    echo "test message" | nc -w0 -u 192.168.2.5 514

    (where 192.168.2.5 is the address of the problematic rsyslogd machine),
    this message *is* logged by rsyslogd in the alllog file.

    I'm not thoroughly familiar with it, but check rsyslog.conf to see if
    there's any setting that may be filtering/blocking/dropping things.

    Compare the tcpdump of the working test to the real messages coming in
    to find differences in payload that might be significant.

    Yes. I /do/ know that a real message looks rather different from
    "test message", but it's weird that a broken message would get through
    and a normal one would not.

    (A real message would encode things as facility, and I think also the timestamp.)

    Other than that, I agree with both of you. I would also tcpdump and
    so on. strace(1) on rsyslogd too, except you have confirmed already
    that it's actually listening.

    /Jorgen

    --
    // Jorgen Grahn <grahn@ Oo o. . .
    \X/ snipabacken.se> O o .

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: The Kofo System II BBS telnet://fido2.kofobb
  • From Eric Pozharski@110:110/2002 to Jarosław Rafa on Sat Feb 15 11:32:25 2014
    with <1392365801.1874.17.camel@Jarek> Jarosław Rafa wrote:

    *SKIP*
    What's more interesting, when I tried to send a test message from
    another computer to rsyslog using a method I found on some forum:

    echo "test message" | nc -w0 -u 192.168.2.5 514

    (where 192.168.2.5 is the address of the problematic rsyslogd machine),
    this message *is* logged by rsyslogd in the alllog file.

    That strongly suggests a configuration problem. Read carefully the manpages
    and example configuration files of rsyslogd. Watch for the words:
    "accept", "deny", "filter", and "remote". Check rsyslogd's manpage to see if
    it can show its idea of what final configuration it works with (may
    be in vain).

    How to solve this???

    Personally, my choice is do-one-thing-and-do-it-good
    'inetutils-syslogd'.

    --
    Torvalds' goal for Linux is very simple: World Domination
    Stallman's goal for GNU is even simpler: Freedom

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: SunSITE.dk - Supporting Open source (110:110/2002@linuxnet)
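The replies above suggest comparing the payload of the working nc test with a real datagram (Joe), note that a real message carries a facility and timestamp (Jorgen), and point at selector/filter rules in the config (Eric). The following is an added example, not code from anyone in the thread: it decodes a BSD-syslog UDP payload along those lines and evaluates a classic rsyslog.conf selector against it. The two datagrams are constructed samples; the host name, PID and message text are invented.

```python
# Added example (not from the thread): decode a BSD-syslog (RFC 3164) UDP payload
# so the bare nc "test message" and a real datagram can be compared field by field.
import re

# Facility codes 0..23 and severity codes 0..7 as numbered in RFC 3164.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

PRI_RE = re.compile(rb"^<(\d{1,3})>")
# RFC 3164 header: "Mmm dd hh:mm:ss HOSTNAME " followed by TAG and CONTENT.
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

def parse_syslog(payload: bytes) -> dict:
    """Return has_pri/facility/severity/timestamp/host/msg for one UDP datagram."""
    m = PRI_RE.match(payload)
    if m and int(m.group(1)) <= 191:
        pri, body, has_pri = int(m.group(1)), payload[m.end():], True
    else:
        # No valid PRI: RFC 3164 sec. 4.3.3 says treat it as <13> = user.notice,
        # which is why a bare "test message" from nc is still accepted and logged.
        pri, body, has_pri = 13, payload, False
    text = body.decode("utf-8", errors="replace").rstrip("\r\n")
    facility, severity = divmod(pri, 8)
    rec = {"has_pri": has_pri, "facility": FACILITIES[facility],
           "severity": SEVERITIES[severity], "timestamp": None, "host": None, "msg": text}
    h = HEADER_RE.match(text)
    if h:  # only a well-formed message has a timestamp and host in the header
        rec["timestamp"], rec["host"], rec["msg"] = h.groups()
    return rec

def selector_matches(selector: str, rec: dict) -> bool:
    """Evaluate a classic selector such as '*.*', 'auth.info' or 'mail.none'
    against a parsed record; a severity in a selector means that level or worse."""
    fac_part, sev_part = selector.split(".")
    if sev_part == "none":
        return False
    if fac_part != "*" and rec["facility"] not in fac_part.split(","):
        return False
    if sev_part == "*":
        return True
    return SEVERITIES.index(rec["severity"]) <= SEVERITIES.index(sev_part)

# Constructed sample datagrams: the nc test from the thread and a typical real one.
NC_TEST = b"test message\n"
REAL_MSG = b"<38>Feb 14 08:16:42 webhost sshd[1234]: Accepted publickey for jarek\n"

if __name__ == "__main__":
    for p in (NC_TEST, REAL_MSG):
        rec = parse_syslog(p)
        print(rec, "matches *.*:", selector_matches("*.*", rec))
```

Running the script shows that both datagrams match the catch-all `*.*` rule, so a difference in PRI or header alone does not explain a drop; any filter that would reject the real message would also have to be visible in the effective configuration.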