[rsyslog] Problem to receive TCP event

Laurent Pinsivy lpinsivy at merethis.com
Wed Sep 8 16:53:38 CEST 2010


Hello,

I am trying to receive TCP events from a Windows machine using Centreon-E2S
(which I developed) on Rsyslog 3.22.1.

Rsyslog listens on TCP/514 and UDP/514:

# netstat -ano | grep 514
tcp        0      0 0.0.0.0:514                 0.0.0.0:*                   LISTEN      off (0.00/0/0)
tcp        0      0 :::514                      :::*                        LISTEN      off (0.00/0/0)
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               off (0.00/0/0)
udp        0      0 :::514                      :::*                                    off (0.00/0/0)

If I insert a breakpoint in my program, I can see:

tcp        0      0 192.168.2.170:514           192.168.1.14:62637          ESTABLISHED off (0.00/0/0)

With Wireshark, I can see the event message:

108.097297 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=2
108.097655 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [ACK] Seq=1 Ack=1 Win=66780 Len=0
108.097790 192.168.1.14 -> 192.168.2.170 RSH <131>E6400-Laurent EventCreate Type: Error, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test
108.099833 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [FIN, ACK] Seq=119 Ack=1 Win=66780 Len=0
108.100104 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [ACK] Seq=120 Ack=2 Win=66780 Len=0

But rsyslog doesn't insert it into a database or into the file /var/log/messages.

Rsyslog configuration is:

$ModLoad imtcp.so
$InputTCPServerRun 514
$ModLoad imudp.so
$UDPServerRun 514

UDP/514 messages are working well and are inserted into a database and a
file /var/log/messages:

2010-09-08T14:44:20.144648+02:00 E6400-Laurent EventCreate Type: Error, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test

I tried to use the rsyslog debug output, but I don't understand the result:

4783.101672000:imtcp.c: --------<NSDSEL_PTCP> calling select, active fds (max 5): 4 5
4793.005236000:imtcp.c: New connect on NSD 0x165e6530.
4793.006433000:imtcp.c: --------<NSDSEL_PTCP> calling select, active fds (max 16): 4 5 16
4793.006450000:imtcp.c: netstream 0x16602f40 with new data
4793.006463000:imtcp.c: --------<NSDSEL_PTCP> calling select, active fds (max 16): 4 5 16
4793.007708000:imtcp.c: netstream 0x16602f40 with new data
4793.007748000:imtcp.c: --------<NSDSEL_PTCP> calling select, active fds (max 5): 4 5

The function used to send the UDP or TCP message is the same except for the
transport. I tried encoding the message using ANSI or ASCII, but nothing
appears.

Do you have any solution?

Best regards,

Laurent Pinsivy


