[rsyslog] Problem to receive TCP event

Rainer Gerhards rgerhards at hq.adiscon.com
Wed Sep 8 18:53:31 CEST 2010



> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Laurent Pinsivy
> Sent: Wednesday, September 08, 2010 4:54 PM
> To: rsyslog at lists.adiscon.com
> Subject: [rsyslog] Problem to receive TCP event
> 
> Hello,
> 
> I try to receive TCP events from a Windows machine using Centreon-E2S
> (which I developed) on Rsyslog 3.22.1
> 
> Rsyslog listens on TCP/514 and UDP/514:
> 
> # netstat -ano | grep 514
> tcp        0      0 0.0.0.0:514                 0.0.0.0:*                   LISTEN      off (0.00/0/0)
> tcp        0      0 :::514                      :::*                        LISTEN      off (0.00/0/0)
> udp        0      0 0.0.0.0:514                 0.0.0.0:*                               off (0.00/0/0)
> udp        0      0 :::514                      :::*                                    off (0.00/0/0)
> 
> If I insert a breakpoint in my program, I can see:
> 
> tcp        0      0 192.168.2.170:514           192.168.1.14:62637          ESTABLISHED off (0.00/0/0)
> 
> With Wireshark, I can see the message of the event:
> 
> 108.097297 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=2
> 108.097655 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [ACK] Seq=1 Ack=1 Win=66780 Len=0
> 108.097790 192.168.1.14 -> 192.168.2.170 RSH <131>E6400-Laurent EventCreate Type: Error, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test

The message is not well-formed, so some properties are probably not correctly
populated.

> 108.099833 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [FIN, ACK] Seq=119 Ack=1 Win=66780 Len=0
> 108.100104 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [ACK] Seq=120 Ack=2 Win=66780 Len=0
> 
> But rsyslog doesn't insert it into a database or into the file
> /var/log/messages
> 
> Rsyslog configuration is:
> 
> $ModLoad imtcp.so
> $InputTCPServerRun 514
> $ModLoad imudp.so
> $UDPServerRun 514
> 

That's not the full config, it has no actions ;)

Can you use

*.* /path/to/catchall;RSYSLOG_DebugFormat

and let us know if something arrives there (and if so, what)?

> UDP/514 messages are working well and are inserted into a database and
> a file /var/log/messages:
> 
> 2010-09-08T14:44:20.144648+02:00 E6400-Laurent EventCreate Type: Error, Category: (0), Event ID: 7, User: E6400-Laurent\Laurent, Description: test
> 
> I try to use the rsyslog debug output but I don't understand the result:
> 
> 4783.101672000:imtcp.c: --------<NSDSEL_PTCP> calling select, active fds (max 5): 4 5
> 4793.005236000:imtcp.c: New connect on NSD 0x165e6530.
> 4793.006433000:imtcp.c: --------<NSDSEL_PTCP> calling select, active fds (max 16): 4 5 16
> 4793.006450000:imtcp.c: netstream 0x16602f40 with new data
> 4793.006463000:imtcp.c: --------<NSDSEL_PTCP> calling select, active fds (max 16): 4 5 16
> 4793.007708000:imtcp.c: netstream 0x16602f40 with new data
> 4793.007748000:imtcp.c: --------<NSDSEL_PTCP> calling select, active fds (max 5): 4 5

This looks like you snipped parts of the log?

Rainer

> 
> The function to send a UDP or TCP message is the same except for the
> transport. I try to encode the message using ANSI or ASCII but nothing
> appears.
> 
> Do you have any solution?
> 
> Best regards,
> 
> Laurent Pinsivy
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
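Two things the thread points at are easy to check without a full rsyslog setup: the captured message "<131>E6400-Laurent EventCreate ..." carries a PRI but no RFC 3164 timestamp, and imtcp's default framing expects one LF-terminated message per line. The script below is an added example, not code from the thread or the rsyslog project: it builds a well-formed message, frames it with a trailing LF, reports which header fields a received message has, and sends it through a throwaway local listener so the bytes on the wire can be inspected (the default port 514 and the host/tag names are assumptions).

```python
# Added example: RFC 3164 message check + LF framing for rsyslog imtcp.
# Port 514, host "E6400-Laurent" and tag "EventCreate" are assumed from the thread.
import re
import socket
import time

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG...
_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d "
                     r"\d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")

def check_message(msg):
    """Report whether msg has the full RFC 3164 header. A PRI without a
    timestamp is still accepted, but hostname/tag properties may be guessed."""
    m = _HEADER.match(msg)
    if m is None:
        return {"wellformed": False, "has_pri": bool(re.match(r"^<\d{1,3}>", msg))}
    pri = int(m.group("pri"))
    return {"wellformed": True, "facility": pri >> 3, "severity": pri & 7,
            "host": m.group("host")}

def build_message(facility, severity, host, tag, text, when=None):
    """PRI = facility*8 + severity; 131 in the capture is local0 (16) / error (3)."""
    t = time.localtime(when)
    ts = f"{MONTHS[t.tm_mon - 1]} {t.tm_mday:2d} {t.tm_hour:02d}:{t.tm_min:02d}:{t.tm_sec:02d}"
    return f"<{facility * 8 + severity}>{ts} {host} {tag}: {text}"

def frame_lf(msg):
    """imtcp's default (non-transparent) framing: one message per LF-terminated line."""
    return msg.encode("utf-8") + b"\n"

def send_tcp(msg, host="127.0.0.1", port=514):
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(frame_lf(msg))

def loopback_demo(msg):
    """Send msg to a throwaway local listener (no rsyslog needed) and return the bytes it got."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    send_tcp(msg, port=srv.getsockname()[1])  # handshake completes in the listen backlog
    conn, _ = srv.accept()
    with conn, srv:
        return conn.recv(4096)

if __name__ == "__main__":
    print(check_message("<131>E6400-Laurent EventCreate Type: Error, Description: test"))
    print(loopback_demo(build_message(16, 3, "E6400-Laurent", "EventCreate", "test")))
```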
