[rsyslog] Problem to receive TCP event

Rainer Gerhards rgerhards at hq.adiscon.com
Thu Sep 9 10:28:18 CEST 2010


May it be that you do the framing wrong? There is no RFC, but industry
standard is to use octet-stuffing, with LF being used as a frame delimiter
(in other words: there must be a \n between syslog messages). I don't see any
other reason why the message does not show up in the catchall log.

Rainer 

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Laurent Pinsivy
> Sent: Thursday, September 09, 2010 10:22 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Problem to receive TCP event
> 
> Thank you for your answer.
> 
> Complete rsyslog configuration is:
> 
> $ModLoad ommysql
> $ModLoad imtcp.so
> $InputTCPServerRun 514
> $ModLoad imudp.so
> $UDPServerRun 514
> $ModLoad immark.so
> $ModLoad imklog.so
> $ModLoad imuxsock.so
> 
> *.info;mail.none;authpriv.none;cron.none                /var/log/messages
> authpriv.*                                              /var/log/secure
> mail.*                                                  -/var/log/maillog
> cron.*                                                  /var/log/cron
> *.emerg                                                 *
> uucp,news.crit                                          /var/log/spooler
> local7.*                                                /var/log/boot.log
> *.*                                                     /var/log/catchall;RSYSLOG_DebugFormat
> 
> $EscapeControlCharactersOnReceive off
> 
> $template sysMysql,"INSERT INTO logs (host,facility,priority,level,tag,datetime,program,msg) VALUES('%HOSTNAME%','%syslogfacility-text%','%syslogpriority-text%','%syslogseverity%','%syslogtag%','%timereported:::date-mysql%','%programname%','%msg:::space-cc%')", SQL
> 
> if $programname == 'snmpd' and $syslogseverity > '4' then ~
> if $syslogseverity == '7' then ~
> *.* >127.0.0.1,syslog,syslogadmin,syslogpass;sysMysql
> 
> And the file "/etc/sysconfig/rsyslog" contains:
> 
> SYSLOGD_OPTIONS="-c3"
> KLOGD_OPTIONS="-x"
> 
> I changed the syslog format to add the date, and Wireshark receives:
> 
> 251.121928 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [SYN] Seq=0
> Win=8192 Len=0 MSS=1260 WS=2
> 251.122250 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [ACK] Seq=1
> Ack=1
> Win=66780 Len=0
> 251.122502 192.168.1.14 -> 192.168.2.170 RSH <132>Sep  9 10:13:01
> E6400-Laurent EventCreate Type: Warning, Category: (0), Event ID: 7,
> User:
> E6400-Laurent\Laurent, Description: test
> 251.124991 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [FIN, ACK]
> Seq=137 Ack=1 Win=66780 Len=0
> 251.125256 192.168.1.14 -> 192.168.2.170 TCP 58000 > shell [ACK]
> Seq=138
> Ack=2 Win=66780 Len=0
> 
> This event doesn't appear in the file /var/log/catchall.
> 
> But if I send the same event by UDP, Wireshark receives:
> 
> 370.297874 192.168.1.14 -> 192.168.2.170 Syslog LOCAL0.WARNING:
> E6400-Laurent EventCreate Type: Warning, Category: (0), Event ID: 7,
> User:
> E6400-Laurent\Laurent, Description: test
> 
> And in file /var/log/catchall I can find:
> 
> Debug line with all properties:
> FROMHOST: 'lpinsivy.merethis.net', fromhost-ip: '192.168.1.14',
> HOSTNAME:
> 'E6400-Laurent', PRI: 132,
> syslogtag 'EventCreate', programname: 'EventCreate', APP-NAME:
> 'EventCreate', PROCID: '-', MSGID: '-',
> TIMESTAMP: 'Sep  9 10:15:19', STRUCTURED-DATA: '-',
> msg: ' Type: Warning, Category: (0), Event ID: 7, User:
> E6400-Laurent\Laurent, Description: test'
> escaped msg: ' Type: Warning, Category: (0), Event ID: 7, User:
> E6400-Laurent\Laurent, Description: test'
> rawmsg: '<132>E6400-Laurent EventCreate Type: Warning, Category: (0),
> Event
> ID: 7, User: E6400-Laurent\Laurent, Description: test'
> 
> 
> 2010/9/8 Rainer Gerhards <rgerhards at hq.adiscon.com>
> 
> >
> >
> > > -----Original Message-----
> > > From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> > > bounces at lists.adiscon.com] On Behalf Of Laurent Pinsivy
> > > Sent: Wednesday, September 08, 2010 4:54 PM
> > > To: rsyslog at lists.adiscon.com
> > > Subject: [rsyslog] Problem to receive TCP event
> > >
> > > Hello,
> > >
> > > I am trying to receive TCP events from a Windows machine using Centreon-E2S
> > > (which I developed) on Rsyslog 3.22.1
> > >
> > > Rsyslog listens on TCP/514 and UDP/514:
> > >
> > > # netstat -ano | grep 514
> > > tcp        0      0 0.0.0.0:514                 0.0.0.0:*
> > > LISTEN      off (0.00/0/0)
> > > tcp        0      0 :::514                      :::*
> > > LISTEN      off (0.00/0/0)
> > > udp        0      0 0.0.0.0:514                 0.0.0.0:*
> > > off (0.00/0/0)
> > > udp        0      0 :::514
> > > :::*                                    off (0.00/0/0)
> > >
> > > If I insert a breakpoint in my program, I can see:
> > >
> > > tcp        0      0 192.168.2.170:514           192.168.1.14:62637
> > > ESTABLISHED off (0.00/0/0)
> > >
> > > With Wireshark, I can see the event message:
> > >
> > > 108.097297 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [SYN]
> Seq=0
> > > Win=8192 Len=0 MSS=1260 WS=2
> > > 108.097655 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [ACK]
> Seq=1
> > > Ack=1
> > > Win=66780 Len=0
> > > 108.097790 192.168.1.14 -> 192.168.2.170 RSH <131>E6400-Laurent
> > > EventCreate
> > > Type: Error, Category: (0), Event ID: 7, User: E6400-
> Laurent\Laurent,
> > > Description: test
> >
> > The message is not well-formed, so some properties are probably not
> > correctly
> > populated.
> >
> > > 108.099833 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [FIN,
> ACK]
> > > Seq=119 Ack=1 Win=66780 Len=0
> > > 108.100104 192.168.1.14 -> 192.168.2.170 TCP 56390 > shell [ACK]
> > > Seq=120
> > > Ack=2 Win=66780 Len=0
> > >
> > > But rsyslog doesn't insert it into the database or into the file
> > > /var/log/messages
> > >
> > > Rsyslog configuration is:
> > >
> > > $ModLoad imtcp.so
> > > $InputTCPServerRun 514
> > > $ModLoad imudp.so
> > > $UDPServerRun 514
> > >
> >
> > That's not the full config, it has no actions ;)
> >
> > Can you use
> >
> > *.* /path/to/catchall;RSYSLOG_DebugFormat
> >
> > And let us know if something arrives there (and if so, what)
> >
> > > UDP/514 messages are working well and are inserted into a database and
> > > a file /var/log/messages:
> > >
> > > 2010-09-08T14:44:20.144648+02:00 E6400-Laurent EventCreate Type:
> Error,
> > > Category: (0), Event ID: 7, User: E6400-Laurent\Laurent,
> Description:
> > > test
> > >
> > > I try to use the rsyslog debug but I don't understand the result:
> > >
> > > 4783.101672000:imtcp.c: --------<NSDSEL_PTCP> calling select,
> active
> > > fds
> > > (max 5): 4 5
> > > 4793.005236000:imtcp.c: New connect on NSD 0x165e6530.
> > > 4793.006433000:imtcp.c: --------<NSDSEL_PTCP> calling select,
> active
> > > fds
> > > (max 16): 4 5 16
> > > 4793.006450000:imtcp.c: netstream 0x16602f40 with new data
> > > 4793.006463000:imtcp.c: --------<NSDSEL_PTCP> calling select,
> active
> > > fds
> > > (max 16): 4 5 16
> > > 4793.007708000:imtcp.c: netstream 0x16602f40 with new data
> > > 4793.007748000:imtcp.c: --------<NSDSEL_PTCP> calling select,
> active
> > > fds
> > > (max 5): 4 5
> >
> > This looks like you snipped parts of the log?
> >
> > Rainer
> >
> > >
> > > The function to send UDP or TCP messages is the same except for the transport.
> > > I tried to encode the message using ANSI or ASCII but nothing appears.
> > >
> > > Do you have any solution?
> > >
> > > Best regards,
> > >
> > > Laurent Pinsivy
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com
> >
> 
> 
> 
> --
> Laurent Pinsivy | Software Engineer
> 
> Tel.   +33 (0)1 49 69 97 12
> Mob. +33 (0)6 23 20 81 96
> Fax   +33 (0)1 78 12 00 28
> 
> MERETHIS is the publisher of the Centreon software.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
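Rainer's point at the top of the thread is that TCP has no message boundaries, so a receiver only sees the end of a syslog message when an LF delimiter arrives. The following is an added illustration, not code from rsyslog or from the Centreon-E2S sender in the thread; it builds LF-delimited frames and shows how a receiver's buffer splits a TCP byte stream into messages, using the message text from the capture above as constructed sample input.

```python
"""LF-delimited syslog framing over TCP, as Rainer describes above."""
import socket
from typing import List, Tuple

# Message text as seen on the wire in the thread (constructed copy).
SAMPLE_MSG = ("<132>Sep  9 10:13:01 E6400-Laurent EventCreate Type: Warning, "
              "Category: (0), Event ID: 7, User: E6400-Laurent\\Laurent, "
              "Description: test")


def frame_lf(msg: str) -> bytes:
    """Build one TCP frame: the message followed by the LF delimiter.

    An embedded CR/LF would be read by the receiver as an extra frame
    boundary, so it is replaced with a space before framing.
    """
    clean = msg.replace("\r", " ").replace("\n", " ")
    return clean.encode("utf-8") + b"\n"


def split_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Extract complete LF-terminated messages from a TCP receive buffer.

    Returns (complete_messages, remainder). Bytes after the last LF are
    not a message yet: the receiver keeps them until more data arrives.
    A message sent without a trailing LF therefore never leaves the
    buffer, which matches the symptom in the thread (nothing in catchall).
    """
    parts = buf.split(b"\n")
    remainder = parts.pop()          # unterminated tail, if any
    return [p.rstrip(b"\r") for p in parts], remainder


def messages_delivered(wire: bytes) -> int:
    """How many complete messages a receiver would log for these bytes."""
    msgs, _ = split_frames(wire)
    return len(msgs)


def send_syslog_tcp(host: str, port: int, msg: str) -> None:
    """Send one correctly framed message (hypothetical sender helper)."""
    with socket.create_connection((host, port)) as sock:
        sock.sendall(frame_lf(msg))
```

The sender in the thread wrote the bare message and closed the socket, which `split_frames` reports as zero messages and one buffered fragment; adding the LF via `frame_lf` yields one complete message.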
