[rsyslog-notify] Forum Thread: help with omudpspoof - (Mode 'post')
noreply at adiscon.com
Tue Apr 22 07:21:09 CEST 2014
User: ebailey
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24568#p24568
Message:
----------
We have all of our switches and firewalls logging to an rsyslog server that
logs all the data to the file system for processing. I now need to send
certain events to a network management appliance that requires that the
events arrive as if the data came from the original device and not the
rsyslog server. This is where the omudpspoof module will hopefully help me
solve this requirement. We have hundreds of network devices and it would be
much easier to make this change on the rsyslog server than change hundreds of
device configs. My first attempt was a sad failure. Any suggestions are
much appreciated.
Thanks!
Package versions
[xxxxxxxxxxxxx at xxxxxxxxxxxxx ~]$ rpm -qa | grep rsyslog
rsyslog-7.6.3-1.el6.x86_64
rsyslog-5.8.10-6.el6.x86_64
rsyslog-udpspoof-7.6.3-1.el6.x86_64
Failed first attempt
#### MODULES ####
$ModLoad imuxsock # local system logging (e.g. via logger command)
$ModLoad imklog # kernel logging (previously done by rklogd)
$ModLoad imudp # UDP syslog reception
$ModLoad omudpspoof # UDP forwarding with the original sender's source address
# $ModLoad imtcp # TCP syslog reception; currently commented out.
#--- End modules
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default.
# This feature is usually not required, not useful and an
# extreme performance hit
# $ActionFileEnableSync on
$ActionOMUDPSpoofTargetHost xxxxxxxxx
$ActionOMUDPSpoofTargetPort 514
#--- End global directives
#### RULES ####
#--- local ruleset
$RuleSet local
# Log all information coming from uxauthd to /var/log/caac.log,
# then discard the log so it doesn't pollute the other logs.
:programname, contains, "uxauthd" /var/log/caac.log
:programname, contains, "uxauthd" ~
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place. Do not sync file after
# every logging attempt.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none;auth.none /var/log/messages
# Fwd info and above to all_logs. Do not sync file after logging attempt.
*.info;mail.none -/opt/logs/all_logs
$WorkDirectory /var/lib/rsyslog # where to place spool files
# Set default rule set:
$DefaultRuleset local
#--- End local ruleset
#--- remote ruleset
$RuleSet remote
# Forward the below events
:msg, contains, "5-111010" :omudpspoof:
:msg, contains, "5-111008" :omudpspoof:
:msg, contains, "SEC-6-1" :omudpspoof:
*.* -/opt/logs/all_logs
#--- End remote ruleset
#--- End rules
#### LISTENERS ####
# Provides UDP syslog reception and binds the remote ruleset to
# any logs received via port 514
$InputUDPServerBindRuleset remote
$UDPServerRun 514
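The requirement in the post is that the appliance sees datagrams whose source address is the original device's, not the relay's. The quickest way to tell whether omudpspoof is actually in effect is to look at the source address of what arrives. The following is an added example (not code from the post, from rsyslog or from the omudpspoof module) that classifies received UDP syslog datagrams by source address and by whether they match the forwarding substrings from the posted remote ruleset; RELAY_IP and the sample datagrams are constructed placeholders, and the live listener is only for running on a test receiver standing in for the appliance.

```python
"""Check what a receiver sees from an omudpspoof relay.

Added example for this thread, not code from the post or from rsyslog.
omudpspoof has done its job only if the receiver gets datagrams whose
source address is the original device's, not the relay's. classify()
and summarize() work offline on constructed samples; listen() does the
same on a live UDP socket. RELAY_IP and SAMPLES are constructed; the
substrings in WANTED are the ones from the posted remote ruleset.
"""
import re
import socket
from collections import Counter

RELAY_IP = "192.0.2.10"  # constructed: the rsyslog relay's own address
WANTED = ("5-111010", "5-111008", "SEC-6-1")  # from the posted remote ruleset

# RFC 3164 priority field: <PRI> where PRI = facility*8 + severity (0..191)
PRI_RE = re.compile(r"^<(\d{1,3})>")


def classify(src_ip, payload, relay_ip=RELAY_IP):
    """Describe one received datagram.

    'spoofed' is True when the source address is not the relay's, i.e.
    the original device address was preserved as the post requires.
    """
    text = payload.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    pri = int(m.group(1)) if m else None
    if pri is not None and pri > 191:
        pri = None  # not a valid RFC 3164 PRI value
    return {
        "src": src_ip,
        "spoofed": src_ip != relay_ip,
        "facility": None if pri is None else pri // 8,
        "severity": None if pri is None else pri % 8,
        "matches_rule": any(tag in text for tag in WANTED),
    }


def summarize(datagrams, relay_ip=RELAY_IP):
    """Tally (src_ip, payload) pairs: how many arrived with a preserved
    device address, how many with the relay's own address, and how many
    would not have matched any of the posted forwarding rules."""
    counts = Counter()
    for src_ip, payload in datagrams:
        info = classify(src_ip, payload, relay_ip)
        counts["spoofed" if info["spoofed"] else "from_relay"] += 1
        if not info["matches_rule"]:
            counts["unexpected"] += 1
    return dict(counts)


# Constructed sample datagrams: one that arrived with a device address
# (spoofing worked), one with the relay's own address (spoofing not in
# effect), and one that none of the posted rules should have forwarded.
SAMPLES = [
    ("192.0.2.50", b"<189>Apr 22 07:21:09 fw01 %ASA-5-111010: User 'admin' ..."),
    ("192.0.2.10", b"<189>Apr 22 07:21:10 fw02 %ASA-5-111008: User 'admin' ..."),
    ("192.0.2.51", b"<190>Apr 22 07:21:11 sw01 %LINK-3-UPDOWN: Interface ..."),
]


def listen(bind_addr="0.0.0.0", port=514, relay_ip=RELAY_IP):
    """Live mode on a test receiver: print one line per datagram.
    Binding port 514 needs root or CAP_NET_BIND_SERVICE."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        payload, (src_ip, _port) = sock.recvfrom(65535)
        info = classify(src_ip, payload, relay_ip)
        state = "device-src" if info["spoofed"] else "RELAY-SRC (spoof not in effect)"
        print(f"{src_ip:<15} {state} fac={info['facility']} "
              f"sev={info['severity']} rule_match={info['matches_rule']}")


if __name__ == "__main__":
    print(summarize(SAMPLES))
```

If every line the listener prints carries the relay's address, the module is loaded but not spoofing (for example because the binary that is actually running is not the 7.x package that ships omudpspoof, or because it lacks the raw-socket privilege it needs); if the addresses are the devices', the relay side is working and any remaining problem is on the appliance.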