[rsyslog-notify] Forum Thread: BlueCoat SG and Rsyslog - (Mode 'post')

noreply at adiscon.com noreply at adiscon.com
Wed Dec 30 21:43:24 CET 2015


User: jefair2 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26253#p26253

Message: 
----------
I have read through various topics that were posted throughout the years on
this, and all of them seem to end up getting nowhere or partially so. My
only hope is that I can provide the details well enough to get this issue
settled once and for all. Seriously, BlueCoat is like the most popular
Proxy solution and no one has figured out how to get it to work correctly
with Rsyslog? Hrmmm.

First off my current configuration (I have gone through multiple changes
here to get it to the current state I am stuck on):

[code]# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability
$ModLoad imudp
$ModLoad imtcp

#### GLOBAL DIRECTIVES ####
# Needed to allow proper permissions for creating files
$umask 0000

#Increased for BlueCoat
$MaxMessageSize 500000000

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### Templates ####
# log every host in its own directory
$template splunklog,"/opt/log/%HOSTNAME%/%$year%-%$month%-%$day%-%$hour%-%PROGRAMNAME%.log"
$template splunkmsg, "%rawmsg%\n"

#bluecoats aren't cooperating at all with the above, using this in the meantime
$template bluecoatlog,"/opt/log/%fromhost%/%$year%-%$month%-%$day%-%$hour%-syslog.log"

#ssl_vpn isn't giving up the programname right now for some reason, broke during recent update
$template sslvpnlog,"/opt/log/%HOSTNAME%/%$year%-%$month%-%$day%-%$hour%-syslog.log"

#### RULES ####
## Local Logging
$RuleSet local
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# use the local RuleSet as default if not specified otherwise
$DefaultRuleset local

# ## Remote Ruleset ##
$RuleSet remote

# Force permissions to work with Splunk as files are created
$DirOwner root
$DirGroup splunk
$FileOwner root
$FileGroup splunk

# Directories need group execute
$DirCreateMode 0750

# Files need just group read
$FileCreateMode 0640

# Log everything coming in through the network (see above template)
*.* ?splunklog;splunkmsg
# ## End Remote Ruleset ##

# ## SSLVPN Ruleset ##
$RuleSet sslvpn

# Force permissions to work with Splunk as files are created
$DirOwner root
$DirGroup splunk
$FileOwner root
$FileGroup splunk
$DirCreateMode 0750
$FileCreateMode 0640

# Log everything coming in through the network (see above template)
*.* ?sslvpnlog;splunkmsg
# ## End SSLVPN Ruleset ##

# ## Bluecoat Ruleset ##
$RuleSet bluecoat

# Force permissions to work with Splunk as files are created
$DirOwner root
$DirGroup splunk
$FileOwner root
$FileGroup splunk
$DirCreateMode 0750
$FileCreateMode 0640

# Log everything coming in through the network (see above template)
*.* ?bluecoatlog;splunkmsg
# ## End Bluecoat Ruleset ##

# Provides UDP syslog reception
$InputUDPServerBindRuleset sslvpn
$UDPServerRun 514

# Provides TCP syslog reception
$InputTCPServerBindRuleset remote
$InputTCPServerRun 1514
$InputTCPServerRun 9514

# BlueCoat
$InputTCPServerBindRuleset bluecoat
$EscapeControlCharactersOnReceive off
$InputTCPServerAddtlFrameDelimiter 13
$InputTCPServerAddtlFrameDelimiter 10
$InputTCPServerRun 8514
[/code]

So, the big things here were getting the BlueCoat rulesets to stop messing
with the logs and parse them correctly. What I am still getting is errors
such as:
[quote]rsyslogd: Uncompression of a message failed with return code -3 - enable debug logging if you need further information. Message ignored.
rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 37.
rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 45.
rsyslogd: Framing Error in received TCP message: delimiter is not SP but has ASCII value 70.
[/quote]

I realize what the compression one is complaining about (it is finding a
'z' character at the start of a message). But the others I think only
started happening after I turned off $EscapeControlCharactersOnReceive.

Honestly what I need it to do is just take the log, line break
appropriately, and dump it out into a new log file. Even if I can't get it
to line break on those special characters (leaving the
$EscapeControlCharactersOnReceive will replace out \r\n with #015#012) I
can work with that because I could just handle that through Splunk (which
is actually going to be parsing my logs). What I can't have is it
truncating messages (hence why I upped the size to some ridiculous amount)
or getting confused by "compressed" messages. Any help here would be
appreciated.

I can provide sanitized data if it will help with troubleshooting.
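The two error types quoted in the post come from checks rsyslog's TCP receiver applies to the first bytes of every frame: a frame that begins with digits is taken as octet-counted framing and the byte after the digits must be a space, and a frame whose first byte is 'z' is treated as a zlib-compressed payload (return code -3 is zlib's Z_DATA_ERROR). The Python below is an added illustration, not code from the poster or from rsyslog; it mimics those checks on constructed BlueCoat-style lines and shows the RFC 6587 octet-counted framing that makes the payload's first byte irrelevant.

```python
import re
import zlib

# Constructed sample frames, NOT captured from a BlueCoat appliance.
# Each element is what one line-delimited read on the BlueCoat port
# (8514 in the posted config) could hand to the receiver.
SAMPLE_FRAMES = [
    b"2015-12-30 21:43:24 12 10.0.0.5 TCP_HIT/200 GET ...\n",  # leading digits
    b"zone-3 proxy line that merely starts with the letter z\n",  # leading 'z'
    b"<134>Dec 30 21:43:24 proxy01 bluecoat: clean syslog line\n",  # normal
]


def classify_frame(frame: bytes) -> dict:
    """Approximate the two first-byte checks of rsyslog's TCP receiver.

    This is a simplified model for illustration, not rsyslog's own code:
    1. leading digits  => octet-counted framing; a SP must follow the count,
       otherwise rsyslog reports the offending byte's ASCII value;
    2. leading 'z'     => zlib-compressed payload; decompression must succeed,
       otherwise the message is dropped (Z_DATA_ERROR is -3).
    """
    body = frame.rstrip(b"\r\n")
    m = re.match(rb"(\d+)(.)", body)
    if m:
        if m.group(2) != b" ":
            # e.g. "2015-12-30 ..." -> delimiter is '-' -> ASCII 45
            return {"status": "framing_error", "delimiter_ascii": m.group(2)[0]}
        return {"status": "octet_counted", "length": int(m.group(1))}
    if body[:1] == b"z":
        try:
            zlib.decompress(body[1:])
            return {"status": "compressed_ok"}
        except zlib.error:
            return {"status": "uncompression_failed"}
    return {"status": "ok", "msg": body.decode("ascii", "replace")}


def octet_count(msg: bytes) -> bytes:
    """Wrap a message in RFC 6587 octet-counted framing ("<len> <msg>").

    With an explicit length prefix the receiver never has to guess from the
    payload, so a message starting with a date or with 'z' is passed intact.
    """
    return str(len(msg)).encode() + b" " + msg


def classify_all(frames=SAMPLE_FRAMES) -> list:
    """Return the receiver's verdict for each constructed frame, in order."""
    return [classify_frame(f)["status"] for f in frames]
```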

