[rsyslog-notify] Forum Thread: Remote logs aren't being written - (Mode 'edit_topic')

noreply at adiscon.com noreply at adiscon.com
Tue Jun 21 01:52:59 CEST 2016


User: tcsteve 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26635#p26635

Message: 
----------
Hello,

I'm having a hard time diagnosing the problem or figuring out how to fix it. I have a pfSense firewall that I'm trying to set up to send logs to a cPanel server running rsyslog. I've used tcpdump on the cPanel server to verify that traffic is coming in on UDP 514, but the log file I've specified in rsyslog.conf isn't being written to, and I'm not sure where to go from here. This is my conf file; you can see some of the rules that I've tried to get things to go to /var/log/pfsense.log. I've created that file as root at 0644.

[code]# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
# In legacy syntax $UDPServerAddress must come before $UDPServerRun: the listener
# is created when $UDPServerRun is processed, using whatever address is set at
# that point (all addresses if none), and a later address line is not applied.
$ModLoad imudp
$UDPServerAddress 10.10.10.130
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

#if $fromhost-ip == '10.10.10.129' then /var/log/pfsense.log
if $inputname == 'imudp' then /var/log/pfsense.log
& stop

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
[/code]
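One thing worth checking in a legacy-syntax rsyslog.conf like the one above: imudp's `$UDPServerAddress` only applies to a `$UDPServerRun` that follows it, so if the run directive comes first the listener binds to all addresses and the address line is silently ignored. The script below is an added example, not code from this thread or from the rsyslog project; it lints a config file for that ordering and exercises the check against two small constructed configs (the `check_udp_listener_order` and `write_samples` names are the example's own).

```bash
#!/bin/sh
# Added example: lint the legacy imudp directive order in an rsyslog.conf.
# check_udp_listener_order prints one of: ok | address-after-run | no-listener

check_udp_listener_order() {
  # $1 = path to an rsyslog.conf written in legacy ($Directive) syntax.
  # Record the first line number of each directive, then compare them.
  awk '
    /^[[:space:]]*\$UDPServerRun[[:space:]]/     { if (!run)  run  = NR }
    /^[[:space:]]*\$UDPServerAddress[[:space:]]/ { if (!addr) addr = NR }
    END {
      if (!run)               { print "no-listener";       exit }
      if (addr && addr > run) { print "address-after-run"; exit }
      print "ok"
    }' "$1"
}

# Two constructed configs (not the poster's full file) to exercise the check:
# one with the address set after the listener is started, one with it before.
write_samples() {
  cat > "$1/posted-order.conf" <<'EOF'
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 10.10.10.130
EOF
  cat > "$1/fixed-order.conf" <<'EOF'
$ModLoad imudp
$UDPServerAddress 10.10.10.130
$UDPServerRun 514
EOF
}

main() {
  dir=$(mktemp -d)
  write_samples "$dir"
  for f in "$dir"/*.conf; do
    printf '%s: %s\n' "$(basename "$f")" "$(check_udp_listener_order "$f")"
  done
  rm -rf "$dir"
}

main
```

Because tcpdump captures packets before the host firewall's INPUT chain evaluates them, seeing traffic on UDP 514 does not by itself show that rsyslog received it; `ss -ulnp` on the server shows whether rsyslogd is actually bound on that port and on which address.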

