MonitorWare Knowledge Base

Hello,

I've compiled and installed the latest stable build 3.20.4. I"ve even gone as far as creating an RPM installer based on a heavily modified SPEC from the v2.0.0-11 build that is in the current Cent OS repos. All this needs testing and validation before I can say it is safe to share.

At this point, ryslogd is running on two machines. Machine A is to be the remote machine that machine B sends it's logs to. On Machine A, I'm getting local information only and nothing from the remote box. I've tried UDP, TCP and RELP protocols. Nothing is working. Both machines are on the same subnet, so there's no firewall/router issues at this point. Here' s my setup for machine A:

[root@osiris log]# cat /etc/rsyslog.conf
$ModLoad immark
$ModLoad imudp
$ModLoad imtcp
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imrelp
$InputRELPServerRun 20514

## Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log

***as you can see it's pretty vanilla, here's my proof that RELP is listening:
tcp 0 0 0.0.0.0:20514 0.0.0.0:* LISTEN
tcp 0 0 :::20514 :::* LISTEN

*** If anyone is interested or think it may help I can also post the configure and make logs as well.

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

Can you post the client config that is sending the data to the server? Have you checked the local firewall on the machine itself? This may come in your way no matter if you are on the same network or not.

If that doesn't help, I probably need a debug log, preferrably with plain tcp or RELP enabled, from both sender and receiver.

Rainer

Client Config

$ModLoad immark
$ModLoad imudp
$ModLoad imtcp
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imrelp
$InputRELPServerRun 20514

*.* mrelp:10.10.14.14:20514

NOTES**
iptables has been removed from both machines, so that isn't a factor in this equation.

Client has default /etc/sysconfig/rsyslog with -m 0 option only
Remote host /etc/sysconfig/rsyslog is running -r -m 0 options.

OK, then I need a debug log. start server first, then start client, send a message from client, stop client and server. I need the logs from both client and server.

do you want the debug info posted here or emailed?

email to rgerhards@gmail.com is good - always lengthy, I guess. Ping me in the forum when you have mailed, this is a secondary account I may not check for days...

PING!

thx, got it. reviewing...

re-ping I sent a question on the logs provided, looks like something was mixed up (just in case you also used a secondary mail address )

re-ping, I've responded to your email

what sort of debug log entry should I be looking for that shows the RELP forwarding rule?

sorry, I've been out of office until now, will have a look at debug log now and let you know the results...

ah, OK, I now see what you meant - there is no new log. For starters, you should at least see the word "omrelp" inside the debug log. That was not the case in the client log I received. Actually, the client log started a server, but had no forwarding loop. Thus I assumed that you have simply mixed up the logs.

HTH
Rainer