Rsyslog collecting logs on secondary interface / ip address.

This is the place for you, if you got rsyslog up and running but wonder how to make it do what you want.

Moderator: rgerhards


Post by thejester2112 » Wed Dec 06, 2017 4:05 pm

Hello,

I am trying to have Rsyslog collect logs the system receives on a secondary interface / IP address (ens33:0, 1.1.1.2) to better categorize the data as it comes in from various source devices/types.

There were a few similar posts but there aren't any resolutions to them.
https://kb.monitorware.com/post4927.html?hilit=secondary%20ip#p4927
http://kb.monitorware.com/rsyslog-not-l ... 12688.html


System info / Version
OS is a VM running CentOS Linux release 7.3.1611
rsyslogd: version 8.26.0

[user@syslogsrver]$ netstat -nau | egrep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 0.0.0.0:514 0.0.0.0:*
udp6 0 0 :::514 :::*
udp6 0 0 :::514 :::*


[user@syslogsrver]$ ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.1.1.1 netmask 255.255.255.0 broadcast 1.1.1.255
ether 00:50:56:8f:27:22 txqueuelen 1000 (Ethernet)
RX packets 57715147055 bytes 21087134877163 (19.1 TiB)
RX errors 0 dropped 3563390 overruns 0 frame 0
TX packets 86194582738 bytes 22106267369658 (20.1 TiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens33:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 1.1.1.2 netmask 255.255.255.0 broadcast 1.1.1.255
ether 00:50:56:8f:27:22 txqueuelen 1000 (Ethernet)



Config has been attached. When we send syslog to the secondary IP address it does not get written to file. It seems that it just gets lost. Any thoughts?

Thanks!
Attachments
rsyslog.conf-test-secondary-ip.txt
Config File

Re: Rsyslog collecting logs on secondary interface / ip addr

Post by thejester2112 » Mon Jan 15, 2018 2:12 pm

I was able to work with our systems team and it appears to be due to the changes in the kernel with handling interfaces on the same subnet. The following changes have now fixed the issue in which each interface is responding to arp who-has with the correct MAC address.

# Controls source route verification
#net.ipv4.conf.default.rp_filter = 1
# prevent same subnet problems
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.ens33.rp_filter = 0
net.ipv4.conf.ens35.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.ens33.arp_filter = 0
net.ipv4.conf.ens35.arp_filter = 0
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_announce=2


The problem I have now is it seems that Rsyslog stops collecting logs for the ruleset on the second interface. I haven't figured out the time period in which it stops collecting. When it stops collecting a simple stop start of Rsyslog gets it to start collecting again.

Any thoughts?
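
The effective per-interface values of the sysctl settings in the post above, as an added example that is not part of the original post or of rsyslog: the kernel combines conf.all with conf.<interface> (the maximum for rp_filter, arp_ignore and arp_announce, a logical OR for arp_filter), so the script resolves what ens33 and ens35 actually get. The function names are hypothetical; an interface without its own entry is assumed to inherit conf.default, and a key absent from the snippet is assumed to be 0, the kernel default.

```python
import re

# Settings copied verbatim from the post above (comments included).
POSTED = """\
# Controls source route verification
#net.ipv4.conf.default.rp_filter = 1
# prevent same subnet problems
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.ens33.rp_filter = 0
net.ipv4.conf.ens35.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.ens33.arp_filter = 0
net.ipv4.conf.ens35.arp_filter = 0
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_announce=2
"""

KEYS = ("rp_filter", "arp_filter", "arp_ignore", "arp_announce")
RP_MODE = {0: "no source validation", 1: "strict", 2: "loose"}
LINE = re.compile(r"^net\.ipv4\.conf\.([^.\s]+)\.(\w+)\s*=\s*(\d+)$")

def parse(text):
    """Return {(scope, key): value}; comments are skipped, later lines win."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            settings[(m.group(1), m.group(2))] = int(m.group(3))
    return settings

def effective(settings, iface, key):
    """Value the kernel applies on iface: max(conf.all, conf.<iface>).
    For the 0/1 arp_filter flag, max is the same as the kernel's OR.
    Assumptions: an interface without its own entry inherits conf.default,
    and a key missing from the text is 0 (the kernel default)."""
    own = settings.get((iface, key), settings.get(("default", key), 0))
    return max(settings.get(("all", key), 0), own)

def audit(text, ifaces=("ens33", "ens35")):
    """Effective value of each key on each interface named in the post."""
    settings = parse(text)
    return {i: {k: effective(settings, i, k) for k in KEYS} for i in ifaces}

if __name__ == "__main__":
    for iface, vals in audit(POSTED).items():
        print(iface, vals, "rp_filter:", RP_MODE[vals["rp_filter"]])
```

Because the maximum wins, a per-interface rp_filter of 0 only takes effect when conf.all.rp_filter is 0 as well, as it is in the posted settings.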