Rsyslog Windows Clients With RELP

Forum for the RSyslog Windows Agent. Here you can ask all questions regarding installation, configuration or occurring problems.

Postby tarkan.erimer » Mon Oct 13, 2014 11:55 am

Hi,

I'm trying to configure Windows clients to forward their logs via RELP to a centralized Debian-based rsyslog server, but I have had mixed success:

- When the client is configured to use TCP/514, it creates the subfolder (e.g. /var/log/HOSTS/test01.abc.com) and forwards a few logs, then suddenly stops forwarding them without any apparent reason.

- When the client is configured to use RELP/20514, on the other hand, it creates subfolders named after event types (e.g. Error, Server, Engine, Domain) rather than after the hostname as it should, puts the relevant logs in them, and keeps working without the sudden stops described above. See the example below:


root@syslog01:~# ls -al /var/log/HOSTS/
total 128
drwx------ 32 root root 4096 Oct 13 12:45 .
drwxr-xr-x 8 root root 4096 Oct 7 06:25 ..
drwx------ 3 root root 4096 Oct 13 12:37 A
drwx------ 3 root root 4096 Oct 13 12:20 Account
drwx------ 3 root root 4096 Oct 13 11:34 An
drwx------ 3 root root 4096 Oct 13 12:11 Attempting
drwx------ 3 root root 4096 Oct 13 11:34 BITS
drwx------ 3 root root 4096 Oct 13 12:38 Checking
drwx------ 3 root root 4096 Oct 13 12:43 Completed
drwx------ 3 root root 4096 Oct 13 12:19 Computer
drwx------ 3 root root 4096 Oct 13 12:37 Cryptographic
drwx------ 3 root root 4096 Oct 13 12:18 Domain
drwx------ 3 root root 4096 Oct 13 11:48 Engine
drwx------ 3 root root 4096 Oct 13 11:35 Error
drwx------ 3 root root 4096 Oct 13 12:35 Estimated
drwx------ 3 root root 4096 Oct 13 12:41 Finished
drwx------ 3 root root 4096 Oct 13 12:14 Group
drwx------ 3 root root 4096 Oct 6 15:47 test01.abc.com
drwx------ 3 root root 4096 Oct 13 12:36 Key
drwx------ 3 root root 4096 Oct 13 12:33 List
drwx------ 3 root root 4096 Oct 13 12:12 Making
drwx------ 3 root root 4096 Oct 13 12:45 Next
drwx------ 3 root root 4096 Oct 13 11:34 Provider
drwx------ 3 root root 4096 Oct 13 12:13 Retrieved
drwx------ 3 root root 4096 Oct 13 12:15 Retrieving
drwx------ 3 root root 4096 Oct 13 11:35 RSyslog
drwx------ 3 root root 4096 Oct 13 12:39 Service
drwx------ 3 root root 4096 Oct 13 11:37 Special
drwx------ 3 root root 4096 Oct 13 12:10 Starting
drwx------ 3 root root 4096 Oct 13 11:37 Task
drwx------ 3 root root 4096 Oct 13 11:35 The


- Also, all the Linux clients configured to use RELP/20514 work fine, as they should: a subfolder is created per host, with separate logs per service.


Below is the rsyslog server's configuration (/etc/rsyslog.conf):

# Load the RELP input module and listen on TCP/20514 for RELP clients
$ModLoad imrelp
$InputRELPServerRun 20514

# One file per host, day and program; %HOSTNAME% and %programname% are
# whatever the parser extracted from the syslog header of each message
$template DailyRemoteLogs,\
"/var/log/HOSTS/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%programname%.log"

# Write everything received via imrelp using that template
# (the leading "-" disables syncing the file after each write)
:inputname, isequal, "imrelp" -?DailyRemoteLogs



In a nutshell, what else needs to be done (on the client and/or server side) in order to get these logs into host-based subfolders (just like the Linux clients) instead of event-type-based ones?

Thanks,


Tarkan

Re: Rsyslog Windows Clients With RELP

Postby friedl » Mon Oct 13, 2014 1:57 pm

Hi Tarkan,

which version of rsyslog are you using currently?
Is the installed version on this particular system the same as on the other systems where it works as expected?

Florian
friedl
Adiscon Support

Re: Rsyslog Windows Clients With RELP

Postby tarkan.erimer » Wed Oct 15, 2014 8:34 am

friedl wrote: Hi Tarkan,

which version of rsyslog are you using currently?
Is the installed version on this particular system the same as on the other systems where it works as expected?

Florian


Hi Florian,

Sorry for my late reply, and thanks for your prompt response. I have recently managed to fix the problem via:

Templates --> Action Templates --> Send RELP

Change "MessageFormat" from :

%msg%

to

%source% %channel% %msg%


That fixed the issue, and right now all the Windows servers are forwarding their logs properly and in the same format as the Linux ones.

I'm just not sure why the default "MessageFormat" under "Send RELP" is only "%msg%" instead of "%source% %channel% %msg%". When it is "%msg%", it just messes up the rsyslog server, as you can see in my previous post. May I suggest that you change this default to "%source% %channel% %msg%", so that newcomers like me will not scratch their heads like I did (because the existing "official" documents do not explain this part clearly!)?

Cheers,


Tarkan
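Why the "%msg%"-only format produces folders named "The", "Account" or "Error" can be seen by running a syslog-style header parser over the two payloads. The example below is added here and is not code from the thread, from Adiscon or from rsyslog: it is a simplified Python model of RFC 3164 header parsing (PRI, timestamp, HOSTNAME, TAG, each optional and defaulted when missing) applied to the DailyRemoteLogs template from the server config in the first post. The sample lines are constructed, the reception time is assumed, and the hostnames test01.abc.com and linux01 and the tag sshd are illustrative. It also covers a third case the thread only mentions in passing, a Linux client that sends a full header, to show why those clients file correctly with the same server config.

```python
import re
from datetime import datetime

# Constructed sample payloads (not captured from the thread's systems): what the
# Windows Agent's "Send RELP" action is assumed to put on the wire for a single
# Event Log record under the two MessageFormat settings discussed in the thread.
# Neither carries a syslog header (no <PRI>, no timestamp).
WINDOWS_MSG_ONLY = "The Windows Event Log service has started."
WINDOWS_SOURCE_CHANNEL_MSG = "test01.abc.com Security The Windows Event Log service has started."
# A Linux client's line with a complete RFC 3164 header, for comparison (constructed).
LINUX_FULL_HEADER = "<13>Oct 13 12:45:00 linux01 sshd[2345]: Accepted publickey for root"

# The DailyRemoteLogs template from the server config posted in the thread.
DAILY_REMOTE_LOGS = "/var/log/HOSTS/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%programname%.log"

# Reception time used when a message carries no timestamp of its own (assumed).
RECEIVED_AT = datetime(2014, 10, 13, 12, 45, 0)

_PRI_RE = re.compile(r"^<(\d{1,3})>")
_TS_RE = re.compile(
    r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ([ 0-3]\d) (\d\d):(\d\d):(\d\d) "
)


def parse_rfc3164(line, received_at=RECEIVED_AT):
    """Simplified model of RFC 3164 header parsing as a syslog receiver does it.

    Every header field is optional and gets a default when absent, but the
    receiver cannot tell that a header was never sent: after the (missing)
    PRI and timestamp, the first whitespace-delimited token is still read as
    HOSTNAME and the next one as TAG. This is a teaching model, not rsyslog's
    own parser; it reproduces the behaviour the thread observed.
    """
    rest = line
    pri = 13  # user.notice is the conventional default when <PRI> is missing
    m = _PRI_RE.match(rest)
    if m:
        pri = int(m.group(1))
        rest = rest[m.end():]

    m = _TS_RE.match(rest)
    if m:
        mon, day, hh, mm, ss = m.groups()
        ts = datetime.strptime(f"{mon} {int(day)} {hh}:{mm}:{ss}", "%b %d %H:%M:%S")
        ts = ts.replace(year=received_at.year)  # RFC 3164 timestamps have no year
        rest = rest[m.end():]
    else:
        ts = received_at  # no timestamp in the message: use reception time

    # HOSTNAME: everything up to the first space, whatever it is
    host, _, rest = rest.partition(" ")

    # TAG: up to 32 characters, terminated by ':' or a space;
    # programname is the TAG without any trailing "[pid]"
    i = 0
    while i < len(rest) and i < 32 and rest[i] not in " :":
        i += 1
    tag = rest[:i]
    rest = rest[i:]
    if rest.startswith(":"):
        rest = rest[1:]
    programname = tag.split("[", 1)[0]

    return {
        "pri": pri,
        "timestamp": ts,
        "hostname": host,
        "programname": programname,
        "msg": rest.lstrip(" "),
    }


def render_template(template, fields):
    """Expand the subset of template properties that DailyRemoteLogs uses."""
    ts = fields["timestamp"]
    substitutions = {
        "%HOSTNAME%": fields["hostname"],
        "%programname%": fields["programname"],
        "%$YEAR%": f"{ts.year:04d}",
        "%$MONTH%": f"{ts.month:02d}",
        "%$DAY%": f"{ts.day:02d}",
    }
    out = template
    for prop, value in substitutions.items():
        out = out.replace(prop, value)
    return out


def log_path_for(line, received_at=RECEIVED_AT, template=DAILY_REMOTE_LOGS):
    """File the server would write this line to under the thread's template."""
    return render_template(template, parse_rfc3164(line, received_at))


if __name__ == "__main__":
    for label, line in [
        ("MessageFormat %msg%", WINDOWS_MSG_ONLY),
        ("MessageFormat %source% %channel% %msg%", WINDOWS_SOURCE_CHANNEL_MSG),
        ("Linux client, full RFC 3164 header", LINUX_FULL_HEADER),
    ]:
        print(f"{label}:\n  {line}\n  -> {log_path_for(line)}")
```

With "%msg%" alone, the word "The" becomes %HOSTNAME% and "Windows" becomes %programname%, so the line lands in /var/log/HOSTS/The/.../Windows.log, which is exactly the kind of directory listing in the first post. With "%source% %channel% %msg%" the agent supplies the tokens the parser expects, so the host and the event channel take the hostname and programname slots and the layout matches the Linux clients. The practitioner's caveat is that %HOSTNAME% and %programname% are whatever the sender put in the message, not the TCP peer's identity, and they are spliced into a filesystem path: a client that can send arbitrary text decides which directory is written to, so the property options rsyslog provides for templates (secpath-drop / secpath-replace) are worth using on any path built from received properties.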
