Rsyslog error 2207


@meem6

Hello,
I am getting this error in messages, when starting rsyslogd ver 8.24

liblogging-stdlog: error during config processing: STOP is followed by unreachable statements! [v8.24.0 try http://www.rsyslog.com/e/2207

I added these lines to rsyslog.conf to save all logs into a directory structure by IP and host:

$ModLoad imudp
$UDPServerRun 514
$InputUDPServerBindRuleset remote

$template RemoteLogs, "/LOGS/remote/%FROMHOST-IP%/%HOSTNAME%.%timegenerated:1:10:date-rfc3339%.log"
*.* ?RemoteLogs
& stop

The logging is working OK, but I think the configuration can be done better.
(error during config processing: STOP is followed by unreachable statements)

Environment

rsyslogd 8.24.0
"SUSE Linux Enterprise Server 12 SP3"

@davidelang

we would need to see the full config to see what's happening, but you have an
unconditional stop, so the error message that statements after that point will
never be processed is correct. How much of a problem this is depends on your config.

David Lang

@meem6

the conf is rather a default one, just the lines for remote logging were added.

grep -v ^# /etc/rsyslog.conf |grep -v ^$
$ModLoad immark.so
$MarkMessagePeriod 3600
$ModLoad imuxsock.so
$RepeatedMsgReduction on
$ModLoad imklog.so
$klogConsoleLogLevel 1
$ModLoad imudp
$UDPServerRun 514
$InputUDPServerBindRuleset remote
$template RemoteLogs, "/LOGS/remote/%FROMHOST-IP%/%HOSTNAME%.%timegenerated:1:10:date-rfc3339%.log"
*.* ?RemoteLogs
& stop
$IncludeConfig /run/rsyslog/additional-log-sockets.conf
$IncludeConfig /etc/rsyslog.d/*.conf
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0022
if (
/* kernel up to warning except of firewall */
($syslogfacility-text == 'kern') and
($syslogseverity <= 4 /* warning */ ) and not
($msg contains 'IN=' and $msg contains 'OUT=')
) or (
/* up to errors except of facility authpriv */
($syslogseverity <= 3 /* errors */ ) and not
($syslogfacility-text == 'authpriv')
)
then {
/dev/tty10
|/dev/xconsole
}
*.emerg :omusrmsg:*
if ($syslogfacility-text == 'kern') and
($msg contains 'IN=' and $msg contains 'OUT=')
then {
-/var/log/firewall
stop
}
if ($programname == 'acpid' or $syslogtag == '[acpid]:') and
($syslogseverity <= 5 /* notice */)
then {
-/var/log/acpid
stop
}
if ($programname == 'NetworkManager') or
($programname startswith 'nm-')
then {
-/var/log/NetworkManager
stop
}
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0.*;local1.* -/var/log/localmessages
local2.*;local3.* -/var/log/localmessages
local4.*;local5.* -/var/log/localmessages
local6.*;local7.* -/var/log/localmessages

@davidelang

On Thu, 7 Feb 2019, meem6 wrote:
the conf is rather a default one, just the lines for remote logging were added.

yes, you say to write all logs to files using the remotelogs template, and then
to stop processing all logs, so nothing after that will be processed.

The warning message is telling you that you have a lot of config that isn’t
being processed because of the stop action.

what are you intending to happen?

grep -v ^# /etc/rsyslog.conf |grep -v ^$
$ModLoad immark.so
$MarkMessagePeriod 3600
$ModLoad imuxsock.so
$RepeatedMsgReduction on
$ModLoad imklog.so
$klogConsoleLogLevel 1
$ModLoad imudp
$UDPServerRun 514
$InputUDPServerBindRuleset remote
$template RemoteLogs, "/LOGS/remote/%FROMHOST-IP%/%HOSTNAME%.%timegenerated:1:10:date-rfc3339%.log"
*.* ?RemoteLogs
& stop

nothing after this is processed.

David Lang

$IncludeConfig /run/rsyslog/additional-log-sockets.conf
$IncludeConfig /etc/rsyslog.d/*.conf
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0022
if (
/* kernel up to warning except of firewall */
($syslogfacility-text == 'kern') and
($syslogseverity <= 4 /* warning */ ) and not
($msg contains 'IN=' and $msg contains 'OUT=')
) or (
/* up to errors except of facility authpriv */
($syslogseverity <= 3 /* errors */ ) and not
($syslogfacility-text == 'authpriv')
)
then {
/dev/tty10
|/dev/xconsole
}
*.emerg :omusrmsg:*
if ($syslogfacility-text == 'kern') and
($msg contains 'IN=' and $msg contains 'OUT=')
then {
-/var/log/firewall
stop
}
if ($programname == 'acpid' or $syslogtag == '[acpid]:') and
($syslogseverity <= 5 /* notice */)
then {
-/var/log/acpid
stop
}
if ($programname == 'NetworkManager') or
($programname startswith 'nm-')
then {
-/var/log/NetworkManager
stop
}
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0.*;local1.* -/var/log/localmessages
local2.*;local3.* -/var/log/localmessages
local4.*;local5.* -/var/log/localmessages
local6.*;local7.* -/var/log/localmessages

@meem6

what I want seems to be working OK, maybe I could do some performance tuning for remote logging.

all logs from remote servers (a few hundred) and also the localhost are sent to the NAS "/LOGS/remote/%FROMHOST-IP%/%HOSTNAME%.%timegenerated:1:10:date-rfc3339%.log"

there is nothing in /var/log/messages (but I don't mind as the logs are in a different location, same as the remote servers)

so the error is more like a warning, I have a "strange" configuration, if I remove the "extra" lines then I will be ok.
Thank you David.

@davidelang

On Thu, 7 Feb 2019, meem6 wrote:
what I want seems to be working OK, maybe I could do some performance tuning for remote logging.

all logs from remote servers (a few hundred) and also the localhost are sent to the NAS "/LOGS/remote/%FROMHOST-IP%/%HOSTNAME%.%timegenerated:1:10:date-rfc3339%.log"

there is nothing in /var/log/messages (but I don't mind as the logs are in a different location, same as the remote servers)

that is because you have told rsyslog to throw away the log before getting to
the point that you would write to /var/log/messages.

so the error is more like a warning, I have a "strange" configuration, if I remove the "extra" lines then I will be ok.

yes, if you remove all the actions after the stop, the warning will go away.

David Lang
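The layout David describes (every message, local or remote, hits the unconditional stop in the default ruleset, so the distribution's rules behind it are unreachable) can be avoided by giving the UDP input its own ruleset. The following is an added example in rsyslog v8 RainerScript, not the configuration from the issue; the template string is the one from the thread, and the ruleset name "remote" matches the bind directive already in the poster's config.

```rsyslog
# Added example: isolate the remote-logging path in its own ruleset.
# Replaces the legacy lines "$ModLoad imudp", "$UDPServerRun 514",
# "$InputUDPServerBindRuleset remote", "$template RemoteLogs",
# "*.* ?RemoteLogs" and "& stop"; remove those, otherwise imudp is
# loaded twice and the stop still sits in the default ruleset.
module(load="imudp")

# Same dynamic file name as the thread's $template RemoteLogs.
template(name="RemoteLogs" type="string"
         string="/LOGS/remote/%FROMHOST-IP%/%HOSTNAME%.%timegenerated:1:10:date-rfc3339%.log")

# Messages arriving on the UDP input are processed here and only here.
# "stop" ends processing for these messages inside this ruleset; the
# default ruleset (and the distribution's rules in rsyslog.conf) is
# never entered for them, so nothing is left unreachable and rsyslog
# has no reason to emit the 2207 warning.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs"
           fileCreateMode="0640" dirCreateMode="0750")
    stop
}

# Bind the input to the ruleset. The ruleset must be defined before
# the input that references it.
input(type="imudp" port="514" ruleset="remote")

# Local messages (imuxsock, imklog) are not bound to "remote" and keep
# flowing through the default ruleset. The poster also wants them on
# the NAS: copy them with the same template but without a stop, so the
# /var/log/messages and other default rules that follow still run.
action(type="omfile" dynaFile="RemoteLogs")
```

Validate with rsyslogd -N1 before restarting; the check reports both syntax problems and the unreachable-statement warning.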

@lock

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.



locked as resolved and limited conversation to collaborators

Jun 24, 2020

holybit / 1-run_rsyslog


$ cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
$ /usr/sbin/rsyslogd -v
rsyslogd 7.4.7, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
uuid support: Yes
See http://www.rsyslog.com for more information.
$ /usr/sbin/rsyslogd
rsyslogd: error during parsing file (null), on or before line 93: STOP is followed by unreachable statements!
[try http://www.rsyslog.com/e/2207 ]
# & stop in 4.conf below seems to be the issue


Source

error 2207; liblogging-stdlog: error during config processing: STOP is followed by unreachable statements! #3457


Source

problem using ( & stop ) / STOP is followed by unreachable statements! #3668

Expected behavior

● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2019-05-15 16:53:50 EDT; 15h ago

May 15 16:53:50 syslog002.ny5.pragmafs.com systemd[1]: Stopped System Logging Service.
May 15 16:53:50 syslog002.ny5.pragmafs.com systemd[1]: Starting System Logging Service.
May 15 16:53:50 syslog002.ny5.pragmafs.com rsyslogd[20753]: [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="20753" x-info="http://www.rsyslog.com"] start
May 15 16:53:50 syslog002.ny5.pragmafs.com systemd[1]: Started System Logging Service.

Actual behavior

● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2019-05-16 08:50:07 EDT; 5s ago

May 16 08:50:07 syslog002.ny5.pragmafs.com rsyslogd[3604]: [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="3604" x-info="http://www.rsyslog.com"] start
May 16 08:50:07 syslog002.ny5.pragmafs.com rsyslogd[3604]: error during config processing: STOP is followed by unreachable statements! [v8.24.0-34.el7 try http://www.rsyslog.com/e/2207 ]
May 16 08:50:07 syslog002.ny5.pragmafs.com systemd[1]: Started System Logging Service.

Steps to reproduce the behavior

In the rsyslog.conf, to get the current behavior I put "& stop", and it just works when I don't use it. I need to use that command to discard the log that matches the conditions.

Environment

  • rsyslog version: 8.24.0-34.el7.
  • platform: CentOS Linux release 7.6.1810
  • rsyslog.conf


Source

How to Configure Remote Logging with Rsyslog on Ubuntu 18.04

In this tutorial, we are going to learn how to configure remote logging with Rsyslog on Ubuntu 18.04.

Log files are files that contain messages about the system, including the kernel, services, and applications running on it. There are different log files for different information. For example, there is a default system log file, a log file just for security messages, and a log file for cron tasks.


Log files are useful when troubleshooting a problem with a Linux system, for example when looking for unauthorized login attempts.

Some log files are controlled by the rsyslogd daemon, an enhanced replacement for sysklogd. It provides extended filtering, encrypted message relay, various configuration options, and input and output modules. It also supports the TCP and UDP transport protocols.

Rsyslog can be configured in a client/server model. When configured as a client, it sends logs to a remote server over the network via TCP/UDP. As a server, it receives logs over the network from remote clients on port 514 TCP/UDP.

Rsyslog filters syslog messages based on selected filters. You may want to check out our previous article on basic introduction to rsyslog filters.

Configure Remote Logging Server with Rsyslog on Ubuntu 18.04

Install Rsyslog on Ubuntu 18.04

Rsyslog is installed on Ubuntu 18.04 by default. You can verify this by checking the version of installed rsyslog.

If it is not installed, run the command below to install it.

apt install rsyslog -y

Once the installation is done, start and enable the rsyslog service.

Allow Rsyslog through Firewall

If a firewall is running, allow rsyslog through it.


Configure Ubuntu 18.04 as a Log Server

Now that rsyslog is installed and running, you need to configure it to run in server mode. To do so, edit the /etc/rsyslog.conf configuration file and uncomment the lines for UDP syslog reception in the MODULES section as shown below;

Note that TCP syslog reception is far more reliable than UDP syslog and still fast. The main reason is that UDP can suffer message loss: when the syslog server has to receive large bursts of messages and the system's UDP buffer is full, further messages are dropped. With TCP this does not happen. It can still be useful to have a UDP server configured as well, because some devices (such as routers) cannot send TCP syslog by design. In that case you need both server types to have everything covered.

By default UDP syslog is received on port 514. TCP syslog may need a different port because the RPC service often uses that port as well.

To run rsyslog on a different TCP port, say TCP port 50514, uncomment the TCP reception lines and change the port as shown below;

Verify that rsyslog is now listening on two ports;

You may notice that UDP port has no LISTEN state because it is connectionless and has no concept of “listening”, “established”, “closed”, or anything like that.

Open the new port on UFW;

Define Allowed Senders

You may also want to explicitly set the remote clients that are allowed to send syslog messages to rsyslogd. To achieve this, use the global $AllowedSender directive.

Allowed sender lists can be defined for UDP and TCP senders separately. The syntax to specify them is:

$AllowedSender [UDP/TCP], ip[/bits], ip[/bits]

ip[/bits] is a machine or network IP address as in "192.0.2.0/24" or "192.0.2.10". If the /bits part is omitted, a single host is assumed. "/0" is not allowed, because that would match any sending system.

Hostnames, with and without wildcards, may also be provided. If so, the result of reverse DNS resolution is used for filtering. Multiple allowed senders can be specified in a comma-delimited list.

It is good to specify senders with high traffic volume before those with lower volume.

Besides allowing specific hosts via this directive, it is a good idea to also restrict allowed senders with the firewall.

To allow specific hosts for either UDP or TCP logging, enter the following lines;

Configure Rsyslog Template

Templates are a key feature of rsyslog. Any output that is generated by rsyslog can be modified and formatted according to your needs with the use of templates. To create a template use the following syntax in /etc/rsyslog.conf:

Thus, we can create our template like;

Once you are done with the configuration, run a configuration check before restarting rsyslogd.

If all is well, proceed to restart rsyslog.

Rsyslogd is now ready to receive logs from remote hosts.

Configure Remote Client

Now it is time to configure the remote client to send syslog messages to the remote syslog server. Login and proceed as follows.

Verify Remote Ports Connection

To verify connectivity to remote rsyslog server TCP port 50514, run the command below;

Verify connectivity to UDP port 514. Since you cannot telnet to UDP port 514, use netcat command. On the server, run the command below;

On the client, run the command below, press ENTER and type anything. You should be able to see what you type on the server.

If all is good, edit the rsyslog configuration file as shown below;

To send authentication logs over port 514/UDP, add the following line at the end of the file.

To send all logs over port 50514/TCP, add the following line at the end of the file.

As a cushion in case the remote rsyslog server goes down and your logs are too important to lose, set up an rsyslog disk queue for buffering in the rsyslog configuration file as shown below;

Restart the rsyslog service on the client.

You can now log out of the client and log in again. The authentication logs should be available on the rsyslog server.

Log in to the server and verify the same.

In our case, we send only authentication logs to remote rsyslog server.

Well, that is all it takes to configure remote logging with rsyslog on Ubuntu 18.04. We hope this guide was helpful. Enjoy.

Source


I am trying to structure logs from my D-Link DAP-2310 in a rsyslog server. It has a non-standard log format and my idea is to fix that with regex in a rsyslog template. When I parse the rsyslog.conf with rsyslogd -N1 the result is really depressing.

The msg data item looks like AA:BB:CC:DD:EE] [app-name] log message
The first part is a mac address where the first part “[00:” is placed in another data item, don’t ask why. Part two “[app-name]” is the application/instance sending the message. Last part “log message” is the logged action.

The interesting parts are i) app-name and ii) log message.

I have validated the following regular expressions at http://www.rsyslog.com/regex/ and both of them work like a charm.

  1. [(.+)]
  2. [.+](.+)

The full template declaration looks like:

template(name="AP_tmpl" type="list") {
    property(name="timestamp")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="msg"
        regex.type="ERE"
        regex.submatch="1"
        regex.expression="[(.+)]--end"
        regex.nomatchmode="BLANK"
    )
    constant(value=" ")
    property(name="msg"
        regex.type="ERE"
        regex.submatch="1"
        regex.expression="[.+](.+)$--end"
        regex.nomatchmode="BLANK"
    )
    constant(value="n")
}

When I parse the conf file it complains about escape characters.

tobias@ubuntutest:~$ sudo rsyslogd -N1
rsyslogd: version 7.4.4, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '"' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '.' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '*' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: invalid character '' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.d/41-AP.conf, on or before line 20: syntax error on token ']' [try http://www.rsyslog.com/e/2207 ]
rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2207 ]
rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)

I can’t figure out why, the regular expressions are validated without any errors. http://www.rsyslog.com/e/2207 gives nothing. Any ideas?

41 Replies

  • Daniel Beato (dbeato):

  • Dan Hoffmann (dhoff, OP):

    Windows Agent PDF — WOW! All those extra programs?

    Seems a bit much, so I am hesitant to install on my AD servers. Do you have these running on domain controllers?

  • Daniel Beato (dbeato):

    It is actually an agent and not a bunch of programs.

  • Dan Hoffmann (dhoff, OP):

    Maybe this isn't clear to me then... Should I start with step 1, or am I skipping to step 6?

    1) Download & Install WinPcap 3.0

    2) Download & Install Snort 2.3.2

    3) Download & Install Python

    4) Download & Install mySQL
       QL-python.exe-1.2.0.win32-
       my4.0-py2.3.exe?download

    5) Download & Install ossim.tar.gz from the official web site:

  • Daniel Beato (dbeato):

  • Daniel Beato (dbeato):

  • Dan Hoffmann (dhoff, OP):

    Getting closer I think — and I thank you very much for that.

    On my Windows server: I edited the OSSEC config. Unable to start.

    States : Unable to start agent (check config)

    My config:

    <ossec_config>
      <client>
          <server-ip>OSSIM_IP</server-ip>
      </client>
    </ossec_config>

  • Author Dan Hoffmann

    OP
    dhoff


    This person is a Verified Professional

    This person is a verified professional.

    Verify your account
    to enable IT peers to see that you are a professional.

    serrano

    Hold the phone!

    I may have something…

    I now have 1 event = Agent loaded.


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    Should I still have the HIDS deployed?


  • Author Daniel Beato

    dbeato

    pure capsaicin

    Yes, you should still have the HIDS deployed but if not just install them manually.


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    Thank you so much — I am now getting Windows data!


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    Anything special for the Fortigate?  I saw that webpage doc before and re-followed it today and still not much is happening.

    I have a total of 9 events, all windows network login, which I believe is from my SSO setup of the firewall.


  • Author Daniel Beato

    dbeato

    pure capsaicin

    Okay, try checking if port 514 is open on the OSSIM appliance and check that the firewall logging level is correct.


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    If I am setting the port on the Firewall which: 
    set port 514 

    Wouldn’t it be easier to set the correct one here? — or does it not work like that?


  • Author Daniel Beato

    dbeato

    pure capsaicin

    OSSIM needs to be the one that has port 514 open, not the firewall.


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    I’m not clear on how to do this:

    My /etc/rsyslog.conf shows:

    $MaxMessageSize 64k

    $ModLoad imuxsock # provides support for local system logging
    $ModLoad imklog # provides kernel logging support
    #$ModLoad immark # provides --MARK-- message capability

    # provides UDP syslog reception
    $ModLoad imudp
    $UDPServerRun 514

    # provides TCP syslog reception
    $ModLoad imtcp
    $InputTCPServerRun 514

    ###########################
    #### GLOBAL DIRECTIVES ####
    ###########################


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    ok — found an article that says to add a line in the /etc/ossim/firewall_includes

    -A INPUT -p tcp -m state --state NEW -m tcp --dport 514 -j ACCEPT

    Added this and ran ossim-reconfig [article said this as well]

    I’m not getting firewall logs other than the windows login — shouldn’t I be seeing firewall traffic?


  • Author Daniel Beato

    dbeato

    pure capsaicin

    strange, can you restart OSSIM and check again?


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    did — no changes yet.

    It is strange as I am only getting HIDS events and the HIDS states it is not connected:

    2017-04-17 02:16:36AlienVault HIDS: : Windows Network Logon 

    Nothing but Windows logon events.


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    Might I not have the right plugin loaded?  I have the fortinet plugin loaded


  • Author Daniel Beato

    dbeato

    pure capsaicin

    You usually do not need to have the Fortigate plugin. I usually add it as a syslog device. 


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    I ran a sniffer from the firewall and it states that udp port 514 is unreachable

    So I must not have opened 514 properly.


  • Author Daniel Beato

    dbeato

    pure capsaicin

  • Author Dan Hoffmann

    OP
    dhoff



    serrano

    getting closer — the firewall shows 514 is now open.


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    When I add the new agent on the OSSIM, I get a key but I see no options or agent to add the key to the Fortigate.

    Should I not have added the Fortigate agent to the OSSIM?


  • Author Daniel Beato

    dbeato

    pure capsaicin

    There is no need to add the key to the Fortigate. You should be able to send syslog directly to the OSSIM appliance/vm. 


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    Followed the troubleshooting steps.

    2 things:

    The tcpdump shows me a counting Got ##.  I am not clear if this is telling me I have traffic or not.

    and when I go to restart the rsyslog service — I get: error 2207.  The rsyslog link states an error with the config file, but I don’t know what I’m looking at to know what might be wrong.  So I can’t restart that service — but I have been rebooting

    I did notice that in rsyslog.conf the UDPServerRun 514 was commented out.  I uncommented it, rebooted, but still no logs.

    [section]

    # provides TCP syslog reception
    $ModLoad imtcp
    InputTCPServerRun 514



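Error 2207 is rsyslog's config-parse error, and the snippet in the post above shows one way to trigger it in legacy syntax: `InputTCPServerRun 514` lacks the leading `$` that every legacy directive needs, so the parser treats the line as a filter rule and rejects it (and, as a side effect, no TCP listener is ever created). The Python below is an added example, not rsyslog code or anything posted in the thread. It lints a legacy-format rsyslog.conf for the two mistakes visible on this page (a directive without its `$`, and a selector that joins facility and priority with `:` instead of `.`, the "invalid character ':'" case reported in the CentOS post further down) and reports which port-514 listeners remain active once commented-out lines are discounted. The sample config is constructed to mirror the snippets quoted here; `lint_rsyslog_conf`, `LintResult` and `LEGACY_DIRECTIVES` are my names.

```python
"""Lint a legacy-syntax rsyslog.conf for the parse problems quoted in this
thread and report which port-514 listeners are really enabled.
Added example; not rsyslog code.  The sample config is constructed."""
from dataclasses import dataclass, field

# Legacy ($-prefixed) directive names that appear in the configs quoted here.
LEGACY_DIRECTIVES = {
    "maxmessagesize", "modload", "udpserverrun", "inputtcpserverrun",
    "includeconfig", "template",
}


@dataclass
class LintResult:
    findings: list = field(default_factory=list)   # (line_no, message) pairs
    udp_ports: list = field(default_factory=list)  # active $UDPServerRun ports
    tcp_ports: list = field(default_factory=list)  # active $InputTCPServerRun ports


def lint_rsyslog_conf(text: str) -> LintResult:
    res = LintResult()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # comments and blanks never reach the parser
        if not line:
            continue
        tokens = line.split()
        head = tokens[0]
        if head.startswith("$"):
            # A real legacy directive: record the listeners it enables.
            name = head[1:].lower()
            if name == "udpserverrun" and len(tokens) > 1 and tokens[1].isdigit():
                res.udp_ports.append(int(tokens[1]))
            elif name == "inputtcpserverrun" and len(tokens) > 1 and tokens[1].isdigit():
                res.tcp_ports.append(int(tokens[1]))
            continue
        if head.lower() in LEGACY_DIRECTIVES:
            # Without the '$' rsyslog treats this as a filter rule and fails to parse it.
            res.findings.append((no, f"directive '{head}' is missing its leading '$'"))
            continue
        if head[0] in ":&":
            continue  # property-based filter or '&' continuation, not a selector
        # Remaining legacy lines are 'FACILITY.PRIORITY  ACTION' selector rules.
        if len(tokens) >= 2 and ":" in head and "." not in head:
            res.findings.append(
                (no, f"selector '{head}' joins facility and priority with ':' instead of '.'"))
    return res


# Constructed sample modelled on the snippets quoted in the thread.
SAMPLE_CONF = """\
$MaxMessageSize 64k
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
InputTCPServerRun 514

local1:error                    /var/log/httpd.err
*.info;mail.none;authpriv.none  /var/log/messages
"""

if __name__ == "__main__":
    result = lint_rsyslog_conf(SAMPLE_CONF)
    for line_no, msg in result.findings:
        print(f"line {line_no}: {msg}")
    print("UDP listeners:", result.udp_ports or "none",
          "| TCP listeners:", result.tcp_ports or "none")
```

Run against the sample, the linter reports line 12 (the `$`-less directive) and line 14 (the `:` selector) and shows no active listener on either transport, which is exactly the state in which a firewall sending to UDP 514 gets "port unreachable" back.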
  • Author Daniel Beato

    dbeato



    pure capsaicin

  • Author Dan Hoffmann

    OP
    dhoff



    serrano

    This looks like good info — THANKS!

    netstat -tulpen | grep rsyslog – check if its listening on the right ports – 514?

    Netstat doesn’t return any syslog or 514.

    I do see under Analysis / Real-Time that the alientvault sensor is reporting on port 514

    SOURCEIP = alientvault:514


  • Author Daniel Beato

    dbeato

    pure capsaicin

    I am going to look back to my OSSIM as I don’t have it available but my sonicwalls were reporting to it without any problems.


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    Not sure if this helps, but:

    1. From the Fortigate, a packet sniffer shows data sending to Alientvault port 514

    2. From AlienVault, the tcpdump shows counts from Fortigate and port 514

    3. My /etc/rsyslog.d/fortigate.conf states to forward to /var/log/fortigate.log

    4. There is NO DATA in the fortigate.log file


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    Now 514 from the Firewall is unreachable again


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    Now 514 from the Firewall is unreachable again

    My fault — I ran the wrong command — my FW is sending out to AV server to port 514


  • Author Daniel Beato

    dbeato

    pure capsaicin

    Once changed it should be good then :)


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    Nope.  Basically I think my data is coming in but not being sent where it should be going.

    I most likely have some config somewhere incorrect.


  • Author Daniel Beato

    dbeato

    pure capsaicin

  • Author Dan Hoffmann

    OP
    dhoff



    serrano

    Thanks.  I bit the bullet and reloaded my OSSIM server.

    Good news is I see logs, but they are reporting now as too large:

    Non standard syslog message (size too large)

    Looking into this error now


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

  • Author Daniel Beato

    dbeato



    pure capsaicin

    Awesome!! Glad that it is working now.


  • Author Dan Hoffmann

    OP
    dhoff

    serrano

    Yes — thank you very much for all your assistance!


  • Author Daniel Beato

    dbeato

    pure capsaicin

    Glad to help!



Hi all,

I can’t figure out how to forward the logs of my Apache server through rsyslog to be stored in /var/log/httpd.err

My specs and configuration files:


[root@ ~]# hostnamectl status
   Static hostname: server2.example.com
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 73f72f1b4804441aae84e467521bc645
           Boot ID: 33965ae5922240c0977e9b4febf7eec8
    Virtualization: kvm
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-514.16.1.el7.x86_64
      Architecture: x86-64

httpd.conf:


[root@ ~]# grep "ErrorLog" /etc/httpd/conf/httpd.conf 
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
#ErrorLog "logs/error_log"
ErrorLog syslog:local1

rsyslog.conf rule:


[root@ log]# grep "local1.err" /etc/rsyslog.conf 
local1.error					/var/log/httpd.err

Apparently I’m doing something wrong because I can’t get local1 to forward content to httpd.err.
I’ve changed the line in rsyslog.conf to «local1:error» and I get:


May  9 12:10:07 server2 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="6017" x-info="http://www.rsyslog.com"] start
May  9 12:10:07 server2 rsyslogd-2184: action 'local1' treated as ':omusrmsg:local1' - please change syntax, 'local1' will not be supported in the future [try http://www.rsyslog.com/e/2184 ]
May  9 12:10:07 server2 rsyslogd-2207: error during parsing file /etc/rsyslog.conf, on or before line 75: invalid character ':' - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
May  9 12:10:07 server2 rsyslogd-2184: action 'error' treated as ':omusrmsg:error' - please change syntax, 'error' will not be supported in the future [try http://www.rsyslog.com/e/2184 ]

So I went back to «local1.error» because of line 75

I also updated rsyslog to:


[root@ log]# yum list installed | grep rsyslog
libgt.x86_64                         0.3.11-1.el7                    @rsyslog_v7
liblogging.x86_64                    1.0.4-1.el7                     @rsyslog_v7
rsyslog.x86_64                       7.6.7-1.el7                     @rsyslog_v7

And I finally even tried changing httpd.err log file permissions to g+rw,o+rw but nothing gets logged!!!

I tested with «http://localhost/nowhere» in my browser!!!

Any help will be appreciated.

Thanks!!!!
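The selector in the post above, `local1.error`, is legal in rsyslog's legacy syntax (`error` is an accepted alias for `err`), but it matches only messages at err or more severe, while `local1:error` is rejected because facility and priority must be joined with a dot. The block below is an added example, not part of the post or of rsyslog. It decodes the `<PRI>` header of a BSD-syslog message into facility and severity and evaluates legacy selectors against it, so you can see which of a set of constructed Apache-style messages a given rule would have written to `/var/log/httpd.err`. If the web server emits the request you are testing with at a severity below err, `local1.error` drops it silently; `local1.*` is the quick way to confirm that anything at all is arriving on the facility. The message samples are constructed; `decode_pri`, `selector_matches` and `route` are my names.

```python
"""Decode the <PRI> of a BSD-syslog (RFC 3164) message and evaluate legacy
rsyslog selectors ('local1.error', '*.info;local1.none', 'local1.=info')
against it.  Added example, not rsyslog code; the messages are constructed."""
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Aliases rsyslog accepts in legacy selectors.
SEVERITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(message: str):
    """Return (facility_name, severity_name); PRI = facility * 8 + severity."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> field")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    fac, sev = divmod(pri, 8)
    return FACILITIES.get(fac, f"facility{fac}"), SEVERITIES[sev]


def _severity_code(name: str) -> int:
    return SEVERITIES.index(SEVERITY_ALIASES.get(name, name))


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Evaluate a legacy selector the way rsyslog does: a plain priority means
    that level and anything more severe, '=' means exactly that level, 'none'
    drops the listed facilities, and later ';'-terms override earlier ones."""
    sev_code = _severity_code(severity)
    matched = False
    for term in selector.split(";"):
        fac_part, _, pri_part = term.strip().rpartition(".")
        facs = [f.strip() for f in fac_part.split(",")]
        if "*" not in facs and facility not in facs:
            continue
        if pri_part == "none":
            matched = False
        elif pri_part == "*":
            matched = True
        elif pri_part.startswith("="):
            matched = sev_code == _severity_code(pri_part[1:])
        else:
            matched = sev_code <= _severity_code(pri_part)
    return matched


def route(selector: str, messages):
    """Return the messages a 'SELECTOR /var/log/file' rule would write."""
    return [msg for msg in messages
            if selector_matches(selector, *decode_pri(msg))]


# Constructed messages in the shape 'ErrorLog syslog:local1' produces.
# <139> = local1.err, <142> = local1.info, <134> = local0.info.
SAMPLE_MESSAGES = [
    "<139>May  9 12:10:07 server2 httpd[6017]: [error] [client 127.0.0.1] constructed local1.err entry",
    "<142>May  9 12:10:08 server2 httpd[6017]: [info] [client 127.0.0.1] constructed local1.info entry",
    "<134>May  9 12:10:09 server2 cron[42]: constructed local0.info entry",
]

if __name__ == "__main__":
    for sel in ("local1.error", "local1.*", "*.info;local1.none"):
        hits = route(sel, SAMPLE_MESSAGES)
        print(f"{sel:22s} -> {len(hits)} of {len(SAMPLE_MESSAGES)} messages")
```

With these samples `local1.error` writes only the err-level entry, `local1.*` writes both httpd entries, and `*.info;local1.none` writes only the local0 line, which is the behaviour to keep in mind when a file stays empty even though tcpdump shows traffic arriving.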
