Hey! Has somebody using rsyslog to forward result ...
# fleetr
Rafael
02/03/2022, 3:03 PMHey! Has somebody using rsyslog to forward result logs to remote logging server? I’m using the following configuration in /etc/rsyslog.d/osquery.conf:
module(load=“imfile” mode=“inotify”)
input(type=“imfile”
File=“/var/log/osquery/result.log”
Tag=“fleet:”
PersistStateInterval=“300"
Severity=“info”
Facility=“local6"
)
if $programname == ‘fleet’ then @@ip_adress:518
The problem is that following configuration doesn’t work, however when I change protocol to udp (delete one @ symbol) everything works fine. Any ideas?
z
Zachary Winnerman
02/03/2022, 3:40 PMSorry for the kinda basic response, but are you sure the syslog reciever is listening on TCP? Considering that it works over UDP, this might be worth checking out.
Zachary Winnerman
02/03/2022, 3:46 PMIts quite common for syslog servers to listen on UDP instead of TCP.
r
Rafael
02/03/2022, 4:04 PM@Zachary Winnerman The rsyslog reciever is listening on TCP, and the port is open, i checked.
z
Zachary Winnerman
02/03/2022, 4:10 PMso curiously, is it listening on both TCP and UDP on the same port?
r
Rafael
02/03/2022, 4:13 PM@Zachary Winnerman no, I just checked that udp is working with tcpdump
z
Zachary Winnerman
02/03/2022, 4:15 PMAh, ok, so you will always see UDP packets transmitting regardless of if the other side is setup to receive them. Did you peek inside them to make sure that its sending the correct data curiously or just look at the headers?
Zachary Winnerman
02/03/2022, 4:18 PMConsidering that rsyslog is sending messages in UDP mode. It seems that rsyslog is configured correctly. I would look into the networking side next. Maybe a firewall is blocking traffic? This could be on either host with iptables or an appliance inbetween. I have no idea what your network looks like so sorry if this comes across as strange.
Zachary Winnerman
02/03/2022, 4:19 PMYou can get some additional information about whats going on by starting rsyslogd in your terminal with the
-d -n16 Views