Rsyslog RELP forwarding and custom port number problems

Source: Internet
Author: User
Tags: rsyslog

The rsyslog mechanism is very powerful, and scattered logs can be aggregated to a log server for ease of viewing and debugging. Installation is very simple:

shell> cd /etc/yum.repos.d/
shell> wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
shell> yum install rsyslog

CentOS 6.5 ships rsyslog 7.x by default; the Adiscon repo above provides the latest official version.

This post records an odd problem hit when configuring rsyslog with imrelp/omrelp. Many detours were taken along the way, and they are written down here for reference. Most Chinese-language documents about rsyslog copy each other and many are outdated, so it is best to read the English documentation directly. There is a lot of it, but doing so saves a great deal of trouble; use the Chinese material only for an overview of the principles.


However, after setting up omrelp forwarding as described on the official website, the server received no logs. The environment:


cat /etc/redhat-release
CentOS release 6.5 (Final)



On this release, with these repos enabled:

# ll /etc/yum.repos.d/
total 52
-rw-r--r--. 1 root  833 Jun 16 17:23 atomic.repo
-rw-r--r--. 1 root  833 Jun 16 16:53 atomic.repo.rpmsave
-rw-r--r--. 1 root 1926 Dec  1  2013 CentOS-Base.repo
-rw-r--r--. 1 root  638 Dec  1  2013 CentOS-Debuginfo.repo
-rw-r--r--. 1 root  630 Dec  1  2013 CentOS-Media.repo
-rw-r--r--. 1 root 4528 Dec  1  2013 CentOS-Vault.repo
-rw-r--r--. 1 root 4528 Jun 16 16:53 CentOS-Vault.repo.rpmsave
-rw-r--r--. 1 root  165 Jun 16 16:53 haodf.repo
-rw-r--r--. 1 root 1250 Jan 23 06:03 puppetlabs.repo
-rw-r--r--. 1 root  397 Jun 16 16:53 puppet.repo
-rw-r--r--. 1 root  227 Jun 25 18:36 rsyslog.repo


After the yum upgrade, rsyslog could not forward over RELP.




/etc/rsyslog.conf on the client:

module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  /var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
$ModLoad omrelp
local1.*   :omrelp:192.168.1.104:40888




/etc/rsyslog.conf on the server:

module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously done by rklogd)
module(load="imrelp")
input(type="imrelp" port="40888")
$umask 0000
$DirCreateMode 0750
$FileCreateMode 0750
$template MySelf, "%fromhost-ip% %$now% %timereported:12:23:date-rfc3339% %pri-text% %msg%\n"
$template DynaFile, "/home/avatar/logs/remote/%syslogtag:F,58:1%/%$YEAR%-%$MONTH%-%$DAY%.log"
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
local1.*  -?DynaFile;MySelf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  /var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log



After restarting, test with: logger -p local1.info -t /a "A3"
Nothing arrives on the server.

Capture on the client side: /usr/sbin/tcpdump -i eth1 -s 0 -l -w - dst port 40888 | strings. The client is sending nothing at all to port 40888;

Meanwhile, with Google blocked by the firewall, various proxies were used to look things up, many detours were taken, and many mailing-list threads from people who had hit this before were read. One sentence there was the reminder: strace is very helpful for finding the problem.

strace had been forgotten. Running strace -tt -s 500 -f -p <rsyslogd pid> -o strace.log gives output like: connect(6, {sa_family=AF_INET, sin_port=htons(xxxx), sin_addr=inet_addr("192.168.x.x")}, 16) = -1 EACCES (Permission denied)
This is the forwarding failing: the connect() to the remote port is denied with EACCES.

Searching further on EACCES (Permission denied) led to: http://help.papertrailapp.com/kb/configuration/troubleshooting-remote-syslog-reachability

  • Install: yum install policycoreutils-python;
  • semanage port --list lists all currently allowed ports and protocols; grep for 40888 and, of course, it is not there;
  • semanage port -a -t syslogd_port_t -p tcp 40888
  • semanage port --list | grep 40888 now shows that syslogd_port_t tcp 40888 exists;
  • /sbin/service rsyslog restart
  • logger -p local1.info -t /a "A3"
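The SELinux check above can be scripted so that the strace-level symptom (connect() denied with EACCES on a port that carries no syslogd_port_t label) is caught before rsyslog is restarted. This is an added example, not part of the original post or of rsyslog itself; the function names are my own and the semanage listing is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether SELinux will let
# rsyslogd use a TCP/UDP port, from the output of `semanage port -l`, and print
# the semanage command that fixes it. Function and variable names are my own.

# Constructed, abridged sample of `semanage port -l` output. On a real host feed
# the functions the live listing:  semanage port -l | check_rsyslog_port tcp 40888
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
amqp_port_t                    tcp      15672, 5671-5672
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
syslog_tls_port_t              tcp      6514
syslogd_port_t                 tcp      601
syslogd_port_t                 udp      514, 601'

# selinux_port_type PROTO PORT: reads a `semanage port -l` listing on stdin and
# prints the port type covering PROTO/PORT (handles "a, b, c-d" lists), or
# nothing if the port carries no label at all.
selinux_port_type() {
    awk -v proto="$1" -v port="$2" '
        NR > 1 && $2 == proto {
            rest = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", rest)   # drop type and proto
            n = split(rest, ports, ", *")
            for (i = 1; i <= n; i++) {
                if (split(ports[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
                else { lo = ports[i]; hi = ports[i] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; exit }
            }
        }'
}

# check_rsyslog_port PROTO PORT: rsyslogd runs as syslogd_t, which may only
# connect to or bind ports labelled syslogd_port_t; anything else produces the
# connect() EACCES seen in the strace output above.
check_rsyslog_port() {
    ptype=$(selinux_port_type "$1" "$2")
    case "$ptype" in
        syslogd_port_t) echo "ok: $1/$2 is labelled syslogd_port_t" ;;
        "")             echo "unlabelled: semanage port -a -t syslogd_port_t -p $1 $2" ;;
        *)              echo "conflict: $1/$2 is $ptype; semanage port -m -t syslogd_port_t -p $1 $2" ;;
    esac
}

# Demo on the constructed listing: 40888 (the post's custom RELP port) is
# unlabelled, 601 is already fine, 5671 belongs to amqp_port_t.
for p in 40888 601 5671; do
    printf '%s\n' "$SAMPLE_PORT_LIST" | check_rsyslog_port tcp "$p"
done
```

Run the same check on both client and server, since the client needs the outbound connect and the server the bind on the same labelled port.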

For details about rsyslog security, refer to http://wiki.rsyslog.com/index.php/Security

Introduction to the principles: http://huoding.com/2014/05/09/347

Reference: http://wiki.gentoo.org/wiki/Rsyslog
