Debian's rsyslogd & remote logging

So I’ve got the daemon running on all IPs of my Debian server

udp        0      0 0.0.0.0:514             0.0.0.0:*

I have the remote logging set up

[admin@dcomfap-rt01] /system logging> print
Flags: X - disabled, I - invalid
 #   TOPICS      ACTION   PREFIX
 0   info        memory
 1   error       memory
 2   warning     memory
 3   critical    echo
 4   error       remote   dcomfap...
     warning
     critical
     manager
     account

And the action setup on the /system logging action menu

[admin@dcomfap-rt01] /system logging action> print
Flags: * - default 
 #   NAME     TARGET   REMOTE
 0 * memory   memory
 1 * disk     disk
 2 * echo     echo
 3 * remote   remote   66.228.56.x

I’m not getting any traffic on the Debian server, and the log entries are flying by locally.

Since they’ve moved to rsyslogd in Debian, has anyone had any similar issues?

Having run tshark on the server, there is no traffic coming in from the routers, so I’m 99% sure that the traffic isn’t being generated at the router side.

What version are you running? Under 5.x I’ve found that I have to specify a src-address for the remote entry under “/system logging action” or it doesn’t send anything.

Yeah, I’m on 5.2

Trying that now!

 3 * name="remote" target=remote remote=66.228.56.x remote-port=514 src-address=173.12.150.x bsd-syslog=no syslog-facility=daemon syslog-severity=auto

That look about right?

No dice :(

I know the two communicate because SNMP polling is working fine. Ugh, how frustrating.

Can you please post the output of “/ip address print detail” and “/system logging export”? If that still looks good I guess it’s time for an official bug report.

[admin@dcomfap-rt01] /system logging action> /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     address=172.30.7.1/24 network=172.30.7.0 interface=ether2-local-master actual-interface=ether2-local-master 

 1   address=173.12.150.x/30 network=173.12.150.x interface=ether1-gateway actual-interface=ether1-gateway 

 2 D address=172.16.1.2/32 network=172.16.1.1 interface=pptp-out1 actual-interface=pptp-out1



# may/16/2011 16:31:17 by RouterOS 5.2
# software id = C9GJ-1G3X
#
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-file-count=2 disk-file-name=log disk-lines-per-file=100 disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote bsd-syslog=no name=remote remote=66.228.56.x remote-port=514 src-address=173.12.150.x syslog-facility=daemon syslog-severity=auto target=remote
/system logging
add action=remote disabled=no prefix=dcomfap-rt01 topics=info,error,warning,critical,account

Try making one entry per topic. Lists of topics are logical ANDs.

/system logging
remove [find]
add action=remote disabled=no prefix=dcomfap-rt01 topics=info
add action=remote disabled=no prefix=dcomfap-rt01 topics=error
add action=remote disabled=no prefix=dcomfap-rt01 topics=warning
add action=remote disabled=no prefix=dcomfap-rt01 topics=critical
add action=remote disabled=no prefix=dcomfap-rt01 topics=account

That did it. Thank you very much!

Was it bad practice to have a single rule for the remote, or was that a bug?

I think it has always been a logical AND, it’s not a bug.

Basically, many messages are subscribed to several topics at once. For example a lot of debug output is part of “debug” but also part of “packet”. The manual example is if you want detailed NTP debug output, but not too much, you can subscribe to “ntp,debug,!packet” - which means all log messages that are part of NTP and debug, but not on a packet level. So a list of topics isn’t really a list of all topics you’d like to see logged - it’s a list of topics a single log message must match in order to be logged to that target.
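The matching rule described in this thread, modelled as an added example (not part of any post and not RouterOS code): a rule fires only when a message carries every listed topic and none of the `!`-negated ones. The function names and the topic sets on the sample messages are constructed for illustration.

```python
# Added illustration of the topic matching described in the thread.
# This models the behaviour as the posts explain it; it is not RouterOS code.

def rule_matches(rule_topics, message_topics):
    """True if the message carries every positive topic and no negated one."""
    msg = set(message_topics)
    for term in rule_topics.split(","):
        term = term.strip()
        if not term:
            continue
        if term.startswith("!"):
            if term[1:] in msg:      # negated topic present: rule rejects
                return False
        elif term not in msg:        # required topic missing: rule rejects
            return False
    return True


def forwarded(rules, messages):
    """Texts of the messages that at least one rule would hand to its action."""
    return [m["text"] for m in messages
            if any(rule_matches(r, m["topics"]) for r in rules)]


# Constructed sample messages; the topic sets are assumptions.
SAMPLE = [
    {"text": "login failure for user admin", "topics": ["system", "error", "critical"]},
    {"text": "user admin logged in", "topics": ["system", "info", "account"]},
    {"text": "ntp packet dump", "topics": ["ntp", "debug", "packet"]},
    {"text": "ntp state change", "topics": ["ntp", "debug"]},
]

# The original single rule: a message would need all five topics at once.
SINGLE_RULE = ["info,error,warning,critical,account"]
# The fix from the thread: one rule per topic, so any one topic is enough.
SPLIT_RULES = ["info", "error", "warning", "critical", "account"]
# The manual's example quoted in the thread.
NTP_RULE = ["ntp,debug,!packet"]

if __name__ == "__main__":
    print("single rule :", forwarded(SINGLE_RULE, SAMPLE))
    print("split rules :", forwarded(SPLIT_RULES, SAMPLE))
    print("ntp rule    :", forwarded(NTP_RULE, SAMPLE))
```

With the single combined rule nothing is forwarded, which matches the silent remote syslog target seen earlier in the thread.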

Gotcha! Thanks