I have set up an rsyslog server (based on CentOS 6) that works fine with some remote hosts. But when I added a Cisco ASA firewall, it doesn't log its messages!
The rsyslog.conf is the following:
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
The configuration file is the following:
##RSYSLOG configuration file for Remote Logs
$FileCreateMode 0640
$template PerHostLog,"/var/log/remote/%HOSTNAME%.log"
if ($fromhost-ip startswith '10.1.5' or $fromhost-ip startswith '10.2.8') then -?PerHostLog
& ~
Is there anything wrong with those rules? tcpdump shows that messages from the 10.2.8.1 host reach the server, but syslog chooses to ignore them. Why?
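As an added example (not code from the question or from rsyslog): the rule's `startswith '10.1.5'` is a plain string-prefix comparison, so it also admits senders such as 10.1.50.x and 10.1.55.x. The script below models that comparison over constructed sample senders, lists the addresses accepted outside the intended /24 networks, and shows that a trailing dot in the prefix restores the intended match.

```python
import ipaddress

# Constructed sample datagrams: (source IP as rsyslog's $fromhost-ip, payload).
SAMPLE_MESSAGES = [
    ("10.1.5.20",   "<134>Jan 10 12:00:00 fw-a %ASA-6-302013: Built outbound TCP connection"),
    ("10.2.8.1",    "<134>Jan 10 12:00:01 fw-b %ASA-6-302014: Teardown TCP connection"),
    ("10.1.50.3",   "<13>Jan 10 12:00:02 other-host test message"),   # not in 10.1.5.0/24
    ("10.2.80.9",   "<13>Jan 10 12:00:03 other-host test message"),   # not in 10.2.8.0/24
    ("192.168.1.1", "<13>Jan 10 12:00:04 lan-host test message"),
]

# Prefixes exactly as written in the question's rule.
LOOSE_PREFIXES = ("10.1.5", "10.2.8")
# The same prefixes with a trailing dot, which is what the rule most likely intended.
STRICT_PREFIXES = ("10.1.5.", "10.2.8.")
# The intended networks in CIDR form, the unambiguous way to state them.
NETWORKS = [ipaddress.ip_network("10.1.5.0/24"), ipaddress.ip_network("10.2.8.0/24")]


def matches_startswith(ip, prefixes):
    """Model rsyslog's 'startswith' operator: a plain string-prefix test."""
    return any(ip.startswith(p) for p in prefixes)


def matches_network(ip):
    """What the rule was meant to express: membership in the two /24 networks."""
    return any(ipaddress.ip_address(ip) in net for net in NETWORKS)


def accepted_senders(messages, prefixes):
    """Source IPs whose messages the rule would write to the per-host log."""
    return [ip for ip, _ in messages if matches_startswith(ip, prefixes)]


def overmatched(messages, prefixes):
    """Senders accepted by the string filter but outside the intended networks."""
    return [ip for ip, _ in messages
            if matches_startswith(ip, prefixes) and not matches_network(ip)]


if __name__ == "__main__":
    print("accepted (as written):", accepted_senders(SAMPLE_MESSAGES, LOOSE_PREFIXES))
    print("outside intended /24s:", overmatched(SAMPLE_MESSAGES, LOOSE_PREFIXES))
    print("accepted (trailing dot):", accepted_senders(SAMPLE_MESSAGES, STRICT_PREFIXES))
```

The over-match matters for a per-host log directory: any host in the wider range gets its own file under /var/log/remote/ without being an intended sender.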
I solved it. It was a routing(!) error. The server could not reach the message originator, so the message was not processed by rsyslog... Go figure...
I was having the same issue: receiving logs from dozens of ASA devices but not from one specific one. tcpdump showed that the packets were arriving. My problem was that the kernel was filtering its packets. Solved by modifying these two keys in /etc/sysctl.conf:
I had to restart the server because sysctl -p was returning errors from a couple of keys that I didn't want to modify.
I do believe I have your answer:
http://www.rsyslog.com/doc/rsconf1_allowedsender.html
After reading enough of the documentation, I'd confirm that the messages are in fact getting received and then refining the filters/match rules.
Please do let me know if/how you get this fixed; you've definitely piqued my curiosity.
Good Luck.
I was having this exact same issue. It was even more confusing for me because not only did I know the information was making it to the server on port 514 via TCP (I used tcpdump to determine this), but I also telnetted to port 514, typed text, and saw it put in the appropriate log file as defined in /etc/rsyslog.conf. However, when the other machine on the network sent log information to port 514, it would not show up.
I tried everything here mentioned above and still it would not work. I had TCP port 514 opened on the interface that these two machines communicate on. Just on a hunch I modified my firewall to allow UDP port 514 as well and boom, it started working immediately.
My assumption here is that regular text immediately gets dumped into the file, no question. Text/data formatted by an rsyslog client is recognized and processed differently than plain text, and REQUIRES communication on port 514 UDP between the two machines on the network. This is not intuitive because the default (I'm using CentOS 7) /etc/rsyslog.conf file has two sections, one for UDP and one for TCP, both commented out, suggesting you have your choice of which to use. Apparently, both are required.
Just wanted to put this out there in case this trips up somebody else in the future. As stated above, it doesn't make sense that rsyslogd would have anything to communicate outbound to the host providing the log info to the server, but perhaps rsyslogd just makes sure the host is reachable and exists on the network via UDP before it processes a syslog-formatted string of data it just received.