<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: I have issue in rsyslog.conf file in UF server. in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393216#M95174</link>
    <description>&lt;P&gt;Hi @DavidHourani &lt;/P&gt;

&lt;P&gt;No, I didn't change any original configuration. I took a backup of the original rsyslog.conf, then copied and pasted it and modified this file (added new configuration). Now I have 10 port configurations in rsyslog.conf; if I add a new port, one old port that existed before is removed?&lt;/P&gt;

&lt;P&gt;Best Regards;&lt;BR /&gt;
Abdullah Al-Habbash.&lt;/P&gt;</description>
    <pubDate>Sun, 26 May 2019 12:58:08 GMT</pubDate>
    <dc:creator>aalhabbash1</dc:creator>
    <dc:date>2019-05-26T12:58:08Z</dc:date>
    <item>
      <title>I have issue in rsyslog.conf file in UF server.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393211#M95169</link>
      <description>&lt;P&gt;Hi Splunker;&lt;/P&gt;

&lt;P&gt;The issue is with the rsyslog.conf file. When I add a new configuration (port) in rsyslog.conf &lt;BR /&gt;
and then execute the (netstat -plnt | grep rsyslog) command, the first port that was added before is removed; and when I remove the newly added port and then execute the (netstat -plnt | grep rsyslog) command, the old port reappears. Why does that occur?&lt;/P&gt;

&lt;P&gt;Best Regards;&lt;/P&gt;

&lt;P&gt;Abdullah Al-Habbash&lt;/P&gt;</description>
      <pubDate>Sun, 26 May 2019 08:18:01 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393211#M95169</guid>
      <dc:creator>aalhabbash1</dc:creator>
      <dc:date>2019-05-26T08:18:01Z</dc:date>
    </item>
    <item>
      <title>Re: I have issue in rsyslog.conf file in UF server.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393212#M95170</link>
      <description>&lt;P&gt;Please post your rsyslog config so we can understand it better.&lt;/P&gt;</description>
      <pubDate>Sun, 26 May 2019 08:51:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393212#M95170</guid>
      <dc:creator>koshyk</dc:creator>
      <dc:date>2019-05-26T08:51:39Z</dc:date>
    </item>
    <item>
      <title>Re: I have issue in rsyslog.conf file in UF server.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393213#M95171</link>
      <description>&lt;P&gt;Hi koshyk;&lt;/P&gt;

&lt;P&gt;Kindly find below the content of the rsyslog.conf file:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# rsyslog configuration file
# note that most of this config file uses old-style format,
# because it is well-known AND quite suitable for simple cases
# like we have with the default config. For more advanced 
# things, RainerScript configuration is suggested.

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously done by rklogd)
#module(load"immark")  # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see &lt;A href="http://www.rsyslog.com/doc/imudp.html" target="test_blank"&gt;http://www.rsyslog.com/doc/imudp.html&lt;/A&gt;
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see &lt;A href="http://www.rsyslog.com/doc/imtcp.html" target="test_blank"&gt;http://www.rsyslog.com/doc/imtcp.html&lt;/A&gt;
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")


#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

######################################################
### UDP 1514 (Palo Alto Syslog HQ)                 ###
######################################################

$RuleSet remoteudp1514
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogPaloAltoHQUDP1514,"/data/syslog/security/paloalto/hq/%fromhost-ip%/Kaspersky_syslog.log"
*.* -?SyslogPaloAltoHQUDP1514

$InputUDPServerBindRuleset remoteudp1514
$UDPServerRun 1514
$PrivDropToUser splunk

######################################################
### UDP 1515 (Kaspersky Antivirus Syslog HQ)       ###
######################################################

#$RuleSet remoteudp1515
#$RulesetCreateMainQueue on # create ruleset-specific queue

#$template SyslogKasperskyHQUDP1515,"/data/syslog/security/kaspersky/hq/%fromhos#t-ip%/Kaspersky_syslog.log"
#*.* -?SyslogKasperskyHQUDP1515

#$InputUDPServerBindRuleset remoteudp1515
#$UDPServerRun 1515
#$PrivDropToUser splunk

######################################################
### UDP 1516 (Websense Proxy Activity  Syslog HQ)  ###
######################################################

$RuleSet remoteudp1516
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogWebsenseHQUDP1516,"/data/syslog/security/websense/hq/%fromhost-ip%/Websense_syslog.log"
*.* -?SyslogWebsenseHQUDP1516

$InputUDPServerBindRuleset remoteudp1516
$UDPServerRun 1516
$PrivDropToUser splunk


######################################################
### UDP 1517 (F5  Syslog HQ)                       ###
######################################################

$RuleSet remoteudp1517
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogF5HQUDP1517,"/data/syslog/security/f5/hq/%fromhost-ip%/F5_syslog.log"
*.* -?SyslogF5HQUDP1517

$InputUDPServerBindRuleset remoteudp1517
$UDPServerRun 1517
$PrivDropToUser splunk

######################################################
##    UDP 1518 (Infoblox  Syslog HQ)               ###
######################################################
#
$RuleSet remoteudp1518
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogInfobloxHQUDP1518,"/data/syslog/security/infoblox/hq/%fromhost-ip%/infoblox_syslog.log"
*.* -?SyslogInfobloxHQUDP1518

$InputUDPServerBindRuleset remoteudp1518
$UDPServerRun 1518
$PrivDropToUser splunk

######################################################
##    UDP 1519 (Websense  Syslog HQ)               ###
######################################################

#$RuleSet remoteudp1519
#$RulesetCreateMainQueue on # create ruleset-specific queue

#$template SyslogWebsenseHQUDP1519,"/data/syslog/security/websense/hq/%fromhost-ip%/websense_syslog.log"
#*.* -?SyslogWebsenseHQUDP1519

#$InputUDPServerBindRuleset remoteudp1519
#$UDPServerRun 1519
#$PrivDropToUser splunk

######################################################
##    UDP 1520 (Mailgatway  Syslog HQ)               ###
######################################################

#$RuleSet remoteudp1520
#$RulesetCreateMainQueue on # create ruleset-specific queue

#$template SyslogMailGetwayHQUDP1520,"/data/syslog/security/mailg/hq/%fromhost-ip%/mail_syslog.log"
#*.* -?SyslogMailGetwayHQUDP1520

#$InputUDPServerBindRuleset remoteudp1520
#$UDPServerRun 1520
#$PrivDropToUser splunk

######################################################
##    UDP 1521 (WAF F5  Syslog HQ)               ###
######################################################

#$RuleSet remoteudp1521
#$RulesetCreateMainQueue on # create ruleset-specific queue

#$template SyslogWAFF5HQUDP1521,"/data/syslog/security/waff5/hq/%fromhost-ip%/waf_f5.log"
#*.* -?SyslogWAFF5HQUDP1521

#$InputUDPServerBindRuleset remoteudp1521
#$UDPServerRun 1521
#$PrivDropToUser splunk

######################################################
##    UDP 1522 (ATA  Syslog HQ)               ###
######################################################

#$RuleSet remoteudp1522
#$RulesetCreateMainQueue on # create ruleset-specific queue

#$template SyslogATAHQUDP1522,"/data/syslog/security/ata/hq/%fromhost-ip%/ata_.log"
#*.* -?SyslogATAHQUDP1522

#$InputUDPServerBindRuleset remoteudp1522
#$UDPServerRun 1522
#$PrivDropToUser splunk

######################################################
##   UDP 514 (Network  Syslog)                     ###
######################################################

$RuleSet remoteudp514
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogMiscUDP514,"/data/syslog/network/misc/%fromhost-ip%/misc_syslog.log"
*.* -?SyslogMiscUDP514

$InputUDPServerBindRuleset remoteudp514
$UDPServerRun 514
$PrivDropToUser splunk


#################################################################
### TCP 1514 (Palo Alto Firewall/Trap Syslog HQ               ###
#################################################################

$RuleSet remotetcp1514
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogPaloAltoHQTCP1514,"/data/syslog/security/paloalto/hq/%fromhost-ip%/PA_syslog.log"
*.* -?SyslogPaloAltoHQTCP1514

$InputTCPServerBindRuleset remotetcp1514
$InputTCPServerRun 1514
$PrivDropToUser splunk

#################################################################
### TCP 1515 (Kaspersky Antivirus Syslog HQ                   ###
#################################################################

$RuleSet remotetcp1515
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogKasperskyHQTCP1515,"/data/syslog/security/kaspersky/hq/%fromhost-ip%/Kaspersky_syslog.log"
*.* -?SyslogKasperskyHQTCP1515

$InputTCPServerBindRuleset remotetcp1515
$InputTCPServerRun 1515
$PrivDropToUser splunk

#################################################################
### TCP 1516 (Websense Proxy Activity  Syslog HQ)             ###
#################################################################

$RuleSet remotetcp1516
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogWebsenseHQTCP1516,"/data/syslog/security/websense/hq/%fromhost-ip%/Websense_syslog.log"
*.* -?SyslogWebsenseHQTCP1516

$InputTCPServerBindRuleset remotetcp1516
$InputTCPServerRun 1516
$PrivDropToUser splunk

################################################################
## TCP 1517 (F5  Syslog HQ)                                  ###
################################################################

$RuleSet remotetcp1517
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogF5HQTCP1517,"/data/syslog/security/f5/hq/%fromhost-ip%/F5_syslog.log"
*.* -?SyslogF5HQTCP1517

$InputTCPServerBindRuleset remotetcp1517
$InputTCPServerRun 1517
$PrivDropToUser splunk

######################################################
##    TCP 1518 (Infoblox  Syslog HQ)               ###
######################################################

$RuleSet remotetcp1518
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogInfobloxHQTCP1518,"/data/syslog/security/infoblox/hq/%fromhost-ip%/infoblox_syslog.log"
*.* -?SyslogInfobloxHQTCP1518

$InputTCPServerBindRuleset remotetcp1518
$InputTCPServerRun 1518
$PrivDropToUser splunk

######################################################
##    TCP 1519 (Websense  Syslog HQ)               ###
######################################################

$RuleSet remotetcp1519
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogWebsenseHQTCP1519,"/data/syslog/security/websense/hq/%fromhost-ip%/websense_syslog.log"
*.* -?SyslogWebsenseHQTCP1519

$InputTCPServerBindRuleset remotetcp1519
$InputTCPServerRun 1519
$PrivDropToUser splunk

######################################################
##    TCP 1520 (MailGetway  Syslog HQ)               ###
######################################################

$RuleSet remotetcp1520
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogMailGetwayHQTCP1520,"/data/syslog/security/mailg/hq/%fromhost-ip%/mailg_syslog.log"
*.* -?SyslogMailGetwayHQTCP1520

$InputTCPServerBindRuleset remotetcp1520
$InputTCPServerRun 1520
$PrivDropToUser splunk

######################################################
##    TCP 1521 (WAF_F5  Syslog HQ)               ###
######################################################

$RuleSet remotetcp1521
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogWAFF5HQTCP1521,"/data/syslog/security/waff5/hq/%fromhost-ip%/waf_f5.log"
*.* -?SyslogWAFF5HQTCP1521

$InputTCPServerBindRuleset remotetcp1521
$InputTCPServerRun 1521
$PrivDropToUser splunk

######################################################
##    TCP 1522 (ATA  Syslog HQ)               ###
######################################################

$RuleSet remotetcp1522
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogATATCP1522,"/data/syslog/security/ata/hq/%fromhost-ip%/ata.log"
*.* -?SyslogATATCP1522

$InputTCPServerBindRuleset remotetcp1522
$InputTCPServerRun 1522
$PrivDropToUser splunk

######################################################
##    TCP 1523 (dlp Syslog HQ)               ###
######################################################

$RuleSet remotetcp1523
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogdlpTCP1523,"/data/syslog/security/dlp/hq/%fromhost-ip%/dlp.log"
*.* -?SyslogdlpTCP1523

$InputTCPServerBindRuleset remotetcp1523
$InputTCPServerRun 1523
$PrivDropToUser splunk

######################################################
##    TCP 1524 (AlienVault  Syslog HQ)               ###
######################################################

$RuleSet remotetcp1524
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogalienvaultTCP1524,"/data/syslog/security/alienvault/hq/%fromhost-ip%/alienvault.log"
*.* -?SyslogalienvaultTCP1524

$InputTCPServerBindRuleset remotetcp1524
$InputTCPServerRun 1524
$PrivDropToUser splunk

#################################################################
### TCP 1525 (Palo Alto Firewall/Trap Syslog HQ               ###
#################################################################

$RuleSet remotetcp1525
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogPaloAltoHQTCP1525,"/data/syslog/security/paloalto/hq/%fromhost-ip%/PA_syslog.log"
*.* -?SyslogPaloAltoHQTCP1525

$InputTCPServerBindRuleset remotetcp1525
$InputTCPServerRun 1525
$PrivDropToUser splunk


# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  /var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Sun, 26 May 2019 09:02:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393213#M95171</guid>
      <dc:creator>aalhabbash1</dc:creator>
      <dc:date>2019-05-26T09:02:16Z</dc:date>
    </item>
    <item>
      <title>Re: I have issue in rsyslog.conf file in UF server.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393214#M95172</link>
      <description>&lt;P&gt;Hi koshyk;&lt;BR /&gt;
The rsyslog.conf is as normal as any other rsyslog.conf, but my question is: is there a port limitation for the rsyslog.conf file or not, and why does that occur?&lt;/P&gt;

&lt;P&gt;Thank you.  &lt;/P&gt;</description>
      <pubDate>Sun, 26 May 2019 09:35:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393214#M95172</guid>
      <dc:creator>aalhabbash1</dc:creator>
      <dc:date>2019-05-26T09:35:47Z</dc:date>
    </item>
    <item>
      <title>Re: I have issue in rsyslog.conf file in UF server.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393215#M95173</link>
      <description>&lt;P&gt;Hi @aalhabbash1,&lt;/P&gt;

&lt;P&gt;Seems like you're changing the entire configuration file and removing the default 514 port. Make a configuration file in /etc/rsyslog.d/ instead to be sure you don't remove the original config.&lt;/P&gt;

&lt;P&gt;Cheers,&lt;BR /&gt;
David&lt;/P&gt;</description>
      <pubDate>Sun, 26 May 2019 11:56:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393215#M95173</guid>
      <dc:creator>DavidHourani</dc:creator>
      <dc:date>2019-05-26T11:56:55Z</dc:date>
    </item>
    <item>
      <title>Re: I have issue in rsyslog.conf file in UF server.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393216#M95174</link>
      <description>&lt;P&gt;Hi @DavidHourani &lt;/P&gt;

&lt;P&gt;No, I didn't change any original configuration. I took a backup of the original rsyslog.conf, then copied and pasted it and modified this file (added new configuration). Now I have 10 port configurations in rsyslog.conf; if I add a new port, one old port that existed before is removed?&lt;/P&gt;

&lt;P&gt;Best Regards;&lt;BR /&gt;
Abdullah Al-Habbash.&lt;/P&gt;</description>
      <pubDate>Sun, 26 May 2019 12:58:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393216#M95174</guid>
      <dc:creator>aalhabbash1</dc:creator>
      <dc:date>2019-05-26T12:58:08Z</dc:date>
    </item>
    <item>
      <title>Re: I have issue in rsyslog.conf file in UF server.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393217#M95175</link>
      <description>&lt;P&gt;Hi @aalhabbash1,&lt;/P&gt;

&lt;P&gt;I think the default limit is 20 ports not 10, so there should be no issues when you add more ports after 10. You can change that parameter by modifying the &lt;CODE&gt;MaxListeners&lt;/CODE&gt; setting. &lt;/P&gt;

&lt;P&gt;That's described here if you need more info:&lt;BR /&gt;
&lt;A href="https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html"&gt;https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Make sure you're using port number &amp;gt;1024 to avoid conflicts.&lt;/P&gt;

&lt;P&gt;Cheers,&lt;BR /&gt;
David&lt;/P&gt;</description>
      <pubDate>Sun, 26 May 2019 13:19:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393217#M95175</guid>
      <dc:creator>DavidHourani</dc:creator>
      <dc:date>2019-05-26T13:19:25Z</dc:date>
    </item>
    <item>
      <title>Re: I have issue in rsyslog.conf file in UF server.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393218#M95176</link>
      <description>&lt;P&gt;Your question is unclear. Can you elaborate a little more?&lt;/P&gt;</description>
      <pubDate>Sun, 26 May 2019 21:36:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393218#M95176</guid>
      <dc:creator>ashutoshab</dc:creator>
      <dc:date>2019-05-26T21:36:11Z</dc:date>
    </item>
    <item>
      <title>Re: I have issue in rsyslog.conf file in UF server.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393219#M95177</link>
      <description>&lt;P&gt;Thanks for the details.&lt;BR /&gt;
First of all, you need to split your rsyslog.conf as follows:&lt;BR /&gt;
rsyslog.conf  =&amp;gt; Don't add anything in this file. Just add a single line to load configs from &lt;CODE&gt;/etc/rsyslog.d/*.conf&lt;/CODE&gt;&lt;/P&gt;

&lt;P&gt;and in your &lt;CODE&gt;/etc/rsyslog.d/&lt;/CODE&gt;, you should put a modular template. Let's say the templates start with MY-.conf (e.g. MY-514.conf, MY-10518.conf, etc.)&lt;/P&gt;

&lt;P&gt;So please find an example. Add the line below to your original rsyslog.conf file. Revert back to the original version and add the line below before the default rules, if it's not there.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Then in &lt;CODE&gt;/etc/rsyslog.d/&lt;/CODE&gt; , put your configurations within  &lt;CODE&gt;MY-1520.conf&lt;/CODE&gt; for example&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;######################################################
##    TCP 1520 (MailGetway  Syslog HQ)             ###
######################################################

# Load the plain-TCP input module; the $InputPTCP* directives below need it
$ModLoad imptcp

$template SyslogMailGetwayHQTCP1520,"/data/syslog/security/mailg/hq/%fromhost-ip%/mailg_syslog.log"

$RuleSet remotetcp1520
$RulesetCreateMainQueue on # create ruleset-specific queue
*.*      ?SyslogMailGetwayHQTCP1520

# end of rules: discard the message so no later rule processes it
&amp;amp;                                            ~

$InputPTCPServerBindRuleset remotetcp1520
$InputPTCPServerRun 1520

######################################################
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Please see if the above rule works. Just put only this rule and restart rsyslogd &lt;/P&gt;

&lt;P&gt;I've changed a few things, like:&lt;BR /&gt;
- added PTCP (as it has better performance for rsyslog5 on Linux)&lt;BR /&gt;
- put a &lt;CODE&gt;&amp;amp; ~&lt;/CODE&gt; line for ending the rule&lt;BR /&gt;
- made the rules start after the template definition&lt;/P&gt;

&lt;P&gt;Please ensure you do this for ONLY one port before you load all configurations. Load them one by one to see how it goes.&lt;/P&gt;</description>
      <pubDate>Sun, 26 May 2019 23:23:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393219#M95177</guid>
      <dc:creator>koshyk</dc:creator>
      <dc:date>2019-05-26T23:23:55Z</dc:date>
    </item>
    <item>
      <title>Re: I have issue in rsyslog.conf file in UF server.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393220#M95178</link>
      <description>&lt;P&gt;Updated answer below&lt;/P&gt;</description>
      <pubDate>Sun, 26 May 2019 23:24:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393220#M95178</guid>
      <dc:creator>koshyk</dc:creator>
      <dc:date>2019-05-26T23:24:08Z</dc:date>
    </item>
    <item>
      <title>Re: I have issue in rsyslog.conf file in UF server.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393221#M95179</link>
      <description>&lt;P&gt;Hi @DavidHourani,&lt;/P&gt;

&lt;P&gt;You mean I must put ($InputTCPMaxListeners) in each port configuration before ($InputTCPServerRun 1514), as follows:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;### TCP 1514 (Palo Alto Firewall/Trap Syslog HQ               ###
#################################################################

$RuleSet remotetcp1514
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogPaloAltoHQTCP1514,"/data/syslog/security/paloalto/hq/%fromhost-ip%/PA_syslog.log"
*.* -?SyslogPaloAltoHQTCP1514

$InputTCPServerBindRuleset remotetcp1514
$InputTCPMaxSessions 30
$InputTCPServerRun 1514
$PrivDropToUser splunk

#################################################################
### TCP 1515 (Kaspersky Antivirus Syslog HQ                   ###
#################################################################

$RuleSet remotetcp1515
$RulesetCreateMainQueue on # create ruleset-specific queue

$template SyslogKasperskyHQTCP1515,"/data/syslog/security/kaspersky/hq/%fromhost-ip%/Kaspersky_syslog.log"
*.* -?SyslogKasperskyHQTCP1515

$InputTCPServerBindRuleset remotetcp1515
$InputTCPMaxSessions 30
$InputTCPServerRun 1515
$PrivDropToUser splunk
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Thank you for your interest.&lt;/P&gt;

&lt;P&gt;Best Regards;&lt;/P&gt;</description>
      <pubDate>Mon, 27 May 2019 08:54:35 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393221#M95179</guid>
      <dc:creator>aalhabbash1</dc:creator>
      <dc:date>2019-05-27T08:54:35Z</dc:date>
    </item>
    <item>
      <title>Re: I have issue in rsyslog.conf file in UF server.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393222#M95180</link>
      <description>&lt;P&gt;Hi @aalhabbash1,&lt;/P&gt;

&lt;P&gt;$InputTCPMaxListeners is a global parameter, so you only need to define it once. I would recommend you don't touch the rsyslog.conf, and use configs only in &lt;CODE&gt;/etc/rsyslog.d/&lt;/CODE&gt;. First configure a single port there, then add more and more, and see when you hit the limit.&lt;/P&gt;</description>
      <pubDate>Mon, 27 May 2019 09:14:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/I-have-issue-in-rsyslog-conf-file-in-UF-server/m-p/393222#M95180</guid>
      <dc:creator>DavidHourani</dc:creator>
      <dc:date>2019-05-27T09:14:32Z</dc:date>
    </item>
  </channel>
</rss>

