
Rsyslog not writing messages from Cisco switch

Blinky (New Member, joined Jun 21, 2023)
Evening all,

Wondering if anyone could help with an rsyslog issue I am having. I have rsyslog installed on an Ubuntu server; it is running, and UFW is allowing both UDP and TCP on port 514. The UFW log is showing traffic on port 514/udp from the firewall and allowing it through.

ufw.log
Code:
Jun 20 22:00:10 repperio kernel: [2437512.518818] [UFW ALLOW] IN=enp2s0 OUT= MAC=d0:17:c2:0f:e4:d7:90:eb:50:b5:92:85:08:00 SRC=10.0.0.1 DST=10.0.0.51 LEN=141 TOS=0x00 PREC=0x00 TTL=255 ID=60649 PROTO=UDP SPT=514 DPT=514 LEN=121
Jun 20 22:00:30 repperio kernel: [2437532.603473] [UFW ALLOW] IN=enp2s0 OUT= MAC=d0:17:c2:0f:e4:d7:90:eb:50:b5:92:85:08:00 SRC=10.0.0.1 DST=10.0.0.51 LEN=212 TOS=0x00 PREC=0x00 TTL=255 ID=62614 PROTO=UDP SPT=514 DPT=514 LEN=192
Jun 20 22:00:50 repperio kernel: [2437552.727716] [UFW ALLOW] IN=enp2s0 OUT= MAC=d0:17:c2:0f:e4:d7:90:eb:50:b5:92:85:08:00 SRC=10.0.0.1 DST=10.0.0.51 LEN=187 TOS=0x00 PREC=0x00 TTL=255 ID=53539 PROTO=UDP SPT=514 DPT=514 LEN=167
Jun 20 22:01:10 repperio kernel: [2437572.591261] [UFW ALLOW] IN=enp2s0 OUT= MAC=d0:17:c2:0f:e4:d7:90:eb:50:b5:92:85:08:00 SRC=10.0.0.1 DST=10.0.0.51 LEN=141 TOS=0x00 PREC=0x00 TTL=255 ID=35882 PROTO=UDP SPT=514 DPT=514 LEN=121
Jun 20 22:01:30 repperio kernel: [2437592.594044] [UFW ALLOW] IN=enp2s0 OUT= MAC=d0:17:c2:0f:e4:d7:90:eb:50:b5:92:85:08:00 SRC=10.0.0.1 DST=10.0.0.51 LEN=191 TOS=0x00 PREC=0x00 TTL=255 ID=46922 PROTO=UDP SPT=514 DPT=514 LEN=171

Running "tcpdump -A src 10.0.0.1" (the firewall being 10.0.0.1) shows the following:
Code:
20:08:59.638156 IP 10.0.0.1.syslog > 10.0.0.51.syslog: SYSLOG local0.info, length: 139
E..........*
...
..3........<134>Jun 21 2023 21:08:59: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.51/0 gaddr 10.0.0.1/0 laddr 10.0.0.1/0 type 3 code 13

20:08:59.724609 IP 10.0.0.1.syslog > 10.0.0.51.syslog: SYSLOG local0.debug, length: 113
E...........
...
..3.....y..<135>Jun 21 2023 21:08:59: %ASA-7-710005: UDP request discarded from 10.0.0.97/5353 to inside_2:224.0.0.251/5353

20:08:59.800245 IP 10.0.0.1.syslog > 10.0.0.51.syslog: SYSLOG local0.info, length: 159
E..........d
...
..3......-a<134>Jun 21 2023 21:08:59: %ASA-6-302016: Teardown UDP connection 3425664 for outside:185.125.190.57/123 to inside_2:10.0.0.60/53874 duration 0:02:01 bytes 96

20:08:59.818538 IP 10.0.0.1.syslog > 10.0.0.51.syslog: SYSLOG local0.info, length: 158
E.........!x
...
..3........<134>Jun 21 2023 21:08:59: %ASA-6-302016: Teardown UDP connection 3425653 for outside:91.189.91.157/123 to inside_2:10.0.0.60/56531 duration 0:02:01 bytes 96

20:08:59.818538 IP 10.0.0.1.syslog > 10.0.0.51.syslog: SYSLOG local0.info, length: 159
E..........I
...
..3......(e<134>Jun 21 2023 21:08:59: %ASA-6-302016: Teardown UDP connection 3425654 for outside:185.125.190.56/123 to inside_2:10.0.0.60/46299 duration 0:02:01 bytes 96

20:08:59.818538 IP 10.0.0.1.syslog > 10.0.0.51.syslog: SYSLOG local0.info, length: 159
E..........!
...
..3....../]<134>Jun 21 2023 21:08:59: %ASA-6-302016: Teardown UDP connection 3425657 for outside:185.125.190.58/123 to inside_2:10.0.0.60/54818 duration 0:02:01 bytes 96

From what I can tell, the syslog messages from the firewall are making it to the server.

This is the content of /etc/rsyslog.conf:
Code:
module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

#$AllowedSender UDP, 10.0.0.1
#$UDPServerRun 514


# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

$template RemoteLogs,"/var/log/remotelogs/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~


###########################
#### GLOBAL DIRECTIVES ####
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

The /var/log/remotelogs directory is owned by syslog:syslog. Can anyone tell me why the firewall syslog messages are not being written to a file?

Thanks in advance all.
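The captures in the post can be checked mechanically before touching the rsyslog config. The script below is an added example and is not part of the original post: it decodes the `<134>`/`<135>` PRI field of the captured payloads into the facility and severity that tcpdump printed (local0.info, local0.debug), which is exactly the selector an rsyslog filter would have to match, cross-checks the severity digit in the Cisco `%ASA-x-nnnnnn` tag against it, and parses the UFW lines to confirm an allowed UDP path to the listener address and port. The sample payloads and the UFW line are copied from the post; the function names and the facility names for codes 12-15 are this example's own choices.

```python
import re

# Facility codes 0-23 as numbered in RFC 5424 section 6.2.1 (rsyslog uses the
# same numbering; the names chosen here for codes 12-15 are approximations,
# since those facilities are rarely seen on Linux hosts).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample set: payloads and a UFW line copied from the post above.
SYSLOG_SAMPLES = [
    "<134>Jun 21 2023 21:08:59: %ASA-6-302021: Teardown ICMP connection for faddr 10.0.0.51/0 gaddr 10.0.0.1/0 laddr 10.0.0.1/0 type 3 code 13",
    "<135>Jun 21 2023 21:08:59: %ASA-7-710005: UDP request discarded from 10.0.0.97/5353 to inside_2:224.0.0.251/5353",
]
UFW_SAMPLES = [
    "Jun 20 22:00:10 repperio kernel: [2437512.518818] [UFW ALLOW] IN=enp2s0 OUT= MAC=d0:17:c2:0f:e4:d7:90:eb:50:b5:92:85:08:00 SRC=10.0.0.1 DST=10.0.0.51 LEN=141 TOS=0x00 PREC=0x00 TTL=255 ID=60649 PROTO=UDP SPT=514 DPT=514 LEN=121",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
ASA_RE = re.compile(r"%ASA-(\d)-(\d+)")
UFW_RE = re.compile(r"\[UFW (\w+)\]\s+(.*)$")


def decode_pri(pri: int) -> tuple:
    """Split a PRI value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range 0..191: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog_payload(payload: str) -> dict:
    """Decode one UDP syslog payload as captured by tcpdump -A.

    Returns facility/severity, the rsyslog selector that would match the
    message, and, for Cisco ASA messages, whether the severity digit in the
    %ASA-x-nnnnnn tag agrees with the PRI severity.
    """
    m = PRI_RE.match(payload)
    if not m:
        raise ValueError("payload does not start with a <PRI> field")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    result = {
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "selector": f"{facility}.{severity}",
        "body": m.group(2),
    }
    asa = ASA_RE.search(m.group(2))
    if asa:
        result["asa_severity"] = int(asa.group(1))
        result["asa_id"] = asa.group(2)
        result["asa_consistent"] = int(asa.group(1)) == pri % 8
    return result


def parse_ufw_line(line: str) -> dict:
    """Extract the verdict and key=value fields from a UFW kernel log line.

    UFW prints LEN twice (IP total length, then UDP length); the second one
    wins here, which is the UDP payload length plus the 8-byte UDP header.
    """
    m = UFW_RE.search(line)
    if not m:
        raise ValueError("not a UFW log line")
    fields = {"ACTION": m.group(1)}
    for key, value in re.findall(r"(\w+)=(\S*)", m.group(2)):
        fields[key] = value
    return fields


def udp_syslog_to_host(line: str, listener: str, port: str = "514") -> bool:
    """True if the UFW line records a UDP packet allowed through to listener:port."""
    f = parse_ufw_line(line)
    return (f["ACTION"] == "ALLOW" and f.get("PROTO") == "UDP"
            and f.get("DST") == listener and f.get("DPT") == port)


if __name__ == "__main__":
    for payload in SYSLOG_SAMPLES:
        r = parse_syslog_payload(payload)
        print(f"PRI {r['pri']:>3} -> {r['selector']:<14} ASA id {r.get('asa_id')} "
              f"severity tag consistent: {r.get('asa_consistent')}")
    for line in UFW_SAMPLES:
        print("allowed UDP to listener:", udp_syslog_to_host(line, "10.0.0.51"))
```

One thing the decoder makes visible is that the ASA payload's timestamp carries a year (`Jun 21 2023 21:08:59:`), so it is not in the `Mmm dd hh:mm:ss` form RFC 3164 describes. Before trusting a `%HOSTNAME%`/`%PROGRAMNAME%` path template on such input, it is worth seeing what rsyslog actually derives for those properties; writing a few of these messages through rsyslog's built-in `RSYSLOG_DebugFormat` template prints every parsed property, including the hostname and program name the dynamic file path would be built from.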