Hi,
I try to write the log file of my modem-router to /var/log/router.log but the file remains empty.
There is no firewall problem. And traffic is coming via UDP on port 514.
Code:
[]$ tcpdump -i enp0 udp port 514 and host router
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:02:38.829972 IP router.64165 > somebody.syslog: SYSLOG local0.critical, length: 134
13:02:40.536516 IP router.64166 > somebody.syslog: SYSLOG local0.critical, length: 133
13:02:44.444502 IP router.64167 > somebody.syslog: SYSLOG local0.critical, length: 139
Syslog server is running in udp mode on port 514:
Code:
[]$ss -nlup | egrep rsyslog
UNCONN 0 0 *:514 *:* users:(("rsyslogd",pid=2256,fd=4))
UNCONN 0 0 *:514 *:* users:(("rsyslogd",pid=2256,fd=5))
And my config file looks like the following:
Code:
[]$ cat /etc/rsyslog.conf
module(load="imudp")
input(type="imudp" port="514" ruleset="udp_rule")
ruleset(name="udp_rule"
queue.type="fixedArray"
queue.size="1048576"
queue.highwatermark="10"
queue.workerThreads="2"){
action(type="omfile"
file="/var/log/router.log"
ioBufferSize="64k"
flushOnTXEnd="off"
asyncWriting="on")
if $fromhost-ip startswith '1.1.1.' then /var/log/router.log
& ~
}
But the file /var/log/router.log does not have any content. What am I doing wrong?
I tried both actions (the if-statement and the action definition) but nothing is writing the tcpdump logs to /var/log/router.log. Why?
There's also no error in the journal.
