I have an Ubuntu 14.04 server with rsyslog running. The ruleset in 50-default.conf:
ruleset(name="eventlog"){
action(type="omfile" file="/var/log/eventlog.log")
}
ruleset(name="networklog"){
action(type="omfile" file="/var/log/networklog.log")
}
input(type="imudp" port="10514" ruleset="eventlog")
input(type="imudp" port="11514" ruleset="networklog")
The problem:
While 90% of the traffic destined to port 10514 gets written to the 'eventlog' about 10% still gets written to syslog. The ruleset should write ALL traffic to the eventlog.log file that is received on udp port 10514, correct?
Thanks!
Update: tcpdump does show the traffic arriving on port 10514 not 514
Update #2: The version is 7.4.4 and those are the only two rulesets. Traffic that doesn't apply to the ruleset is written to syslog correctly.
Update #3: Upgraded to the latest stable rsyslog. Changed config to:
ruleset(name="eventlog"){
*.* /var/log/eventlog.log
}
ruleset(name="networklog"){
*.* /var/log/networklog.log
}
input(type="imudp" port="10514" ruleset="eventlog")
input(type="imudp" port="11514" ruleset="networklog")
It's still writing about 90% to eventlog.log and about 10% to syslog. The traffic is definitely coming in on the right port, as there is no rhyme or reason to what gets written to syslog for the 'eventlog' traffic. I think it just can't keep up.
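A diagnostic for the behaviour described above, added here as an example and not code from the original post: it sends tagged probe messages to both imudp listeners, then counts how many reached the bound ruleset's file, how many fell through to /var/log/syslog, and how many were lost, alongside the kernel's UDP receive-buffer drop counter (a rise there means datagrams were dropped before rsyslog ever read them, which is the "can't keep up" case). It assumes the ports and log paths from the question, a util-linux `logger` that supports `-n`/`-P`/`-d`, and read access to the log files; the tag, COUNT and HOST values are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the question's ports and
# file paths; TAG/COUNT/HOST are constructed defaults.
set -eu

TAG="rsyslog-ruleset-probe"      # constructed tag marking our probe messages
COUNT="${COUNT:-1000}"           # probes per port
HOST="${HOST:-127.0.0.1}"        # address of the rsyslog host

# count_tag FILE PATTERN: lines in FILE containing PATTERN (0 when FILE is unreadable)
count_tag() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- "$2" "$1" || true   # grep -c prints 0 but exits 1 on no match
}

# pct PART TOTAL: integer percentage, 0 when TOTAL is 0
pct() {
    [ "$2" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# udp_rcvbuf_errors: RcvbufErrors counter from /proc/net/snmp (0 if unavailable)
udp_rcvbuf_errors() {
    v=$(awk '$1 == "Udp:" { if (!col) { for (i = 2; i <= NF; i++) if ($i == "RcvbufErrors") col = i }
                            else if (col) print $col }' /proc/net/snmp 2>/dev/null || true)
    echo "${v:-0}"
}

# send_probes PORT: COUNT UDP datagrams, each carrying the tag, port and sequence number
send_probes() {
    i=1
    while [ "$i" -le "$COUNT" ]; do
        logger -d -n "$HOST" -P "$1" -t "$TAG" "port=$1 seq=$i"
        i=$((i + 1))
    done
}

# report PORT FILE: where did the probes sent to PORT end up?
report() {
    sleep 2   # give rsyslog a moment to flush its queues to disk
    hit=$(count_tag "$2" "port=$1 ")
    leak=$(count_tag /var/log/syslog "port=$1 ")
    echo "port $1: $hit/$COUNT in $2 ($(pct "$hit" "$COUNT")%), $leak leaked to /var/log/syslog, $((COUNT - hit - leak)) lost"
}

if [ "${1:-}" = "run" ]; then          # ./probe.sh run
    before=$(udp_rcvbuf_errors)
    send_probes 10514; send_probes 11514
    report 10514 /var/log/eventlog.log
    report 11514 /var/log/networklog.log
    echo "UDP RcvbufErrors during run: $(( $(udp_rcvbuf_errors) - before ))"
fi
```

If the "lost" column grows together with RcvbufErrors, the kernel is dropping datagrams on the socket; if messages instead show up as "leaked", rsyslog received them but routed them outside the bound ruleset.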