rsyslog and named pipes?


James Lertora

Feb 27, 2014, 2:24:06 PM
to sagan...@googlegroups.com

I am using rsyslog on a RHEL 6.5 server.
 
The server is the central location for all network and system syslogs.

I currently have rsyslog set up using sec.

The current setup (snippets) from rsyslog.conf is as follows:


module(load="omprog")                 #Output module that hands messages to a program (sec.sh here); writing to a named pipe itself uses the built-in |/path action, no module needed
module(load="imudp")                  #udp module
input(type="imudp" port="514")        #udp port listening on for receiving syslogs

-----
#### Additions 2014 to enable log gathering of network nodes####
#Log to /varlog/remote for each device. Added 1/16/2014
#Call omprog to run sec.sh in order to grab remote syslog messages from pipes.

$template PerHostLog,"/varlog/remote/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log"
syslog action(type="omprog"
           binary="/usr/local/bin/sec.sh"
           template="RSYSLOG_TraditionalFileFormat")
if $fromhost-ip startswith 'xxx.xxx.' then -?PerHostLog
&~                                    #discard the matched message here, so no rule further down (including a *.* pipe action) sees it

The above works very well, no problems, but I thought I would share it in case it matters to SAGAN, and to show anyone else who might need a hand with using rsyslog as I am.


###Configuration for sagan
$template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%programname%|%msg%\n"
&~

### FIFO/named pipe location.
*.* |/var/run/sagan.fifo;sagan

The sagan configuration additions also seem to be working, but the only logs showing up with 'cat /var/run/sagan.fifo' are local logs. How can I get sagan to tap in the same way sec does?
Or is sagan getting the stream? If so, how can I verify it?


Thanks,

James

James Lertora

Mar 4, 2014, 9:43:25 AM
to sagan...@googlegroups.com

I figured out that if I put the sagan pieces above my existing output statements, sagan would then get the syslog stream. So sagan is getting everything, creating .u2 files and even getting alerts in the alert file.

Now it looks like there is some sort of formatting problem I am running into.

[W] [03/04/2014 09:22:51] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]
[W] [03/04/2014 09:22:51] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]
[W] [03/04/2014 09:22:51] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]
[W] [03/04/2014 09:22:51] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]
[W] [03/04/2014 09:22:51] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.50]
[W] [03/04/2014 09:22:51] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.78]
[W] [03/04/2014 09:22:51] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]
[W] [03/04/2014 09:22:51] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]
[W] [03/04/2014 09:22:51] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]
[W] [03/04/2014 09:22:51] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]
[W] [03/04/2014 09:22:51] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]
[W] [03/04/2014 09:22:52] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.40]
[W] [03/04/2014 09:22:52] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.11]
[W] [03/04/2014 09:22:52] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]
[W] [03/04/2014 09:22:52] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]
[W] [03/04/2014 09:22:52] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]
[W] [03/04/2014 09:22:52] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]
[W] [03/04/2014 09:22:52] - Sagan received a malformed 'message' [Syslog Host: 192.168.5.254]

I have played around with the template a bit, but all I get is different hosts showing up as malformed.

Here is a sample being sent to 192.168.5.254.

192.168.5.254|local7|info|info|45279235:|2014-03-04|09:35:18| Mar  4 09:35:18.195 EST: %SEC-6-IPACCESSLOGP: list ACL-IN denied udp x.x.x.x(24924) -> x.x.x.x(23609), 1 packet
192.168.5.254|local7|info|info|45279236:|2014-03-04|09:35:18| Mar  4 09:35:18.259 EST: %SEC-6-IPACCESSLOGP: list ACL-IN denied udp x.x.x.x(41254) -> x.x.x.x(33510), 1 packet
192.168.5.254|local7|info|info|45279237:|2014-03-04|09:35:18| Mar  4 09:35:18.299 EST: %SEC-6-IPACCESSLOGP: list ACL-IN denied udp x.x.x.x(16117) -> x.x.x.x(23609), 1 packet
192.168.5.254|local7|info|info|45279238:|2014-03-04|09:35:18| Mar  4 09:35:18.307 EST: %SEC-6-IPACCESSLOGP: list ACL-IN denied udp x.x.x.x(17216) -> x.x.x.x(23609), 1 packet

Any help will be appreciated.

-James


Here is the new rsyslog configuration:

#### GLOBAL DIRECTIVES ####

## Custom log format 3.3.14
# Eight pipe-delimited fields: host|facility|priority|severity|tag|date|time|msg.
# The %programname% field that sat between the time and %msg% in the earlier template is not included here.
$template sagan,"%fromhost-ip%|%syslogfacility-text%|%syslogpriority-text%|%syslogseverity-text%|%syslogtag%|%timegenerated:1:10:date-rfc3339%|%timegenerated:12:19:date-rfc3339%|%msg%\n"

# Default template for every file action (the stock RSYSLOG_TraditionalFileFormat line is commented out,
# so the sagan format is applied to the per-host files as well)
# $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileDefaultTemplate sagan

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf



### FIFO/named pipe location.
*.*   |/var/run/sagan.fifo;sagan


#### Additions 2014 to enable log gathering of network nodes####
#Log to /varlog/remote for each device. Added 1/16/2014
#Call omprog to run sec.sh in order to grab remote syslog messages from pipes.
$template PerHostLog,"/varlog/remote/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log"
syslog action(type="omprog"
           binary="/usr/local/bin/sec.sh"
           template="sagan")
if $fromhost-ip startswith '192.168.' then -?PerHostLog
&~
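An added check, not code from this thread or from the Sagan project, for the lines the sagan template above produces. Sagan's documented rsyslog template has nine pipe-delimited fields (host|facility|priority|severity|tag|date|time|program|msg); the template in this post leaves out %programname%, and the sample lines above carry eight fields, so the ninth field, the message, comes up empty. The script counts fields with awk on whatever is fed to it, from a file or from the FIFO. The sample lines are constructed from the sample in the post; the program-field value 45279235 in the second line is an assumed value for what %programname% would yield from the tag "45279235:".

```shell
#!/bin/sh
# Added example, not part of the thread or of Sagan: count the fields of lines
# written in the "sagan" rsyslog template. Sagan's documented template has nine
# pipe-delimited fields; a line with fewer leaves the last field (the message)
# empty, which is what the "malformed 'message'" warning above reports.

# Print each line that has fewer than nine '|'-separated fields, prefixed with
# its field count. Reads stdin so it can be fed from a file or from the FIFO.
# A '|' inside the message text raises the count above nine; that is not
# flagged here.
sagan_field_check() {
    awk -F'|' 'NF < 9 { printf "%d fields: %s\n", NF, $0 }'
}

# Number of short lines only; prints 0 when every line has nine or more fields.
sagan_short_count() {
    awk -F'|' 'NF < 9 { n++ } END { print n + 0 }'
}

# Constructed sample (assumption, modelled on the lines in the post): the first
# line is the eight-field output of the template that omits %programname%; the
# second carries an assumed %programname% value of 45279235 in the ninth slot.
SAMPLE='192.168.5.254|local7|info|info|45279235:|2014-03-04|09:35:18| Mar  4 09:35:18.195 EST: %SEC-6-IPACCESSLOGP: list ACL-IN denied udp x.x.x.x(24924) -> x.x.x.x(23609), 1 packet
192.168.5.254|local7|info|info|45279235:|2014-03-04|09:35:18|45279235| Mar  4 09:35:18.195 EST: %SEC-6-IPACCESSLOGP: list ACL-IN denied udp x.x.x.x(24924) -> x.x.x.x(23609), 1 packet'

# Run the check on the sample; only the first line is reported.
printf '%s\n' "$SAMPLE" | sagan_field_check

# Against the live pipe (assumes coreutils timeout(1)): read for five seconds
# and report. While cat reads the FIFO, sagan and cat share the lines between
# them, so sagan misses part of the stream for those seconds.
#   timeout 5 cat /var/run/sagan.fifo | sagan_field_check
```

Run it against the live FIFO only briefly, or with sagan stopped: two readers on one named pipe each receive a share of the lines, so whatever cat consumes never reaches sagan.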
