Bug 701579

Summary: rsyslog refuses to forward messages to the remote rsyslog server via UDP
Product: Red Hat Enterprise Linux 6
Reporter: Ondrej Valousek <ondrejv>
Component: rsyslog
Assignee: Tomas Heinrich <theinric>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 6.0
CC: pvrabec
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-05-04 07:59:09 UTC

Description Ondrej Valousek 2011-05-03 09:26:32 UTC
Simple configuration on the client:
*.* @loghost
produces on the server (loghost) only one single message:

2011-05-03T11:17:52+02:00 data rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="2292" x-info="http://www.rsyslog.com"] (re)start

No other syslog messages are forwarded to the server. If I run the client in the debug mode I can see that it does not even try to send anything.

Client (data) - RHEL-6
Server  (loghost) - RHEL-5.5

Comment 2 Tomas Heinrich 2011-05-03 15:42:51 UTC
(In reply to comment #0)

UDP forwarding seems to work for me.

Please note that if the configuration on the client really consists only of that one line, rsyslog doesn't have any source of messages. You need to load some input modules for the daemon to do anything useful, e.g.:
$ModLoad imuxsock.so # userspace logging
$ModLoad imklog.so # kernel logging

If that is not the whole configuration, can you please provide your rsyslog.conf files and the debug mode output?

In the debug mode, you should see lines like:
  7453.924901200:7f727b51f710: Called action, logging to builtin-fwd
  7453.924909973:7f727b51f710:  10.1.2.3:514/udp

You can try running tcpdump to see if the messages actually get sent:
  tcpdump -i <if> udp and host <loghost>

Be aware that the forwarded messages still retain their original facility, so they may end up in a different file than /var/log/messages. Therefore you would only see the startup message.

Comment 3 Ondrej Valousek 2011-05-04 07:31:14 UTC
Ooops - my bad. I have forgotten about the modules. Works fine with those two.
Sorry for wasting your time - please close this one...
Ondrej
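
The following is an added example, not part of the original bug comments or of rsyslog itself: a small checker for the condition diagnosed in Comment 2, a legacy-format configuration that has a forwarding rule but loads no input modules. The function name `audit`, the sample strings, and the simplified treatment of `#` as a comment marker are assumptions made for illustration.

```python
import re

MODLOAD = re.compile(r"^\$ModLoad\s+(\S+)")
# selector (facility.priority), then an action starting with @ (UDP) or @@ (TCP)
FORWARD = re.compile(r"^(\S*\.\S+)\s+(@@?)(\S+)$")
# Input modules named in the thread and what each one collects.
SOURCES = {"imuxsock": "userspace logging", "imklog": "kernel logging"}

def audit(conf_text):
    """Return (input_modules, forward_rules, warnings) for legacy-format config text."""
    inputs, forwards, warnings = [], [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        m = MODLOAD.match(line)
        if m:
            name = m.group(1)
            name = name[:-3] if name.endswith(".so") else name
            if name.startswith("im"):  # input modules carry the "im" prefix
                inputs.append(name)
            continue
        m = FORWARD.match(line)
        if m:
            selector, marker, target = m.groups()
            forwards.append((selector, "tcp" if marker == "@@" else "udp", target))
    if forwards and not inputs:
        warnings.append("forwarding rule present but no input module loaded: "
                        "rsyslog has no source of messages")
    elif forwards:
        for mod, what in SOURCES.items():
            if mod not in inputs:
                warnings.append(f"{mod} not loaded: no {what} will be forwarded")
    return inputs, forwards, warnings

# Constructed sample inputs: the reporter's one-line config, and the same
# line with the two modules from Comment 2 added.
BROKEN = "*.* @loghost\n"
FIXED = """\
$ModLoad imuxsock.so # userspace logging
$ModLoad imklog.so # kernel logging
*.* @loghost
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit(conf))
```
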