Gostaria de encaminhar ( rsyslog 8.4.2-1) todas as mensagens syslog para uma porta em 127.0.0.1. Para fazer isso, adicionei um arquivo em /etc/rsyslog.d/expose-42000.conf:
*.* @127.0.0.1:42000
Depois de reiniciar o rsyslog (sem mensagens de erro nos logs), tentei ouvir as mensagens recebidas:
netcat -u 127.0.0.1 42000
Não houve saída, apesar de ter mensagens aparecendo no formato /var/log/syslog.
Para ter certeza de que o arquivo está realmente incluído, executei rsyslogd no modo de depuração e vejo que a inclusão acontece:
# rsyslogd -dn
(...)
8836.556859167:main thread : requested to include config file '/etc/rsyslog.d/expose-42000.conf'
8836.556895084:main thread : config parser: pushed file /etc/rsyslog.d/expose-42000.conf on top of stack
Next token is token PRIFILT ()
Shifting token PRIFILT ()
Entering state 14
Reading a token: Next token is token LEGACY_ACTION ()
Shifting token LEGACY_ACTION ()
Entering state 12
Reducing stack by rule 35 (line 168):
$1 = token LEGACY_ACTION ()
8836.557893160:main thread : tried selector action for builtin:omfile: -2001
8836.557908388:main thread : tried selector action for builtin:ompipe: -2001
8836.557923233:main thread : tried selector action for builtin-shell: -2001
8836.558022055:main thread : tried selector action for builtin:omdiscard: -2001
8836.558038075:main thread : tried selector action for builtin:omfwd: 0
8836.558052488:main thread : Module builtin:omfwd processes this action.
8836.558136499:main thread : template: 'RSYSLOG_TraditionalForwardFormat' assigned
8836.558160039:main thread : action 1 queue: parameter dump:
8836.558174916:main thread : action 1 queue: queue.filename '[NONE]'
8836.558273542:main thread : action 1 queue: queue.size: 1000
8836.558288080:main thread : action 1 queue: queue.dequeuebatchsize: 16
8836.558302414:main thread : action 1 queue: queue.maxdiskspace: 0
8836.558368788:main thread : action 1 queue: queue.highwatermark: -1
8836.558384865:main thread : action 1 queue: queue.lowwatermark: -1
8836.558413762:main thread : action 1 queue: queue.fulldelaymark: -1
8836.558442666:main thread : action 1 queue: queue.lightdelaymark: -1
8836.558470770:main thread : action 1 queue: queue.discardmark: 980
8836.558552633:main thread : action 1 queue: queue.discardseverity: 8
8836.558594909:main thread : action 1 queue: queue.checkpointinterval: 0
8836.558608920:main thread : action 1 queue: queue.syncqueuefiles: 0
8836.558623042:main thread : action 1 queue: queue.type: 3 [Direct]
8836.558691335:main thread : action 1 queue: queue.workerthreads: 1
8836.558727077:main thread : action 1 queue: queue.timeoutshutdown: 0
8836.558741599:main thread : action 1 queue: queue.timeoutactioncompletion: 1000
8836.558827751:main thread : action 1 queue: queue.timeoutenqueue: 50
8836.558855694:main thread : action 1 queue: queue.timeoutworkerthreadshutdown: 60000
8836.558869846:main thread : action 1 queue: queue.workerthreadminimummessages: -1
8836.558884102:main thread : action 1 queue: queue.maxfilesize: 1048576
8836.558950182:main thread : action 1 queue: queue.saveonshutdown: 1
8836.558983020:main thread : action 1 queue: queue.dequeueslowdown: 0
8836.558997187:main thread : action 1 queue: queue.dequeuetimebegin: 0
8836.559011113:main thread : action 1 queue: queuedequeuetimend.: 25
8836.559025491:main thread : Action 0xb97a40: queue 0xb99120 created
-> $$ = nterm s_act ()
Stack now 0 1 14
Entering state 22
Reducing stack by rule 32 (line 164):
$1 = nterm s_act ()
-> $$ = nterm actlst ()
Stack now 0 1 14
Entering state 21
Reading a token: 8836.559386173:main thread : config parser: reached end of file /etc/rsyslog.d/expose-42000.conf
8836.559390418:main thread : config parser: resume parsing of file /etc/rsyslog.conf at line 51
(...)
Há algo que estou perdendo?
Acho que está tudo bem, mas seu uso do netcat.
Peguei sua alteração de configuração literalmente, executei syslogd -dn
Mas então eu corri isso:
E obtive os logs conforme o esperado.
-lé para ouvir. Seu comando estava tentando se conectar a uma porta UDP não aberta/de escuta.