We are trying to collect syslog from a RHEL 6.10 OS. It is an on-prem server. However, we don't see the correct logs in the tcpdump or in the osnix index.
The same syslog configuration works for AIX 5.3, AIX 6 and RHEL 8 as well.
Config file used for RHEL 6 and RHEL 8:
"# audit log
# rsyslog legacy syntax; the leading $ directives (and $InputRunFileMonitor, which activates the file monitor) are restored here in the standard imfile form
$ModLoad imfile   # Load the imfile input module
authpriv.* /var/log/secure
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
*.* @@receivinghostip:514"
Here's the tcpdump from the RHEL 6.10 server:
13:50:28.597040 IP (tos 0x0, ttl 60, id 27717, offset 0, flags [DF], proto TCP (6), length 60)
sendinghostname.44476 > receivinghostname.shell: Flags [S], cksum 0xd4bf (correct), seq 447763177, win 14600, options [mss 1460,sackOK,TS val 2717269676 ecr 0,nop,wscale 7], length 0
The raw data that was received initially for the RHEL 6 server:
RAWMSG=\xff\xf4\xff\xfd
PRI=13
MESSAGE=\xff\xf4\xff\xfd
The syslog-ng (version 2.40.0) is configured on a Splunk Heavy Forwarder and the logs collected are sent over to Splunk Cloud indexers via HEC.
Is this a compatibility issue between the OS version and syslog-ng?
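Added example (not part of the original post, and not code from rsyslog, syslog-ng or Splunk): a small Python decoder for the frames a TCP/514 syslog receiver hands to its parser. Two details in the post are worth checking mechanically. The bytes \xff\xf4\xff\xfd are Telnet IAC sequences (IAC IP = \xff\xf4, IAC DO = \xff\xfd), which is exactly what a `telnet host 514` connectivity test sends when the tester presses Ctrl-C, not an rsyslog message; and PRI=13 (user.notice) is the default priority a syslog-ng receiver assigns to a frame that carries no <PRI> header. Under the config above, forwarded audit lines should instead arrive with <182> (local6.info) and /var/log/secure lines with <86> (authpriv.info). The tcpdump line shows only a SYN toward port 514/tcp (tcpdump prints it as "shell" from /etc/services); a real forwarded message would be a later packet with a non-zero length. The sample frames below are constructed for this example.

```python
import re
from dataclasses import dataclass

# RFC 3164 facility/severity names; list index == numeric code
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "cron2", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

DEFAULT_PRI = 13   # user.notice: assigned when a frame has no usable <PRI>
TELNET_IAC = 0xFF  # "Interpret As Command": first byte of every Telnet negotiation


@dataclass
class Frame:
    kind: str        # "syslog", "telnet-negotiation" or "unknown"
    pri: int
    facility: str
    severity: str
    message: str


def pri_for(facility: str, severity: str) -> int:
    """PRI value a forwarder puts in <PRI> for a facility.severity pair."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri: int) -> tuple[str, str]:
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def classify_frame(raw: bytes) -> Frame:
    """Decide whether one received frame is syslog, Telnet noise, or something else."""
    if raw and raw[0] == TELNET_IAC:
        # A Telnet client probing the port: report the bytes as hex, default PRI
        fac, sev = decode_pri(DEFAULT_PRI)
        return Frame("telnet-negotiation", DEFAULT_PRI, fac, sev, raw.hex())
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = re.match(r"^<(\d{1,3})>(.*)$", text, re.S)
    if m and int(m.group(1)) <= 191:          # 23 facilities * 8 severities - 1
        pri = int(m.group(1))
        fac, sev = decode_pri(pri)
        return Frame("syslog", pri, fac, sev, m.group(2))
    fac, sev = decode_pri(DEFAULT_PRI)
    return Frame("unknown", DEFAULT_PRI, fac, sev, text)


# Constructed sample frames, as a receiver on tcp/514 would see them
SAMPLE_FRAMES = [
    b"\xff\xf4\xff\xfd",                                        # telnet test, Ctrl-C
    b"<182>Mar  1 13:50:28 sendinghostname tag_audit_log: type=USER_LOGIN msg=audit(1.0:1): res=success\n",
    b"<86>Mar  1 13:50:29 sendinghostname sshd[2201]: Accepted publickey for ops from 10.0.0.5\n",
    b"plain line with no PRI header\n",
]


def kinds(frames=SAMPLE_FRAMES) -> list[str]:
    """Classification of each frame, in order; handy for a quick sanity check."""
    return [classify_frame(f).kind for f in frames]


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        fr = classify_frame(f)
        print(f"{fr.kind:20} PRI={fr.pri:3} {fr.facility}.{fr.severity}  {fr.message[:50]}")
```

Run against a capture of the receiver's raw frames, a run of "telnet-negotiation" or "unknown" results with PRI 13 means the sender never delivered a syslog-formatted message, which points at the forwarder's configuration (for example an imfile monitor that was never activated) rather than at a syslog-ng parsing problem.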