Why is rsyslog not working right in OMV7?

Hey there

i´ve just created a new 7.X RC VM with OMV. All is going quit nice, besides it does not send any Logs to the remote Log-Server (Graylog 4.4).

Environment: Proxmox => VM (192.168.0.10) => OMV 7 => Docker => Graylog (SYSLOG TCP Input on 192.168.0.10:5140)

What i´ve done:

1. I activated remote Logging in the new nice WebUI with the same IP Address (192.168.0.10) TCP at Port 5140.

2. Checked with tcpdump port 5140 => 0 Packets.

3. Checked the Conf File:

GNU nano 7.2                                                                                     openmediavault-remote.conf
# This file is auto-generated by openmediavault (https://www.openmediavault.org)
# WARNING: Do not edit this file, your changes will get lost.
*.* @@192.168.0.10:5140

4. Checked systemctl status rsyslog getting:

Feb 26 11:03:22 omv-studio-server systemd[1]: Starting rsyslog.service - System Logging Service...
Feb 26 11:03:22 omv-studio-server rsyslogd[620277]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2302.0]
Feb 26 11:03:22 omv-studio-server systemd[1]: Started rsyslog.service - System Logging Service.
Feb 26 11:03:22 omv-studio-server rsyslogd[620277]: [origin software="rsyslogd" swVersion="8.2302.0" x-pid="620277" x-info="https://www.rsyslog.com"] start
Feb 26 11:03:22 omv-studio-server rsyslogd[620277]: cannot connect to 192.168.0.10:5140: Connection refused [v8.2302.0 try https://www.rsyslog.com/e/2027 ]

What am i missing?

Kind Regards

Arvid

Zitat von Krisbee

Debian 12 and so OMV 7 defaults to journald for logs so var/log/syslog does not exist. See for example: https://forums.debian.net/viewtopic.php?t=155049

Thanks for the link!

Does this corrolates to:

Feb 26 11:03:22 omv-studio-server rsyslogd[620277]: cannot connect to 192.168.0.10:5140: Connection refused [v8.2302.0 try https://www.rsyslog.com/e/2027 ]

?

I also debuged Rsyslog with the following result:

2447.008887958:main Q:Reg/w0  : rainerscript.c:     PROPFILT
2447.008971164:main Q:Reg/w0  : rainerscript.c:         Property.: 'msg'
2447.009066201:main Q:Reg/w0  : rainerscript.c:         Operation: 'regex'
2447.009183581:main Q:Reg/w0  : rainerscript.c:         Value....: 'pam_faillock(.*:auth): Consecutive login failures for user .* account temporarily locked'
2447.009283226:main Q:Reg/w0  : ruleset.c: Filter: check for property 'msg' (value ' cannot connect to 192.168.0.10:5140: Connection refused [v8.2302.0 try https://www.rsyslog.com/e/2027 ]') regex 'pam_faillock(.*:auth): Consecutive login failures for user .* account temporarily locked': FALSE
2447.009347184:main Q:Reg/w0  : ruleset.c: PROPFILT condition result is 0
2447.009383735:main Q:Reg/w0  : rainerscript.c:     ACTION 2 [builtin:omfwd:@@192.168.0.10:5140]
2447.009469616:main Q:Reg/w0  : ruleset.c: executing action 2

Zitat von Krisbee

You're right, I had my wires crossed. There should be nothing to do on OMV accept go to diagnostics/system-logs/remote and enter your details. But it looks like your docker graylog is on the same ip as the OMV host. Is this going to work without changing the /etc/rsyslog.conf file on OMV? Why not have graylog on a different ip?

I did´t assign one yet. And it gets a little complicated, so to say.

The host is OMV, Graylog is a Docker Container inside OMV. So the Graylog is in the host network with port binding at port 5140.

I thought about MacVlan or IP Aliases.. but thats all complicated stuff.

I think there should be an easy way?

Thank you very much for your help.

In the end it was not possible to find a solution, so i made up a new Docker-Compose file, with better matching versions of the toolset. And everything worked right out of the box. But i used port 1514. It worked right away over TCP with the OMV WebUi Config. Really nice.

But i disabled it, bc the stack is a really hardware intense one (+1.5G)

Now i´ll look at PLG-Stack

EDIT: PLG Stack worked out of the box. RSYSLOG Connection has to be in the right format. Like "RSYSLOG_SyslogProtocol23Format"

Maybe it will help someone with specific problems like i had:

(Processor without AVX => can´t use MongoDB 5 => can´t use Graylog)

Here is my working docker-compose.

services:
    # MongoDB: https://hub.docker.com/_/mongo/
    mongo:
      image: mongo:4.2
      networks:
        - graylog
      volumes:
        - mongo_data:/data/db        
    # Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/7.10/docker.html
    elasticsearch:
      image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
      volumes:
        - es_data:/usr/share/elasticsearch/data      
      environment:
        - http.host=0.0.0.0
        - transport.host=localhost
        - network.host=0.0.0.0
        - "ES_JAVA_OPTS=-Dlog4j2.formatMsgNoLookups=true -Xms512m -Xmx512m"
      ulimits:
        memlock:
          soft: -1
          hard: -1
      deploy:
        resources:
          limits:
            memory: 1g
      networks:
        - graylog
    # Graylog: https://hub.docker.com/r/graylog/graylog/
    graylog:
      image: graylog/graylog:4.3.0
      volumes:
        - graylog_data:/usr/share/graylog/data      
      environment:
        # CHANGE ME (must be at least 16 characters)!
        - GRAYLOG_PASSWORD_SECRET=XXXXX
        # Password: admin
        - GRAYLOG_ROOT_PASSWORD_SHA2=XXXX
        - GRAYLOG_HTTP_EXTERNAL_URI=http://192.168.0.10:9000/
      entrypoint: /usr/bin/tini -- wait-for-it elasticsearch:9200 --  /docker-entrypoint.sh
      networks:
        - graylog
      restart: always
      depends_on:
        - mongo
        - elasticsearch
      ports:
        - 5044:5044
        - 5044:5044/udp
        # Graylog web interface and REST API
        - 9000:9000
        # Syslog TCP
        - 1514:1514
        # Syslog UDP
        - 1514:1514/udp
        # GELF TCP
        - 12201:12201
        # GELF UDP
        - 12201:12201/udp
networks:
    graylog:
      driver: bridge
volumes:
  mongo_data:
    driver: local
  es_data:
    driver: local
  graylog_data:
    driver: local