
Red Hat OpenShift sends syslog to Sentinel, but it could not be imported

Hi All

We have an OpenShift platform and want to use Sentinel to collect events.

OpenShift has sent logs and I could use tcpdump to capture the packets.

But Sentinel SCC still could not generate an event source object, and no events have been processed to be searched.

The engineer says OpenShift refers to RFC3164 to configure the syslog parameters...

and with the same settings, the sent logs could be processed by Ubuntu's rsyslog server.

Has anyone had a similar experience, where tcpdump could capture the traffic but Sentinel could not import it?

Thanks!!

wencheng

  • 0  

    Have you checked with tcpdump on the sender side or on the Sentinel collector manager/server?

    Please post a sample UDP datagram captured on the Sentinel side.

    Have you set up a Sentinel Syslog UDP Event Source Server on port 2222?

  • 0 in reply to   

    Hi  

         

    This is the tcpdump sample log... I did create UDP 2222 on SCC and did run status -an|grep 2222 to check that the port has been opened.

      

  • 0   in reply to 

    I simulated your event in my lab with

    echo '<15> May 15 04:01:44 master.OCP: {"kind":"Event","apiVersion":"audit.k8s.io/v1"}' | socat -vu - udp-datagram:sentinel.example.com:1514

    and got the expected result:

    Do you have any host-based firewall on the Sentinel server?
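
A strict RFC 3164 layout check for one UDP payload taken from a capture on the Sentinel side, as an added example that is not part of the original thread and not Sentinel's own parsing. The function name `check_rfc3164` and the second sample are constructed for illustration, and a receiver may be more tolerant than this check.

```python
import re

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG, PRI = facility * 8 + severity
PRI_RE = re.compile(rb"^<(\d{1,3})>")
TS_RE = re.compile(
    rb"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    rb"( \d|\d\d) \d\d:\d\d:\d\d "
)

def check_rfc3164(datagram: bytes) -> dict:
    """Parse one UDP syslog payload strictly and list each layout deviation."""
    out = {"facility": None, "severity": None, "hostname": None, "deviations": []}
    if len(datagram) > 1024:  # RFC 3164 caps the whole packet at 1024 bytes
        out["deviations"].append("packet longer than 1024 bytes")
    m = PRI_RE.match(datagram)
    if not m:
        out["deviations"].append("no <PRI> at start of datagram")
        return out
    pri = int(m.group(1))
    if pri > 191:  # highest facility 23 * 8 + highest severity 7
        out["deviations"].append(f"PRI {pri} out of range 0-191")
    else:
        out["facility"], out["severity"] = divmod(pri, 8)
    rest = datagram[m.end():]
    stripped = rest.lstrip(b" ")
    if stripped != rest:
        out["deviations"].append("whitespace between <PRI> and TIMESTAMP")
    ts = TS_RE.match(stripped)
    if not ts:
        out["deviations"].append("TIMESTAMP is not 'Mmm dd hh:mm:ss'")
        return out
    host = stripped[ts.end():].split(b" ", 1)[0]
    if host:
        out["hostname"] = host.decode("ascii", "replace")
    else:
        out["deviations"].append("HOSTNAME missing after TIMESTAMP")
    return out

# Payload of the echo command posted in the thread (without the trailing newline)
PAGE_SAMPLE = b'<15> May 15 04:01:44 master.OCP: {"kind":"Event","apiVersion":"audit.k8s.io/v1"}'
# Constructed sample: single-digit day padded with a space, as RFC 3164 requires
CONSTRUCTED_SAMPLE = b"<13>May  5 04:01:44 master01 audit: constructed test message"

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        print(sample[:40], check_rfc3164(sample))
```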