I have a new Ubuntu server, and this is the rsyslog.conf. I cannot get the server to process the directives in /etc/rsyslog.d/ except for local processes. I use tcpdump to verify that there is a syslog flow coming into the server as well as loggen, but it only logs local events and I am baffled as to why.
ubuntu@syslog-server-vnic-primary:/etc/rsyslog.d$ sudo ss -plntu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=811,fd=12))
udp UNCONN 0 0 10.30.0.18%ens3:68 0.0.0.0:* users:(("systemd-network",pid=809,fd=15))
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=756,fd=5),("systemd",pid=1,fd=41))
udp UNCONN 0 0 10.30.0.18:123 0.0.0.0:* users:(("ntpd",pid=4875,fd=19))
udp UNCONN 0 0 127.0.0.1:123 0.0.0.0:* users:(("ntpd",pid=4875,fd=18))
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("ntpd",pid=4875,fd=17))
udp UNCONN 0 0 0.0.0.0:514 0.0.0.0:* users:(("rsyslogd",pid=247025,fd=5))
udp UNCONN 0 0 [::]:111 [::]:* users:(("rpcbind",pid=756,fd=7),("systemd",pid=1,fd=43))
udp UNCONN 0 0 [fe80::17ff:fe00:9608]%ens3:123 [::]:* users:(("ntpd",pid=4875,fd=21))
udp UNCONN 0 0 [::1]:123 [::]:* users:(("ntpd",pid=4875,fd=20))
udp UNCONN 0 0 [::]:123 [::]:* users:(("ntpd",pid=4875,fd=16))
udp UNCONN 0 0 [::]:514 [::]:* users:(("rsyslogd",pid=247025,fd=6))
-----Original Message-----
From: rsyslog <[email protected]> On Behalf Of Ricardo Esteves via rsyslog
Sent: Thursday, August 1, 2024 10:34 AM
To: [email protected]
Cc: Ricardo Esteves <[email protected]>
Subject: [rsyslog] rsyslog - imtcp - tls vs plaintext - too many tcp sessions
Hi,
We have several central syslog servers, and we are in the process of enabling
TLS for all syslog clients. We started in one of our less populated regions
with just QA hosts, and as soon as we enabled TLS for all QA hosts (350) we
started observing this error in the central syslog server:
rsyslogd: too many tcp sessions - dropping incoming request [v8.2102.0-13.el8 try https://www.rsyslog.com/e/2079 ]
I then did some tests in our lab and saw this behavior:
For syslog001 - imtcp (TLS)
From client1 I used loggen to simulate 1000 connections:
loggen -U -P -r 1 -I 300 --active-connections=1000 syslog001 6514
and started to see the "too many tcp sessions" message right away on
syslog001.
Also, watch -n5 "netstat -an | grep ip_client1 | wc -l" constantly showed 194
connections.
For syslog002 - imtcp (plain text)
From client1 I used loggen to simulate 1000 connections:
loggen -S -P -r 1 -I 300 --active-connections=1000 syslog002 514
No "too many tcp sessions" messages on syslog002,
and watch -n5 "netstat -an | grep ip_client1 | wc -l" constantly showed 1000
connections.
Seems imtcp in TLS mode enforces the MaxSessions and in plaintext doesn't?
If I want to enable TLS in our most populated region, which has +/- 13000 hosts,
do I need to set MaxSessions to a value bigger than 13000?
Best regards.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
rsyslog.conf
Description: rsyslog.conf

