Good morning,


I have merged the package definition for rsyslog-dtls which passed the
testbench last night finally:

https://github.com/rsyslog/rsyslog-pkg-rhel-centos/pull/150



Next time the daily packages are built, you should be able to install the DTLS
input/output modules by installing the rsyslog-dtls package.



Best regards,

Andre Lorbach

--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany
Ph. +49-9349-9298530
Geschäftsführer/President: Rainer Gerhards, Reg.-Gericht Mannheim, HRB 560610
Ust.-IDNr.: DE 81 22 04 622
Web: www.adiscon.com - Mail: [email protected]

Information regarding your data privacy policy can be found here:
https://www.adiscon.com/data-privacy-policy/



This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient or have received this e-mail in error please
notify the sender immediately and delete this e-mail. Any unauthorized
copying, disclosure or distribution of the material in this e-mail is
strictly forbidden.



*From:* Singh, Radesh <[email protected]>
*Sent:* Tuesday, 20 May 2025 13:40
*To:* [email protected]; Redbourne,Michael <[email protected]>; [email protected]
*Subject:* Re: [E] Re: imdtls module not found?



Andre,



Thank you for doing this. I’ll keep an eye on the issue and once installed
will let you know how it goes.



Shawn Singh

*From: *Andre Lorbach <[email protected]>
*Date: *Tuesday, May 20, 2025 at 03:02
*To: *Singh, Radesh <[email protected]>, Redbourne,Michael <[email protected]>, [email protected]
*Subject: *RE: [E] Re: imdtls module not found?

*This Message Is From an External Sender*

This message came from outside your organization.

Good morning,



To be honest, *imdtls* and *omdtls* are relatively new modules, and package
definitions for building a dedicated rsyslog-dtls package haven’t been
added yet.



That said, adding support for them should be straightforward on our
end—especially now that there seems to be interest in it. 😉



I’ve created an issue to track the addition of packaging support for these
modules here:

https://github.com/rsyslog/rsyslog-pkg-rhel-centos/issues/149



Once this is done, the daily RPM packages will start including these
modules automatically.



Best regards,

Andre Lorbach




*From:* Singh, Radesh <[email protected]>
*Sent:* Monday, 19 May 2025 21:34
*To:* Redbourne,Michael <[email protected]>; [email protected]; [email protected]
*Subject:* Re: [E] Re: imdtls module not found?



Michael,



That’s a good question. I don’t know that DTLS is supported by AMA. I’ve
been focused on the sender (client) -> receiver traffic being sent across a
secure channel and wanted to install AMA such that it will listen on the
receiver and just forward to Azure.



We currently use this approach for unencrypted traffic.



In this case, a new syslog server has been stood up by the Security Team.
They want to configure Azure Monitor Agent on the syslog receiver to
listen and have the AMA forward that traffic to Azure. If AMA doesn’t
support the traffic, I'm not sure what will get sent across. They will be
handling the setup of any DCRs they require. I just wanted to get the data
over to them.



Jumping back to imdtls not being installed with the rpm, any idea why it
wasn’t installed? Or if there is another package I should have installed?



Thanks,



Shawn Singh

*From: *Redbourne,Michael <[email protected]>
*Date: *Wednesday, May 14, 2025 at 19:54
*To: *Singh, Radesh <[email protected]>, [email protected], [email protected]
*Subject: *Re: [E] Re: imdtls module not found?


Hey,

I mean, check with the vendor if they'll support DTLS. If they do then it
shouldn't be an issue. As for imdtls missing, that I have no idea. Are you
using RHEL? It's possible RHEL (or derivatives) have not yet backported the
imdtls module from the public repos. Then again, I tried installing the
latest version directly from Adiscon's repo site and that didn't work
either.

@Andre: Do you know where Singh can find that imdtls module?


------------------------------

*From:* Singh, Radesh <[email protected]>
*Sent:* Thursday, May 15, 2025 3:31 AM
*To:* Redbourne,Michael <[email protected]>; [email protected]
*Subject:* Re: [E] Re: imdtls module not found?



CAUTION: The Sender is located Outside The Organization. Do not click links
or open attachments unless you recognize the sender and know the content is
safe.



Yes sir, the application is very sensitive to any type of latency so when
they log, they fire and forget.

This UDP requirement is what made the DTLS option appealing.



Shawn Singh

*From: *Redbourne,Michael <[email protected]>
*Date: *Wednesday, May 14, 2025 at 10:21
*To: *Singh, Radesh <[email protected]>, [email protected]
*Subject: *Re: [E] Re: imdtls module not found?


Yes. However, most vendors with some limited exceptions (Cisco Meraki comes
to mind) generally support TCP. Is there a specific reason they want to use
UDP? It's a lossy protocol and won't support encryption over UDP for pretty
much any log source supported by MS Sentinel.
------------------------------

*From:* Singh, Radesh <[email protected]>
*Sent:* Thursday, May 15, 2025 12:16 AM
*To:* Redbourne,Michael <[email protected]>; [email protected]
*Subject:* Re: [E] Re: imdtls module not found?






Small world! Thank you for the information.

Let me ask you this, the senders want to send over UDP, won’t imtcp/imptcp
require the traffic to be TCP?



Shawn Singh



*From: *Redbourne,Michael <[email protected]>
*Date: *Tuesday, May 13, 2025 at 17:59
*To: *Singh, Radesh <[email protected]>, [email protected]
*Subject: *Re: [E] Re: imdtls module not found?


Hey Shawn,

Right up my alley 😋. The vast majority of my servers are syslog collectors
for Microsoft Sentinel or their support servers.



The use case for DTLS is limited generally to extreme throughput
environments (e.g. over 100k EPS) where other "load balancers" are not
available (e.g. Kafka, AMQP, etc.) but something like F5's LTM is and
K3605 (myF5: https://my.f5.com/manage/s/article/K3605) is available. As a general
piece of information, industry support for DTLS is nearly non-existent.
That is the other reason that DTLS is so rare and niche to use. TLS
encrypted TCP generally has much broader vendor support with some
exceptions (Cisco Meraki comes to mind).



If you need to load both, I'd highly suggest using imtcp (dpt 6514) for
your encrypted logs and imptcp (dpt 514) for the unencrypted logs.

TLS-encrypted Config
----------------------------------------------
# stream driver and certificate files shared by every TLS-capable module
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/ssl/root_ca.pem"
    DefaultNetstreamDriverCertFile="/etc/ssl/rsyslog.pem"
    DefaultNetstreamDriverKeyFile="/etc/ssl/rsyslog.key"
)

# load TCP listener; Mode 1 = TLS, Authmode anon = encrypt the session
# without authenticating the client
module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.Authmode="anon"
)

# start up listener at port 6514
input(
    type="imtcp"
    port="6514"
)

Unencrypted Config
----------------------------------------------
[...]

module(load="imptcp")
input(type="imptcp" port="514")

[...]

Cheers,
Mike





*Michael Redbourne (he/him)*
*Senior Security Analyst*

*Office:* +1 (506) 606-0384
*Cell:* +61 04 2647 3071
*SOC:* 1-833-415-2424

www.bulletproofsi.com
Book a Meeting: https://outlook.office365.com/owa/calendar/[email protected]/bookings/

*Notes: Please be advised that I live in Sydney, Australia. My normal hours
are 8AM-5PM (Australia/Sydney). I allow 24-hour calendar bookings, but
bookings made outside of official working hours should be discussed with me
prior to booking.*
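
A small audit of the listener configuration in Michael's message above, written for this thread as an added example (it is not rsyslog tooling or Michael's code): it parses the global()/module()/input() statements with a deliberately simple regex, reports the imtcp/gtls listener because StreamDriver.Authmode="anon" encrypts the session without authenticating the sending peer, and shows the same listener with x509/name plus a PermittedPeer entry, which admits only senders whose certificate carries the named identity. The peer name sender.example.internal is a hypothetical placeholder, and the parser ignores RainerScript features the thread's snippet does not use (arrays, nested blocks, quoted # characters).

```python
import re

# Constructed sample (embedded so this runs offline): the gtls-secured imtcp
# listener and the plaintext imptcp listener as posted in the thread above.
SAMPLE_CONFIG = """
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/ssl/root_ca.pem"
       DefaultNetstreamDriverCertFile="/etc/ssl/rsyslog.pem"
       DefaultNetstreamDriverKeyFile="/etc/ssl/rsyslog.key")
# load TCP listener
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1"
       StreamDriver.Authmode="anon")
input(type="imtcp" port="6514")   # encrypted, but any client may connect
module(load="imptcp")
input(type="imptcp" port="514")   # plaintext
"""
# The same listener with peer authentication turned on; the peer name is a
# hypothetical placeholder, not a value from the thread.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    'StreamDriver.Authmode="anon"',
    'StreamDriver.AuthMode="x509/name" PermittedPeer=["sender.example.internal"]')

BLOCK_RE = re.compile(r"(\w+)\s*\(([^)]*)\)", re.S)   # statement( ... )
PARAM_RE = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')   # key="value"

def parse_blocks(text):
    """Yield (statement, {param: value}) for each global()/module()/input().
    rsyslog parameter names are case-insensitive, so keys are lowercased."""
    no_comments = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    for m in BLOCK_RE.finditer(no_comments):
        params = {k.lower(): v for k, v in PARAM_RE.findall(m.group(2))}
        yield m.group(1).lower(), params

def audit_listeners(text):
    """Return (port, finding) pairs: imtcp TLS listeners whose driver runs in
    anon mode (session encrypted, sender not authenticated) and any listener
    that accepts plaintext."""
    modules, findings = {}, []
    for stmt, p in parse_blocks(text):
        if stmt == "module" and "load" in p:
            modules[p["load"]] = p
        elif stmt == "input":
            kind, port = p.get("type"), p.get("port", "?")
            mod = modules.get(kind, {})
            # newer rsyslog versions allow per-input StreamDriver.* overrides,
            # so the input's own value wins over the module-level one
            mode = p.get("streamdriver.mode", mod.get("streamdriver.mode", "0"))
            auth = p.get("streamdriver.authmode", mod.get("streamdriver.authmode", "anon"))
            if kind == "imtcp" and mode == "1":
                if auth == "anon":
                    findings.append((port, "tls-without-peer-auth"))
            else:
                findings.append((port, "plaintext"))
    return findings
```

Running audit_listeners over SAMPLE_CONFIG reports both listeners; over HARDENED_CONFIG only the imptcp listener on 514 remains, which is the unencrypted path Michael keeps on purpose.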




------------------------------

*From:* Singh, Radesh <[email protected]>
*Sent:* Wednesday, May 14, 2025 2:53 AM
*To:* Redbourne,Michael <[email protected]>; [email protected]
*Subject:* Re: [E] Re: imdtls module not found?






Michael,



Thank you for your feedback.



The syslog server will be a centralized location where we’ll also have
Azure Monitoring Agent getting the logs and forwarding them to a
Log Analytics workspace.

The senders are going to be sending their logs over UDP. Since they’re
using UDP, I think a quick google turned up this option as a means to make
the traffic more secure.



The syslog server will be owned by our Security Team. I’m just trying to
test this out for them and see how well it works.



Shawn Singh



*From: *Redbourne,Michael <[email protected]>
*Date: *Tuesday, May 13, 2025 at 10:39
*To: *[email protected]
*Cc: *Singh, Radesh <[email protected]>
*Subject: *[E] Re: imdtls module not found?


Hey,

The imdtls module is relatively new and far less tested than something like
imtcp, for example. Why are you attempting to use the imdtls module? Its
use case is very niche, and I suspect there is probably a better solution
for you.

Cheers,
MR


------------------------------

*From:* rsyslog <[email protected]> on behalf of Singh, Radesh via rsyslog <[email protected]>
*Sent:* Wednesday, May 14, 2025 12:23 AM
*To:* [email protected]
*Cc:* Singh, Radesh <[email protected]>
*Subject:* Re: [rsyslog] imdtls module not found?





_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.

________________________________________
This e-mail communication (including any or all attachments) is intended
only for the use of the person or entity to which it is addressed and may
contain confidential and/or privileged material. If you are not the
intended recipient of this e-mail, any use, review, retransmission,
distribution, dissemination, copying, printing, or other use of, or taking
of any action in reliance upon this e-mail, is strictly prohibited. If you
have received this e-mail in error, please contact the sender and delete
the original and any copy of this e-mail and any printout thereof,
immediately. If you have any questions or concerns, please contact our
Customer Service Desk at 1-877-274-2349. Your co-operation is appreciated.

________________________________________

This email transmission and any accompanying attachments may contain CSX
privileged and confidential or business proprietary information intended
only for the use of the intended addressee. Any dissemination,
distribution, forwarding, copying, or action taken in reliance on the
contents of this email by anyone other than the intended recipient is
strictly prohibited. If you have received this email in error please
immediately delete it, destroy all copies, and notify the sender at the
above CSX email address.
