On 31.03.2021 16:11, Mariusz Kruk via rsyslog wrote:
While debugging completely different issue I noticed something strange
on one of my rsyslog installations.
It mostly receives data on RELP connection then sends it with omhttp
with TLS to HEC splunk input.
And everything seems to be working great but...
But after tcpdumping the traffic I noticed that sending from the
rsyslog to splunk works like that:
- SYN from rsyslog to splunk and typical 3-way handshake
- TLS negotiation with mutual authentication
- encrypted data from rsyslog (I assume that it's the HTTP request
with batch output action)
- some short burst of data from splunkĀ (I assume that's the server's
HTTP response)
- and here I'm getting a completely unexpected RST _from rsyslog's side_.
It's most peculiar because you'd typically expect either a keep-alive
and another HTTP transaction or a normally ACK/FIN-ished connection.
I will of course be digging into it myself. Will have to try to
recreate the setup in the lab since the production environment is way
too heavily used to turn on debugging. But has anyone encountered
something like that before? Or has any idea what can cause this?
Forgot to include the basic info :-)
The version in question is 8.2010 and the underlying OS is CentOS7 on
both sides of the connection.
Neither side reports any errors in logs.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
