Rsyslog can implement load balancing via ruleset (Ex: 
https://community.microfocus.com/cyberres/arcsight/f/arcsight-discussions/334766/using-rsyslog-to-load-balance-all-connectors-across-a-logger-pool).
Whether I complicate this with multiple rulesets in rsyslog, or complicate 
this with F5, it's sort of 50/50 on which is worse - in my opinion at least. We 
already have experience with F5, so we'd just be looking at managing two 
additional VMs. Bonus, we get formal support for it (albeit, paid).

Ideally none of this would be necessary, we'd just have an external LB to 2 
nodes (HA, Act/Pas) running rsyslog with the other vendor software on the same 
server. Unfortunately, the SIEM vendor isn't quite there yet.

-----Original Message-----
From: rsyslog <rsyslog-boun...@lists.adiscon.com> On Behalf Of Mariusz Kruk via 
rsyslog
Sent: Thursday, August 3, 2023 10:06 PM
To: rsyslog@lists.adiscon.com
Cc: Mariusz Kruk <k...@epsilon.eu.org>
Subject: Re: [rsyslog] DTLS Support with rsyslog

CAUTION: The Sender is located Outside The Organization. Do not click links or 
open attachments unless you recognize the sender and know the content is safe.


And why can't you use rsyslog to load-balance multiple outputs?

As far as I remember rsyslog doesn't have a built-in LB functionality but it 
can be implemented in a ruleset.

MK

On 3.08.2023 13:53, Redbourne,Michael via rsyslog wrote:
> Ah: Originally I'd seen this one:
> https://datatracker.ietf.org/doc/html/rfc6347
>
> You're probably referring to this one though >
> https://datatracker.ietf.org/doc/html/rfc6012, written by you & Cisco of course 😊
>
> Regardless, there's multiple issues with approaching DTLS Syslog. I sincerely 
> doubt DTLS Syslog is supported by the 'server' (sender), and evidently, it's 
> not supported by the client (rsyslog). I have a few other ideas on how to 
> handle our use case without DTLS, it's just going to be a pain to implement, 
> and might involve a variety of load balancers, or a lot more research with 
> rsyslog.
>
> At a very high level: We have a 'cloud device' (think: ZScaler, Cortex lake, 
> FortiAnalyzer via Cloud, etc) that's sending an average of 50k EPS. There's a 
> pool of 'backend' nodes that receive the data and forward it to a SIEM 
> (Splunk, etc), but each node in the backend pool is rate limited by the 
> vendor at 5,000 EPS. (These numbers are just examples.) In an n build, we 
> need 10 nodes in the pool. N+1 calls for 11 nodes, but realistically, we're 
> probably looking at 13 in this case, so we have redundancy and we're not 
> running them full tilt. With TCP, anything that hits the external LB is going 
> to be routed to the same server unless we can get the cloud service to open 
> multiple streams. (This is the ideal solution... Something we're talking to 
> that vendor about). If they can't do that, this gets far more complex, and is 
> something I'm going to have to mock up in a dev environment.
>
> The other solution being:
>
>                                                    / ---- TCP TLS RCV rsyslog 1 (act) UDP FWD ---- \
> Cloud Service ----> Ext Load Balancer -----VIP--->                                                   ----> Int F5s on K3605 ---> Backend Pool
>                                                    \ ---- TCP TLS RCV rsyslog 2 (pas) UDP FWD ---- /
>
> K3605 for context describes round-robin "per-packet" forwarding: 
> https://my.f5.com/manage/s/article/K3605. Useful for things like UDP-based 
> DNS, though in this case we're not expecting a response from syslog... 
> Anyways, I have some design work to do if the cloud service vendor tells me 
> they can't open multiple TCP streams to balance this out without the need for 
> external and internal NLBs.
>
> Thanks Rainer & David!
>
> -----Original Message-----
> From: Rainer Gerhards <rgerha...@hq.adiscon.com>
> Sent: Thursday, August 3, 2023 9:11 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: David Lang <da...@lang.hm>; Redbourne,Michael
> <michael.redbou...@bulletproofsi.com>
> Subject: Re: [rsyslog] DTLS Support with rsyslog
>
> actually, there is DTLS, which is "datagram tls" and there also is an RFC.
>
> So far, we had no real demand to implement it. My impression is that DTLS 
> syslog is largely unused.
>
> Rainer
>
> On Thu, 3 Aug 2023 at 12:07, Redbourne,Michael via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
>> Yeah, unfortunately that's what I expected. Thanks David.
>>
>> Cheers,
>> Mike
>> -----Original Message-----
>> From: David Lang <da...@lang.hm>
>> Sent: Thursday, August 3, 2023 8:03 PM
>> To: Redbourne,Michael via rsyslog <rsyslog@lists.adiscon.com>
>> Cc: Redbourne,Michael <michael.redbou...@bulletproofsi.com>
>> Subject: Re: [rsyslog] DTLS Support with rsyslog
>>
>> On Thu, 3 Aug 2023, Redbourne,Michael via rsyslog wrote:
>>
>>> I know rsyslog is using gnutls (default) with a recommendation for openssl 
>>> and has support for TLS-encrypted TCP connections. Does rsyslog support 
>>> TLS-encrypted UDP connections (specifically, inbound)?
>> No, TLS requires a stream of packets as the encryption for each packet 
>> changes based on the prior packets. UDP syslog has each packet handled 
>> completely independently, and packets can get reordered or dropped on the 
>> network before they are processed, so TLS really can't work.
>>
>> David Lang
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
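
The sizing argument in this thread, worked through as an added example (not part of any poster's message): it compares an L4 balancer that pins each TCP connection to one node with per-datagram round robin over UDP, using the thread's example numbers (50k EPS, 5,000 EPS per node, 13 nodes). The function names and the assumption that the sender spreads events evenly over its streams are hypothetical.

```python
from collections import Counter
from itertools import cycle

TOTAL_EPS = 50_000   # example rate from the thread
NODE_CAP = 5_000     # example per-node vendor limit from the thread
NODES = 13           # pool size the thread arrives at

def pinned_per_connection(streams, nodes=NODES, total=TOTAL_EPS):
    """TCP through an L4 balancer: a node is chosen once per connection."""
    assign = {}                      # stream id -> node, fixed for the connection's life
    next_node = cycle(range(nodes))
    load = Counter()
    for i in range(total):           # one second of traffic
        stream = i % streams         # assumption: events spread evenly over streams
        if stream not in assign:
            assign[stream] = next(next_node)
        load[assign[stream]] += 1
    return load

def round_robin_per_datagram(down=(), nodes=NODES, total=TOTAL_EPS):
    """UDP with per-packet round robin: a node is chosen for every datagram."""
    healthy = cycle(n for n in range(nodes) if n not in down)
    load = Counter()
    for _ in range(total):
        load[next(healthy)] += 1
    return load

def over_cap(load, cap=NODE_CAP):
    """Events per second above the per-node limit, summed over the pool."""
    return sum(max(0, eps - cap) for eps in load.values())

if __name__ == "__main__":
    cases = [
        ("1 TCP stream", pinned_per_connection(1)),
        ("13 TCP streams", pinned_per_connection(13)),
        ("UDP RR, all up", round_robin_per_datagram()),
        ("UDP RR, 3 down", round_robin_per_datagram(down={0, 1, 2})),
        ("UDP RR, 4 down", round_robin_per_datagram(down={0, 1, 2, 3})),
    ]
    for label, load in cases:
        print(f"{label:16} busiest={max(load.values()):6} over_cap={over_cap(load)}")
```

With a single stream the whole 50k lands on one node, while per-datagram round robin stays within the cap until a fourth node is lost.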