Ah: Originally I'd seen this one:
https://datatracker.ietf.org/doc/html/rfc6347
You're probably referring to this one though >
https://datatracker.ietf.org/doc/html/rfc6012, written by you & Cisco of course 😊
Regardless, there's multiple issues with approaching DTLS Syslog. I sincerely
doubt DTLS Syslog is supported by the 'server' (sender), and evidently, it's
not supported by the client (rsyslog). I have a few other ideas on how to
handle our use case without DTLS, it's just going to be a pain to implement,
and might involve a variety of load balancers, or a lot more research with
rsyslog.
At a very high level: We have a 'cloud device' (think: ZScaler, Cortex lake,
FortiAnalyzer via Cloud, etc) that's sending an average of 50k EPS. There's a
pool of 'backend' nodes that receive the data and forward it to a SIEM (Splunk,
etc), but each node in the backend pool is rate limited by the vendor at 5,000
EPS. (These numbers are just examples.) In an n build, we need 10 nodes in the
pool. N+1 calls for 11 nodes, but realistically, we're probably looking at 13
in this case, so we have redundancy and we're not running them full tilt. With
TCP, anything that hits the external LB is going to be routed to the same
server unless we can get the cloud service to open multiple streams. (This is
the ideal solution... Something we're talking to that vendor about). If they
can't do that, this gets far more complex, and is something I'm going to have
to mock up in a dev environment.
The other solution being:
                                        / ---- TCP TLS RCV rsyslog 1 (act) UDP FWD ---- \
Cloud Service ----> Ext Load Balancer -----VIP--->                                        ----> Int F5s on K3605 ---> Backend Pool
                                        \ ---- TCP TLS RCV rsyslog 2 (pas) UDP FWD ---- /
K3605 for context describes round-robin "per-packet" forwarding:
https://my.f5.com/manage/s/article/K3605. Useful for things like UDP-based DNS, though in
this case we're not expecting a response from syslog... Anyways, I have some design work
to do if the cloud service vendor tells me they can't open multiple TCP streams to
balance this out without the need for external and internal NLBs.
Thanks Rainer & David!
-----Original Message-----
From: Rainer Gerhards <rgerha...@hq.adiscon.com>
Sent: Thursday, August 3, 2023 9:11 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: David Lang <da...@lang.hm>; Redbourne,Michael
<michael.redbou...@bulletproofsi.com>
Subject: Re: [rsyslog] DTLS Support with rsyslog
actually, there is DTLS, which is "datagram tls" and there also is a RFC.
So far, we had no real demand to implement it. My impression is that DTLS
syslog is largely unused.
Rainer
On Thu, 3 Aug 2023 at 12:07, Redbourne,Michael via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
Yeah, unfortunately that's what I expected. Thanks David.
Cheers,
Mike
-----Original Message-----
From: David Lang <da...@lang.hm>
Sent: Thursday, August 3, 2023 8:03 PM
To: Redbourne,Michael via rsyslog <rsyslog@lists.adiscon.com>
Cc: Redbourne,Michael <michael.redbou...@bulletproofsi.com>
Subject: Re: [rsyslog] DTLS Support with rsyslog
On Thu, 3 Aug 2023, Redbourne,Michael via rsyslog wrote:
I know rsyslog is using gnutls (default) with a recommendation for openssl and
has support for TLS-encrypted TCP connections. Does rsyslog support
TLS-encrypted UDP connections (specifically, inbound)?
No, TLS requires a stream of packets as the encryption for each packet changes
based on the prior packets. UDP syslog has each packet handled completely
independently, and packets can get reordered or dropped on the network before
they are processed, so TLS really can't work.
David Lang
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
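An added illustration (not code from the thread or from rsyslog) of the record-layer difference behind the TLS-over-UDP exchange above: a TLS-style receiver checks each record against an implicit counter, so one lost datagram invalidates every later record, while DTLS (RFC 6347) carries epoch and sequence number in each record so records verify independently. The key, record layout and function names are simplified assumptions; only the MAC is modelled, not encryption.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-mac-key"  # constructed sample key, not a real secret

def _mac(seq: int, payload: bytes) -> bytes:
    # Like the TLS 1.2 MAC input: 64-bit sequence number, then the data.
    return hmac.new(KEY, struct.pack("!Q", seq) + payload, hashlib.sha256).digest()

def tls_seal(messages):
    """TLS-style: the sequence number is implicit and never sent on the wire."""
    return [p + _mac(seq, p) for seq, p in enumerate(messages)]

def tls_open(records):
    """Receiver counts records itself; loss or reordering desynchronises it."""
    out = []
    for expected_seq, rec in enumerate(records):
        payload, tag = rec[:-32], rec[-32:]
        if not hmac.compare_digest(tag, _mac(expected_seq, payload)):
            break  # real TLS raises bad_record_mac and tears the session down
        out.append(payload)
    return out

def dtls_seal(messages, epoch=1):
    """DTLS-style: 16-bit epoch + 48-bit sequence number travel in each record."""
    recs = []
    for seq, p in enumerate(messages):
        wire_seq = (epoch << 48) | seq
        recs.append(struct.pack("!Q", wire_seq) + p + _mac(wire_seq, p))
    return recs

def dtls_open(records):
    """Each record verifies alone; a set stands in for the anti-replay window."""
    seen, out = set(), []
    for rec in records:
        wire_seq = struct.unpack("!Q", rec[:8])[0]
        payload, tag = rec[8:-32], rec[-32:]
        if wire_seq in seen or not hmac.compare_digest(tag, _mac(wire_seq, payload)):
            continue  # replayed or invalid record: discard silently, keep going
        seen.add(wire_seq)
        out.append(payload)
    return out

# Constructed syslog lines standing in for individual UDP datagrams.
LOGS = [b"<134>fw1 allow tcp/443", b"<134>fw1 deny tcp/23", b"<134>fw1 allow udp/53"]

def lossy(records):
    """Simulate the network dropping the first datagram and swapping the rest."""
    return [records[2], records[1]]
```

With the constructed input, the TLS-style receiver recovers nothing once the first datagram is lost, while the DTLS-style receiver still accepts the two surviving records and ignores a replayed one.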