Hey Shawn,

Right up my alley. The vast majority of my servers are syslog collectors for Microsoft Sentinel or their support servers.
The use case for DTLS is limited generally to extreme throughput environments (e.g. over 100k EPS) where other "load balancers" are not available (e.g. Kafka, AMQP, etc.) but something like F5's LTM is and K3605 (myF5 <https://my.f5.com/manage/s/article/K3605>) is available.

As a general piece of information, industry support for DTLS is nearly* non-existent. That is the other reason that DTLS is so rare and niche to use. TLS-encrypted TCP generally has much broader vendor support, with some exceptions (Cisco Meraki comes to mind).

If you need to load both, I'd highly suggest using imtcp (dpt 6514) for your encrypted logs and imptcp (dpt 514) for the unencrypted logs.

TLS-encrypted Config
----------------------------------------------
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/ssl/root_ca.pem"
    DefaultNetstreamDriverCertFile="/etc/ssl/rsyslog.pem"
    DefaultNetstreamDriverKeyFile="/etc/ssl/rsyslog.key"
)

# load TCP listener
module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.Authmode="anon"
)

# start up listener at port 6514
input(
    type="imtcp"
    port="6514"
)

Unencrypted Config
----------------------------------------------
[...]
module(load="imptcp")
input(type="imptcp" port="514")
[...]

Cheers,
Mike

Michael Redbourne (he/him)
Senior Security Analyst
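Added example (not part of Mike's message and not the rsyslog project's own documentation): with StreamDriver.Authmode="anon" the listener on 6514 encrypts the session but does not check who the client is. The variant below requires each sender to present a certificate issued by the configured CA whose name matches a permitted peer, and shows the matching sender side. The host names and the sender's certificate paths are placeholders; the collector's file paths are the ones from the message.

```conf
# ---- collector: /etc/rsyslog.d/tls-listener.conf (file name is a placeholder) ----
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/ssl/root_ca.pem"
    DefaultNetstreamDriverCertFile="/etc/ssl/rsyslog.pem"
    DefaultNetstreamDriverKeyFile="/etc/ssl/rsyslog.key"
)

module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"                 # 1 = TLS-only listener
    StreamDriver.AuthMode="x509/name"     # verify the client certificate and its name
    # Only certificates whose subject name matches are accepted.
    # "*.senders.example.net" is a placeholder for your senders' names.
    PermittedPeer=["*.senders.example.net"]
)

input(type="imtcp" port="6514")

# ---- sender: /etc/rsyslog.d/forward-tls.conf (file name is a placeholder) ----
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/ssl/root_ca.pem"
    # Client certificate and key presented to the collector (placeholder paths)
    DefaultNetstreamDriverCertFile="/etc/ssl/sender.pem"
    DefaultNetstreamDriverKeyFile="/etc/ssl/sender.key"
)

action(
    type="omfwd"
    target="collector.example.net"        # placeholder collector host name
    port="6514"
    protocol="tcp"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"      # sender also verifies the collector's name
    StreamDriverPermittedPeers="collector.example.net"
)
```

Devices that can only emit plain UDP or TCP syslog cannot use this listener directly and still need an unencrypted input such as the imptcp one in the message.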
________________________________
From: Singh, Radesh <radesh_si...@csx.com>
Sent: Wednesday, May 14, 2025 2:53 AM
To: Redbourne,Michael <michael.redbou...@bulletproofsi.com>; rsyslog@lists.adiscon.com <rsyslog@lists.adiscon.com>
Subject: Re: [E] Re: imdtls module not found?

Michael,

Thank you for your feedback. The syslog server will be a centralized location where we'll also have Azure Monitoring Agent getting the logs and forwarding to a LogAnalytics workspace. The senders are going to be sending their logs over UDP. Since they're using UDP, I think a quick google turned up this option as a means to make the traffic more secure. The syslog server will be owned by our Security Team. I'm just trying to test this out for them and see how well it works.

Shawn Singh

From: Redbourne,Michael <michael.redbou...@bulletproofsi.com>
Date: Tuesday, May 13, 2025 at 10:39
To: rsyslog@lists.adiscon.com <rsyslog@lists.adiscon.com>
Cc: Singh, Radesh <radesh_si...@csx.com>
Subject: [E] Re: imdtls module not found?

Hey,

The imdtls module is relatively new and far less tested than something like imtcp, for example. Why are you attempting to use the imdtls module? Its use case is very niche, and I suspect there is probably a better solution for you.

Cheers,
MR
________________________________
From: rsyslog <rsyslog-boun...@lists.adiscon.com> on behalf of Singh, Radesh via rsyslog <rsyslog@lists.adiscon.com>
Sent: Wednesday, May 14, 2025 12:23 AM
To: rsyslog@lists.adiscon.com <rsyslog@lists.adiscon.com>
Cc: Singh, Radesh <radesh_si...@csx.com>
Subject: Re: [rsyslog] imdtls module not found?
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.