Lang
Cc: John Chivian, rsyslog-users
Subject: RE: [rsyslog] Basic Rsyslog Troubleshooting
I can probably put some thoughts down...
I will admit that I was finally able to prove it wasn't rsyslog/OS by using a syslog
stress/testing tool called "loggen"... Used it to repl
Subject: RE: [rsyslog] Basic Rsyslog Troubleshooting
rsyslog documentation suffers from being written by people too close to its
development (too many assumptions baked in), given the troubleshooting exercise
that you just went through, would it be reasonable for
help the next person?
David Lang
On Wed, 11 May 2022, Steven D wrote:
Date: Wed, 11 May 2022 22:56:38 +
From: Steven D
To: John Chivian, rsyslog-users
Cc: David Lang
Subject: RE: [rsyslog] Basic Rsyslog Troubleshooting
Wanted to circle back around to this topic for a closure update
Subject: Re: [rsyslog] Basic Rsyslog Troubleshooting
I second David's thought to switch to imptcp. It is designed for plain TCP
performance.
I would also like to say that I previously thought having rsyslog write to a
file for a SIEM’s agent ingestion was a bad idea. Genera
> To: Steven D
> Cc: David Lang ; rsyslog-users
> Subject: Re: [rsyslog] Basic Rsyslog Troubleshooting
>
> that looks pretty good to me, if it's still running slow, I would look at the
> threads in top to see what their utilization is, and try the imptcp vs imtcp
> and
From: David Lang
Sent: Tuesday, April 26, 2022 10:23 AM
To: Steven D
Cc: David Lang ; rsyslog-users
Subject: Re: [rsyslog] Basic Rsyslog Troubleshooting
e running a separate rsyslog instance
for that input and ruleset)
David Lang
On Tue, 26 Apr 2022, Steven D wrote:
Date: Tue, 26 Apr 2022 14:12:36 +
From: Steven D
To: David Lang
Cc: rsyslog-users
Subject: Re: [rsyslog] Basic Rsyslog Troubleshooting
Good link thanks for that Lack
Date: Tue, 26 Apr 2022 11:00:16 +
From: Steven D
To: David Lang , rsyslog-users
Subject: Re: [rsyslog] Basic Rsyslog Troubleshooting
Here's most recent few rotations of pstats data, any additional input would be
appreciated.
With the keepalives set, TCP connections don
Glad there are other SIEM jockeys on here... haha.
From: rsyslog on behalf of Mariusz Kruk via rsyslog
Sent: Monday, April 25, 2022 9:08 AM
To: David Lang
Cc: Mariusz Kruk ; Mariusz Kruk via rsyslog
Subject: Re: [rsyslog] Basic Rsyslog Troubleshooting
On 25.04.2022 15:04, David Lang wrote:
> > ruleset(name="firewall_rule") {
> > action(type="omfile"
> > FileCreateMode="0744"
> > DirCreateMode="0755"
> > FileOwner="loguser"
> > FileGroup="loguser"
> > DirOwner
Sure. I work with them, I know ;-)
It's just that for some, you can do the same but using rsyslog to
process the message (even filter some events out or trim them or do many
other fancy stuff) and send them directly to SIEM (by means of native
SIEM API, not by syslog)
instead of killing the s
Also, since most SIEM tools are rather pricy, and price based on the volume of
logs, sending the logs to a syslog server lets you have the option of saving all
the logs, but only ingesting a portion of the logs into the SIEM (but retaining
the ability to import them all if needed)
with the pri
needs, random app owner audit need, etc.
From: rsyslog on behalf of David Lang via rsyslog
Sent: Monday, April 25, 2022 1:35 AM
To: Mariusz Kruk via rsyslog
Cc: David Lang
Subject: Re: [rsyslog] Basic Rsyslog Troubleshooting
On Mon, 25 Apr 2022, Mariusz Kruk via rsyslog wrote:
As a slightly unrelated side question - what is this SIEM you're gonna read
the files with and send the events to? Can't you use some solution to send
events directly to SIEM, without intermediate files?
As surprising as it seems, a lot of
From: David Lang
Date: 4/24/22 8:21 PM (GMT-05:00)
To: Steven D
Cc: David Lang , Steven D via rsyslog
Subject: Re: [rsyslog] Basic Rsyslog Troubleshooting
On Mon, 25 Apr 2022, Steven D wrote:
David,
Thanks for all your help today, I committed a few changes to our config today
and I'll keep an
FileGroup="loguser"
DirOwner="loguser"
DirGroup="loguser"
DynaFile="firewall_logs"
DynaFileCacheSize = "50")
hopefully this was 500 not 50 based on your prior comment (but the pstats will
be clear once you ge
ruleset(name="firewall_rule") {
action(name="firewall_rule"
type="omfile"
FileCreateMode="0744"
DirCreateMode="0755"
FileOwner="loguser"
FileGroup="loguser"
DirOwner="loguser"
small number
is fine, thousands is bad, hundreds of thousands very bad
David Lang
Regards,
Steven
From: David Lang
Sent: Sunday, April 24, 2022 11:37 AM
To: Steven D
Cc: David Lang ; Steven D via rsyslog
Subject: Re: [rsyslog] Basic Rsyslog Troubleshooting
you definitely need to increase the dynacachesize for the firewall logs
also, if you add name= to the action, the pstats lines will be named by t
On Sun, 24 Apr 2022, Steven D wrote:
Re: Load balancer - that makes sense to me as well.
I've added this line to our config, does it seem appropriate for pstats?
Our Linux team keeps a tight grip on rights, so i'
what does wait time look like?
David Lang
From: David Lang
Sent: Sunday, April 24, 2022 10:39 AM
To: Steven D
Cc: David Lang ; Steven D via rsyslog
Subject: Re: [rsyslog] Basic Rsyslog Troubleshooting
FileCreateMode="0744"
FileOwner="loguser"
FileGroup="loguser")
}
Running Top + H now to get a feel on resource usage, but at first glance
nothing is really about 1~2%
On Sun, 24 Apr 2022, Steven D wrote:
Would setting the KeepAlives in the rsyslog config on the server-side help to
manage the (zombie?) TCP connections?
* The load balancer being in the middle feels like it's the cause of
repeated ESTABLISHED connections, but to keep HA/redundancy it's ki
David Lang
On Sun, 24 Apr 2022, Steven D wrote:
Date: Sun, 24 Apr 2022 14:12:13 +
From: Steven D
To: David Lang, Steven D via rsyslog
Subject: Re: [rsyslog] Basic Rsyslog Troubleshooting
No sir, no encryption is in play. Just plain ol TCP syslog. We're runnin
DirOwner="loguser"
DirGroup="loguser"
DynaFile="firewall_logs")
}
.
.
.
[snip]
Thanks again, really appreciate the insight.
From: rsyslog on behalf of Steven D via rsyslog
Sent: Sunday, April 24, 2022 8:57 AM
To: David Lang; Steven D via rsyslog
o be an issue in any case.
David Lang
On Sun, 24 Apr 2022, Steven D wrote:
Date: Sun, 24 Apr 2022 12:57:43 +
From: Steven D
To: David Lang, Steven D via rsyslog
Subject: RE: [rsyslog] Basic Rsyslog Troubleshooting
David
Thanks for the depth of this reply. Let me feed back in
Date: 4/24/22 8:27 AM (GMT-05:00)
To: Steven D via rsyslog
Cc: Steven D
Subject: Re: [rsyslog] Basic Rsyslog Troubleshooting
One problem with TCP load balancing of syslog messages is that the load
balancers do not understand the syslog protocol, so they can't rebalance at a
message boundary.
A
load balancer, crash
on the receiving machine, etc) the data will be lost and the sending software
has no way of learning about it.
David Lang
On Sun, 24 Apr 2022, Steven D via rsyslog wrote:
Date: Sun, 24 Apr 2022 12:14:35 +
From: Steven D via rsyslog
To: "rsyslog@lists.adiscon
Greetings list
New to rsyslog list, not new to logging. We're experiencing an odd issue where
TCP syslog messages are being dropped at seemingly random intervals...hoping to
get some input.
The TLDR on our architecture is we have set up a couple rsyslog receivers
behind a Netscaler Load balanc