From 55256ac96815d6e13fc9df7206d50ef7dcaca4fe Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Tue, 10 Aug 2010 14:51:43 +0200 Subject: added imptcp imptcp is a simplified, Linux-specific and potentielly fast syslog plain tcp input plugin (NOT supporting TLS!) --- doc/imptcp.html | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 doc/imptcp.html (limited to 'doc/imptcp.html') diff --git a/doc/imptcp.html b/doc/imptcp.html new file mode 100644 index 00000000..913563a5 --- /dev/null +++ b/doc/imptcp.html @@ -0,0 +1,84 @@ + + + +Plain TCP Syslog Input Module (imptcp) + +back + +

Plain TCP Syslog Input Module

Module Name: imptcp

Available since: 4.7.3+, 5.5.8+? +

Author: Rainer Gerhards +<rgerhards@adiscon.com>

Description:

Provides the ability to receive syslog messages via plain TCP syslog. +This is a specialised input plugin tailored for high performance on Linux. It will +probably not run on any other platform. Also, it does no provide TLS services. +Encryption can be provided by using stunnel. +

This module has no limit on the number of listeners and sessions that can be used. +

Multiple receivers may be configured by +specifying $InputPTCPServerRun multiple times. +

Configuration Directives:

This plugin has config directives similar named as imtcp, but they all have PTCP in +their name instead of just TCP. Note that only a subset of the parameters are supported. +

$InputPTCPServerAddtlFrameDelimiter <Delimiter>
+CURRENTLY DISABLED
+This directive permits to specify an additional frame delimiter for plain tcp syslog. +The industry-standard specifies using the LF character as frame delimiter. Some vendors, +notable Juniper in their NetScreen products, use an invalid frame delimiter, in Juniper's +case the NUL character. This directive permits to specify the ASCII value of the delimiter +in question. Please note that this does not guarantee that all wrong implementations can +be cured with this directive. It is not even a sure fix with all versions of NetScreen, +as I suggest the NUL character is the effect of a (common) coding error and thus will +probably go away at some time in the future. But for the time being, the value 0 can +probably be used to make rsyslog handle NetScreen's invalid syslog/tcp framing. +For additional information, see this +forum thread. +
If this doesn't work for you, please do not blame the rsyslog team. Instead file +a bug report with Juniper! +
Note that a similar, but worse, issue exists with Cisco's IOS implementation. They do +not use any framing at all. This is confirmed from Cisco's side, but there seems to be +very limited interest in fixing this issue. This directive can not fix the Cisco bug. +That would require much more code changes, which I was unable to do so far. Full details +can be found at the Cisco tcp syslog anomaly +page. +
$InputPTCPServerNotifyOnConnectionClose [on/off]
+CURRENTLY DISABLED
+instructs imptcp to emit a message if the remote peer closes a connection.
+Important: This directive is global to all listeners and must be given right +after loading imptcp, otherwise it may have no effect.
$InputPTCPServerRun <port>
+Starts a TCP server on selected port
$InputPTCPServerInputName <name>
+Sets a name for the inputname property. If no name is set "imptcp" is used by default. Setting a +name is not strictly necessary, but can be useful to apply filtering based on which input +the message was received from. +
$InputPTCPServerBindRuleset <name>
+Binds specified ruleset to next server defined. +
$InputPTCPServerListenIP <name>
+On multi-homed machines, specifies to which local address the next listerner should +be bound. +

+Caveats/Known Bugs: +

module always binds to all interfaces

Sample:

This sets up a TCP server on port 514:
+

+ +

[rsyslog.conf overview] +[manual index] [rsyslog site]

This documentation is part of the +rsyslog +project.
+Copyright © 2010 by Rainer +Gerhards and +Adiscon. +Released under the GNU GPL version 3 or higher.

+ -- cgit From e7d4ec890b42ceb0ab9bb4ee5ecc9a9e489c7388 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Wed, 11 Aug 2010 14:38:21 +0200 Subject: imptcp: added $InputPTCPServerNotifyOnConnectionClose directive plus some minor cleanup --- doc/imptcp.html | 3 --- 1 file changed, 3 deletions(-) (limited to 'doc/imptcp.html') diff --git a/doc/imptcp.html b/doc/imptcp.html index 913563a5..c63ddc34 100644 --- a/doc/imptcp.html +++ b/doc/imptcp.html @@ -45,10 +45,7 @@ That would require much more code changes, which I was unable to do so far. Full can be found at the Cisco tcp syslog anomaly page.

$InputPTCPServerNotifyOnConnectionClose [on/off]
-CURRENTLY DISABLED
instructs imptcp to emit a message if the remote peer closes a connection.
-Important: This directive is global to all listeners and must be given right -after loading imptcp, otherwise it may have no effect.

$InputPTCPServerRun <port>
Starts a TCP server on selected port

$InputPTCPServerInputName <name>
-- cgit From 809ed1768b83bc0c5392f943f4820523494e8285 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Wed, 11 Aug 2010 15:06:50 +0200 Subject: imptcp: added $InputPTCPServerAddtlFrameDelimiter directive also improved testbench --- doc/imptcp.html | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'doc/imptcp.html') diff --git a/doc/imptcp.html b/doc/imptcp.html index c63ddc34..d4228185 100644 --- a/doc/imptcp.html +++ b/doc/imptcp.html @@ -7,7 +7,7 @@

Plain TCP Syslog Input Module

Module Name: imptcp

Available since: 4.7.3+, 5.5.8+? +

Available since: 4.7.3+, 5.5.8+

Author: Rainer Gerhards <rgerhards@adiscon.com>

Description:

@@ -24,7 +24,6 @@ specifying $InputPTCPServerRun multiple times. their name instead of just TCP. Note that only a subset of the parameters are supported.

$InputPTCPServerAddtlFrameDelimiter <Delimiter>
-CURRENTLY DISABLED
This directive permits to specify an additional frame delimiter for plain tcp syslog. The industry-standard specifies using the LF character as frame delimiter. Some vendors, notable Juniper in their NetScreen products, use an invalid frame delimiter, in Juniper's -- cgit