While debugging completely different issue I noticed something strange
on one of my rsyslog installations.
It mostly receives data on RELP connection then sends it with omhttp
with TLS to HEC splunk input.
And everything seems to be working great but...
But after tcpdumping the traffic I noticed that sending from the rsyslog
to splunk works like that:
- SYN from rsyslog to splunk and typical 3-way handshake
- TLS negotiation with mutual authentication
- encrypted data from rsyslog (I assume that it's the HTTP request with
batch output action)
- some short burst of data from splunkĀ (I assume that's the server's
HTTP response)
- and here I'm getting a completely unexpected RST _from rsyslog's side_.
It's most peculiar because you'd typically expect either a keep-alive
and another HTTP transaction or a normally ACK/FIN-ished connection.
I will of course be digging into it myself. Will have to try to recreate
the setup in the lab since the production environment is way too heavily
used to turn on debugging. But has anyone encountered something like
that before? Or has any idea what can cause this?
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
on one of my rsyslog installations.
It mostly receives data on RELP connection then sends it with omhttp
with TLS to HEC splunk input.
And everything seems to be working great but...
But after tcpdumping the traffic I noticed that sending from the rsyslog
to splunk works like that:
- SYN from rsyslog to splunk and typical 3-way handshake
- TLS negotiation with mutual authentication
- encrypted data from rsyslog (I assume that it's the HTTP request with
batch output action)
- some short burst of data from splunkĀ (I assume that's the server's
HTTP response)
- and here I'm getting a completely unexpected RST _from rsyslog's side_.
It's most peculiar because you'd typically expect either a keep-alive
and another HTTP transaction or a normally ACK/FIN-ished connection.
I will of course be digging into it myself. Will have to try to recreate
the setup in the lab since the production environment is way too heavily
used to turn on debugging. But has anyone encountered something like
that before? Or has any idea what can cause this?
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.