Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. RSyslog>
  3. users
omhttp RSTs
rsyslog at lists
Mar 31, 2021, 7:11 AM
Post #1 of 4 (475 views)
Permalink
While debugging completely different issue I noticed something strange
on one of my rsyslog installations.

It mostly receives data on RELP connection then sends it with omhttp
with TLS to HEC splunk input.

And everything seems to be working great but...

But after tcpdumping the traffic I noticed that sending from the rsyslog
to splunk works like that:

- SYN from rsyslog to splunk and typical 3-way handshake

- TLS negotiation with mutual authentication

- encrypted data from rsyslog (I assume that it's the HTTP request with
batch output action)

- some short burst of data from splunkĀ  (I assume that's the server's
HTTP response)

- and here I'm getting a completely unexpected RST _from rsyslog's side_.

It's most peculiar because you'd typically expect either a keep-alive
and another HTTP transaction or a normally ACK/FIN-ished connection.

I will of course be digging into it myself. Will have to try to recreate
the setup in the lab since the production environment is way too heavily
used to turn on debugging. But has anyone encountered something like
that before? Or has any idea what can cause this?

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: omhttp RSTs [ In reply to ]
rsyslog at lists
Mar 31, 2021, 7:18 AM
Post #2 of 4 (475 views)
Permalink
On 31.03.2021 16:11, Mariusz Kruk via rsyslog wrote:
> While debugging completely different issue I noticed something strange
> on one of my rsyslog installations.
>
> It mostly receives data on RELP connection then sends it with omhttp
> with TLS to HEC splunk input.
>
> And everything seems to be working great but...
>
> But after tcpdumping the traffic I noticed that sending from the
> rsyslog to splunk works like that:
>
> - SYN from rsyslog to splunk and typical 3-way handshake
>
> - TLS negotiation with mutual authentication
>
> - encrypted data from rsyslog (I assume that it's the HTTP request
> with batch output action)
>
> - some short burst of data from splunkĀ  (I assume that's the server's
> HTTP response)
>
> - and here I'm getting a completely unexpected RST _from rsyslog's side_.
>
> It's most peculiar because you'd typically expect either a keep-alive
> and another HTTP transaction or a normally ACK/FIN-ished connection.
>
> I will of course be digging into it myself. Will have to try to
> recreate the setup in the lab since the production environment is way
> too heavily used to turn on debugging. But has anyone encountered
> something like that before? Or has any idea what can cause this?
>

Forgot to include the basic info :-)

The version in question is 8.2010 and the underlying OS is CentOS7 on
both sides of the connection.

Neither side reports any errors in logs.

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: omhttp RSTs [ In reply to ]
rsyslog at lists
Apr 1, 2021, 1:06 AM
Post #3 of 4 (475 views)
Permalink
OK. I dug a bit deeper into this and it seems that it's not an issue
with rsyslog as such because... posting events to HEC endpoint with
simple curl ends the same way - normal TCP connection and then RST from
the sending side. So my first hunch that it's the omhttp's fault seems
to have been wrong. Good to know.

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: omhttp RSTs [ In reply to ]
rsyslog at lists
Apr 1, 2021, 6:40 AM
Post #4 of 4 (474 views)
Permalink
In case anyone is interested ;-)

It seems that omhttp is in a sense a culprit here since it looks as the
bug seems to be in the libcurl, because the RSTs appear even in getting
a simple webpage from a https server but do not appear if I use wget. So
there must be something wrong with the underlying libcurl. And omhttp
uses it as well...


On 01.04.2021 10:06, Mariusz Kruk via rsyslog wrote:

> OK. I dug a bit deeper into this and it seems that it's not an issue
> with rsyslog as such because... posting events to HEC endpoint with
> simple curl ends the same way - normal TCP connection and then RST
> from the sending side. So my first hunch that it's the omhttp's fault
> seems to have been wrong. Good to know.
>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal