Mailing List Archive

DTLS Support with rsyslog
Hey folks,

I know rsyslog is using gnutls (default) with a recommendation for openssl and has support for TLS-encrypted TCP connections. Does rsyslog support TLS-encrypted UDP connections (specifically, inbound)?

Cheers,
Mike
________________________________________
This e-mail communication (including any or all attachments) is intended only for the use of the person or entity to which it is addressed and may contain confidential and/or privileged material. If you are not the intended recipient of this e-mail, any use, review, retransmission, distribution, dissemination, copying, printing, or other use of, or taking of any action in reliance upon this e-mail, is strictly prohibited. If you have received this e-mail in error, please contact the sender and delete the original and any copy of this e-mail and any printout thereof, immediately. If you have any questions or concerns, please contact our Customer Service Desk at 1-877-274-2349. Your co-operation is appreciated.

________________________________________
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: DTLS Support with rsyslog [ In reply to ]
On Thu, 3 Aug 2023, Redbourne,Michael via rsyslog wrote:

> I know rsyslog is using gnutls (default) with a recommendation for openssl and has support for TLS-encrypted TCP connections. Does rsyslog support TLS-encrypted UDP connections (specifically, inbound)?

No, TLS requires a stream of packets as the encryption for each packet changes
based on the prior packets. UDP syslog has each packet handled completely
independently, and packets can get reordered or dropped on the network before
they are processed, so TLS really can't work.

David Lang
Re: DTLS Support with rsyslog [ In reply to ]
Yeah, unfortunately that's what I expected. Thanks David.

Cheers,
Mike
Re: DTLS Support with rsyslog [ In reply to ]
Actually, there is DTLS, which is "datagram TLS", and there also is an RFC.

So far, we had no real demand to implement it. My impression is that
DTLS syslog is largely unused.

Rainer
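
The two replies above, side by side, as an added example (not from the thread or from rsyslog): a receiver that counts records implicitly, as TLS does over TCP, stops at the first gap, while one that reads an explicit sequence number from each record header and keeps a replay window, as DTLS (RFC 6347) does, survives loss and reordering. The AEAD is a toy HMAC-SHA256 construction standing in for a real cipher, and the key, messages and arrival order are constructed.

```python
import hashlib
import hmac

# Constructed demo values: key, IV, syslog lines and arrival order are made up.
KEY = b"constructed-demo-key-not-secret!"
IV = b"\x00\x00\x00\x00demo-iv!"  # 12 bytes
TAG_LEN = 16
MESSAGES = [b"<134>1 2023-08-03T12:00:0%dZ fw1 app - - - event %d" % (i, i)
            for i in range(4)]
ARRIVAL = [0, 2, 1, 2]  # record 3 lost, 1 and 2 swapped, 2 duplicated

def _nonce(seq):
    # Per-record nonce = static IV XOR record sequence number.
    return bytes(a ^ b for a, b in zip(IV, seq.to_bytes(12, "big")))

def _keystream(nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(KEY, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(nonce, aad, ct):
    return hmac.new(KEY, b"tag" + nonce + aad + ct, hashlib.sha256).digest()[:TAG_LEN]

def seal(seq, aad, plaintext):
    """Toy AEAD (stand-in for a real cipher): encrypt and authenticate one record."""
    nonce = _nonce(seq)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(nonce, len(plaintext))))
    return ct + _tag(nonce, aad, ct)

def unseal(seq, aad, record):
    """Return the plaintext, or None if the record does not authenticate."""
    ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    nonce = _nonce(seq)
    if not hmac.compare_digest(tag, _tag(nonce, aad, ct)):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(nonce, len(ct))))

class StreamReceiver:
    """TLS-style: the sequence number is implicit, counted per record received."""
    def __init__(self):
        self.next_seq, self.dead = 0, False

    def receive(self, record):
        if self.dead:
            return None
        msg = unseal(self.next_seq, b"", record)
        if msg is None:
            self.dead = True  # a bad record MAC is fatal for a TLS connection
            return None
        self.next_seq += 1
        return msg

class DatagramReceiver:
    """DTLS-style: epoch + sequence number travel in an authenticated header."""
    WINDOW = 64

    def __init__(self):
        self.highest, self.bitmap = -1, 0  # bit i set => (highest - i) was seen

    def receive(self, datagram):
        if len(datagram) < 8 + TAG_LEN:
            return None
        header, body = datagram[:8], datagram[8:]
        seq = int.from_bytes(header[2:], "big")  # header[:2] is the epoch
        behind = self.highest - seq
        if behind >= self.WINDOW or (behind >= 0 and (self.bitmap >> behind) & 1):
            return None  # too old, or a replay: drop silently
        msg = unseal(seq, header, body)
        if msg is None:
            return None  # invalid record: drop it, keep the association alive
        if behind < 0:  # advance the window only after authentication
            self.bitmap = ((self.bitmap << -behind) | 1) & ((1 << self.WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << behind
        return msg

def tls_records(messages):
    return [seal(i, b"", m) for i, m in enumerate(messages)]

def dtls_datagrams(messages, epoch=1):
    out = []
    for i, m in enumerate(messages):
        header = epoch.to_bytes(2, "big") + i.to_bytes(6, "big")
        out.append(header + seal(i, header, m))
    return out

def run_stream():
    rx, recs = StreamReceiver(), tls_records(MESSAGES)
    return [rx.receive(recs[i]) for i in ARRIVAL]

def run_datagram():
    rx, dgrams = DatagramReceiver(), dtls_datagrams(MESSAGES)
    return [rx.receive(dgrams[i]) for i in ARRIVAL]

if __name__ == "__main__":
    print("implicit seq:", run_stream())
    print("explicit seq:", run_datagram())
```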

Re: DTLS Support with rsyslog [ In reply to ]
Ah: Originally I'd seen this one: https://datatracker.ietf.org/doc/html/rfc6347

You're probably referring to this one though > https://datatracker.ietf.org/doc/html/rfc6012, written by you & Cisco of course

Regardless, there are multiple issues with approaching DTLS Syslog. I sincerely doubt DTLS Syslog is supported by the 'server' (sender), and evidently, it's not supported by the client (rsyslog). I have a few other ideas on how to handle our use case without DTLS, it's just going to be a pain to implement, and might involve a variety of load balancers, or a lot more research with rsyslog.

At a very high level: We have a 'cloud device' (think: ZScaler, Cortex lake, FortiAnalyzer via Cloud, etc) that's sending an average of 50k EPS. There's a pool of 'backend' nodes that receive the data and forward it to a SIEM (Splunk, etc), but each node in the backend pool is rate limited by the vendor at 5,000 EPS. (These numbers are just examples.) In an n build, we need 10 nodes in the pool. N+1 calls for 11 nodes, but realistically, we're probably looking at 13 in this case, so we have redundancy and we're not running them full tilt. With TCP, anything that hits the external LB is going to be routed to the same server unless we can get the cloud service to open multiple streams. (This is the ideal solution... Something we're talking to that vendor about). If they can't do that, this gets far more complex, and is something I'm going to have to mock up in a dev environment.

The other solution being:

                                                   / ---- TCP TLS RCV rsyslog 1 (act) UDP FWD ---- \
Cloud Service ----> Ext Load Balancer -----VIP--->                                                   ----> Int F5s on K3605 ---> Backend Pool
                                                   \ ---- TCP TLS RCV rsyslog 2 (pas) UDP FWD ---- /

K3605 for context describes round-robin "per-packet" forwarding: https://my.f5.com/manage/s/article/K3605. Useful for things like UDP-based DNS, though in this case we're not expecting a response from syslog... Anyways, I have some design work to do if the cloud service vendor tells me they can't open multiple TCP streams to balance this out without the need for external and internal NLBs.

Thanks Rainer & David!

Re: DTLS Support with rsyslog [ In reply to ]
And why can't you use rsyslog to load-balance multiple outputs?

As far as I remember rsyslog doesn't have a built-in LB functionality
but it can be implemented in a ruleset.

MK

Re: DTLS Support with rsyslog [ In reply to ]
Rsyslog can implement load balancing via ruleset (Ex: https://community.microfocus.com/cyberres/arcsight/f/arcsight-discussions/334766/using-rsyslog-to-load-balance-all-connectors-across-a-logger-pool). Whether I complicate this with multiple rulesets in rsyslog, or complicate this with F5, it's sort of 50/50 on which is worse - in my opinion at least. We already have experience with F5, so we'd just be looking at managing two additional VMs. Bonus, we get formal support for it (albeit, paid).

Ideally none of this would be necessary, we'd just have an external LB to 2 nodes (HA, Act/Pas) running rsyslog with the other vendor software on the same server. Unfortunately, the SIEM vendor isn't quite there yet.

-----Original Message-----
From: rsyslog <rsyslog-bounces@lists.adiscon.com> On Behalf Of Mariusz Kruk via rsyslog
Sent: Thursday, August 3, 2023 10:06 PM
To: rsyslog@lists.adiscon.com
Cc: Mariusz Kruk <kruk@epsilon.eu.org>
Subject: Re: [rsyslog] DTLS Support with rsyslog

CAUTION: The Sender is located Outside The Organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.


And why can't you use rsyslog to load-balance multiple outputs?

As far as I remember rsyslog doesn't have an built-in LB functionality but it can be implemented in a ruleset.

MK

On 3.08.2023 13:53, Redbourne,Michael via rsyslog wrote:
> Ah: Originally I'd seen this one:
> https://data/
> tracker.ietf.org%2Fdoc%2Fhtml%2Frfc6347&data=05%7C01%7Cmichael.redbour
> ne%40bulletproofsi.com%7Cba26d2bbdb9949505ddb08db941a0cfa%7C9a63d13853
> ea411bbe8458b7e2570747%7C1%7C0%7C638266611832589878%7CUnknown%7CTWFpbG
> Zsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%
> 3D%7C3000%7C%7C%7C&sdata=%2BJuDKgA0D20BttUkyuDMmM6lX%2BnPU6C%2BUI3y0Tr
> 4hiw%3D&reserved=0
>
> You're probably referring to this one though >
> https://data/
> tracker.ietf.org%2Fdoc%2Fhtml%2Frfc6012&data=05%7C01%7Cmichael.redbour
> ne%40bulletproofsi.com%7Cba26d2bbdb9949505ddb08db941a0cfa%7C9a63d13853
> ea411bbe8458b7e2570747%7C1%7C0%7C638266611832589878%7CUnknown%7CTWFpbG
> Zsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%
> 3D%7C3000%7C%7C%7C&sdata=49OGZDkUaZfVkYk2uBmyF9r4GHSgYw62SYylr7iYF5A%3
> D&reserved=0, written by you & Cisco of course ????
>
> Regardless, there's multiple issues with approaching DTLS Syslog. I sincerely doubt DTLS Syslog is supported by the 'server' (sender), and evidently, it's not supported by the client (rsyslog). I have a few other ideas on how to handle our use case without DTLS, it's just going to be a pain to implement, and might involve a variety of load balancers, or a lot more research with rsyslog.
>
> At a very high level: We have a 'cloud device' (think: ZScaler, Cortex lake, FortiAnalzyer via Cloud, etc) that's sending an average of 50k EPS. There's a pool of 'backend' nodes that receive the data and forward it to a SIEM (Splunk, etc), but each node in the backend pool is rate limited by the vendor at 5,000 EPS. (These numbers are just examples.) In an n build, we need 10 nodes in the pool. N+1 calls for 11 nodes, but realistically, we're probably looking at 13 in this case, so we have redundancy and we're not running them full tilt. With TCP, anything that hits the external LB is going to be routed to the same server unless we can get the cloud service to open multiple streams. (This is the ideal solution... Something we're talking to that vendor about). If they can't do that, this gets far more complex, and is something I'm going to have to mock up in a dev environment.
>
> The other solution being:
>
> / ---- TCP TLS RCV rsyslog 1 (act) UDP FWD ---- \
> Cloud Service ----> Ext Load Balancer -----VIP---> ----> Int F5s on K3605 ---> Backend Pool
>
> \ ---- TCP TLS RCV rsyslog 2 (pas) UDP FWD ---- /
>
> K3605 for context describes round-robin "per-packet" forwarding: https://my.f5.com/manage/s/article/K3605. Useful for things like UDP-based DNS, though in this case we're not expecting a response from syslog... Anyways, I have some design work to do if the cloud service vendor tells me they can't open multiple TCP streams to balance this out without the need for external and internal NLBs.
>
> Thanks Rainer & David!
>
> -----Original Message-----
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Sent: Thursday, August 3, 2023 9:11 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: David Lang <david@lang.hm>; Redbourne,Michael
> <michael.redbourne@bulletproofsi.com>
> Subject: Re: [rsyslog] DTLS Support with rsyslog
>
> CAUTION: The Sender is located Outside The Organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
>
> actually, there is DTLS, which is "datagram tls" and there also is a RFC.
>
> So far, we had no real demand to implement it. My impression is that DTLS syslog is largely unused.
>
> Rainer
>
> El jue, 3 ago 2023 a las 12:07, Redbourne,Michael via rsyslog
> (<rsyslog@lists.adiscon.com>) escribió:
>> Yeah, unfortunately that's what I expected. Thanks David.
>>
>> Cheers,
>> Mike
>> -----Original Message-----
>> From: David Lang <david@lang.hm>
>> Sent: Thursday, August 3, 2023 8:03 PM
>> To: Redbourne,Michael via rsyslog <rsyslog@lists.adiscon.com>
>> Cc: Redbourne,Michael <michael.redbourne@bulletproofsi.com>
>> Subject: Re: [rsyslog] DTLS Support with rsyslog
>>
>> CAUTION: The Sender is located Outside The Organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>>
>>
>> On Thu, 3 Aug 2023, Redbourne,Michael via rsyslog wrote:
>>
>>> I know rsyslog is using gnutls (default) with a recommendation for openssl and has support for TLS-encrypted TCP connections. Does rsyslog support TLS-encrypted UDP connections (specifically, inbound)?
>> No, TLS requires a stream of packets as the encryption for each packet changes based on the prior packets., UDP syslog has each packet handled completely independently, and packets can get reordered or dropped on the network before they are processed, so TLS really can't work.
>>
>> David Lang
Re: DTLS Support with rsyslog [ In reply to ]
I know it can be implemented. I have it in constant use :-)

The pro of rsyslog vs F5 is that rsyslog operates on a per-event basis
and understands syslog with its many quirks. F5 - yes, you get support.
You can also buy support for rsyslog from the guys @Adiscon.

What SIEM are you sending it to if it's not a secret?

MK

On 3.08.2023 14:26, Redbourne,Michael wrote:
> Rsyslog can implement load balancing via ruleset (Ex: https://community.microfocus.com/cyberres/arcsight/f/arcsight-discussions/334766/using-rsyslog-to-load-balance-all-connectors-across-a-logger-pool). Whether I complicate this with multiple rulesets in rsyslog, or complicate this with F5, it's sort of 50/50 on which is worse - in my opinion at least. We already have experience with F5, so we'd just be looking at managing two additional VMs. Bonus, we get formal support for it (albeit, paid).
>
> Ideally none of this would be necessary, we'd just have an external LB to 2 nodes (HA, Act/Pas) running rsyslog with the other vendor software on the same server. Unfortunately, the SIEM vendor isn't quite there yet.
>
> -----Original Message-----
> From: rsyslog <rsyslog-bounces@lists.adiscon.com> On Behalf Of Mariusz Kruk via rsyslog
> Sent: Thursday, August 3, 2023 10:06 PM
> To: rsyslog@lists.adiscon.com
> Cc: Mariusz Kruk <kruk@epsilon.eu.org>
> Subject: Re: [rsyslog] DTLS Support with rsyslog
>
> And why can't you use rsyslog to load-balance multiple outputs?
>
> As far as I remember rsyslog doesn't have a built-in LB functionality but it can be implemented in a ruleset.
>
> MK
>
> On 3.08.2023 13:53, Redbourne,Michael via rsyslog wrote:
>> Ah: Originally I'd seen this one:
>> https://datatracker.ietf.org/doc/html/rfc6347
>>
>> You're probably referring to this one though >
>> https://datatracker.ietf.org/doc/html/rfc6012, written by you & Cisco of course
>>
>> Regardless, there's multiple issues with approaching DTLS Syslog. I sincerely doubt DTLS Syslog is supported by the 'server' (sender), and evidently, it's not supported by the client (rsyslog). I have a few other ideas on how to handle our use case without DTLS, it's just going to be a pain to implement, and might involve a variety of load balancers, or a lot more research with rsyslog.
>>
>> At a very high level: We have a 'cloud device' (think: ZScaler, Cortex lake, FortiAnalyzer via Cloud, etc) that's sending an average of 50k EPS. There's a pool of 'backend' nodes that receive the data and forward it to a SIEM (Splunk, etc), but each node in the backend pool is rate limited by the vendor at 5,000 EPS. (These numbers are just examples.) In an n build, we need 10 nodes in the pool. N+1 calls for 11 nodes, but realistically, we're probably looking at 13 in this case, so we have redundancy and we're not running them full tilt. With TCP, anything that hits the external LB is going to be routed to the same server unless we can get the cloud service to open multiple streams. (This is the ideal solution... Something we're talking to that vendor about). If they can't do that, this gets far more complex, and is something I'm going to have to mock up in a dev environment.
>>
>> The other solution being:
>>
>>                                                    / ---- TCP TLS RCV rsyslog 1 (act) UDP FWD ---- \
>> Cloud Service ----> Ext Load Balancer -----VIP--->                                                   ----> Int F5s on K3605 ---> Backend Pool
>>                                                    \ ---- TCP TLS RCV rsyslog 2 (pas) UDP FWD ---- /
>>
>> K3605 for context describes round-robin "per-packet" forwarding: https://my.f5.com/manage/s/article/K3605. Useful for things like UDP-based DNS, though in this case we're not expecting a response from syslog... Anyways, I have some design work to do if the cloud service vendor tells me they can't open multiple TCP streams to balance this out without the need for external and internal NLBs.
>>
>> Thanks Rainer & David!
>>
>> -----Original Message-----
>> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
>> Sent: Thursday, August 3, 2023 9:11 PM
>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>> Cc: David Lang <david@lang.hm>; Redbourne,Michael
>> <michael.redbourne@bulletproofsi.com>
>> Subject: Re: [rsyslog] DTLS Support with rsyslog
>>
>> actually, there is DTLS, which is "datagram tls" and there also is an RFC.
>>
>> So far, we had no real demand to implement it. My impression is that DTLS syslog is largely unused.
>>
>> Rainer
>>
>> On Thu, 3 Aug 2023 at 12:07, Redbourne,Michael via rsyslog
>> (<rsyslog@lists.adiscon.com>) wrote:
>>> Yeah, unfortunately that's what I expected. Thanks David.
>>>
>>> Cheers,
>>> Mike
>>> -----Original Message-----
>>> From: David Lang <david@lang.hm>
>>> Sent: Thursday, August 3, 2023 8:03 PM
>>> To: Redbourne,Michael via rsyslog <rsyslog@lists.adiscon.com>
>>> Cc: Redbourne,Michael <michael.redbourne@bulletproofsi.com>
>>> Subject: Re: [rsyslog] DTLS Support with rsyslog
>>>
>>> On Thu, 3 Aug 2023, Redbourne,Michael via rsyslog wrote:
>>>
>>>> I know rsyslog is using gnutls (default) with a recommendation for openssl and has support for TLS-encrypted TCP connections. Does rsyslog support TLS-encrypted UDP connections (specifically, inbound)?
>>> No, TLS requires a stream of packets as the encryption for each packet changes based on the prior packets. UDP syslog has each packet handled completely independently, and packets can get reordered or dropped on the network before they are processed, so TLS really can't work.
>>>
>>> David Lang
Re: DTLS Support with rsyslog [ In reply to ]
As a practical matter, if you have multiple senders, you don't need to have
'correct' load balancing where each sender opens multiple connections and sends
to all targets.

Instead you can get by with a much simpler mechanism.

Set up a load balancer of your choice, use TCP, and configure the senders to
disconnect and reconnect every X messages (set X to something large enough that
the connection, slow start, and encryption handshake isn't significant, start at
something like 1000, or 10000, a few seconds worth of logs)

with many senders, your load will be fairly well balanced statistically, and by
disconnecting and reconnecting you give the load balancer a chance to adjust the
imbalance.

It won't be perfect, but in practice it's pretty close.

Rsyslog supports this on the sender side (rebind interval) for exactly this
purpose, and you can use anything from CLUSTERIP with corosync/pacemaker to
external load balancers to split the traffic across multiple systems with
failover if a system stops responding.

I've done this with very high volume systems


re: DTLS, to be able to do TLS over UDP, you have to introduce sequencing and
retries, at which point you are pretty much reinventing TCP.

If these connections are over unreliable networks (such as the Internet), I
highly recommend that you look at RELP as a reasonable protocol. That way if the
connection gets broken, you don't lose any logs.

David Lang
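The rebind approach in the post above can be modelled before it is built. This is an added example, not part of the original post: a Python simulation with a hypothetical least-connections balancer, constructed sender counts, and the thread's example figures (one 50k EPS sender, 5,000 EPS per-node cap) for the single-sender case raised earlier in the thread.

```python
class LeastConnLB:
    """Hypothetical balancer: least connections, ties broken round-robin."""

    def __init__(self, n_backends):
        self.conns = [0] * n_backends
        self.last = -1

    def pick(self, up):
        fewest = min(self.conns[b] for b in up)
        n = len(self.conns)
        for step in range(1, n + 1):
            b = (self.last + step) % n
            if b in up and self.conns[b] == fewest:
                self.conns[b] += 1
                self.last = b
                return b

    def release(self, b):
        self.conns[b] -= 1


def simulate(rates, n_backends, seconds, rebind_every=0, late=0, join_at=0):
    """Return (total messages per backend, peak messages/second per backend).

    rates        -- messages per second for each sender (one TCP connection each)
    rebind_every -- sender closes and reopens its connection after this many
                    messages (0 = keep the first connection forever)
    late/join_at -- the last `late` backends only come up at second `join_at`
    """
    lb = LeastConnLB(n_backends)
    conn = [None] * len(rates)
    sent = [0] * len(rates)
    total = [0] * n_backends
    peak = [0] * n_backends
    for t in range(seconds):
        up = set(range(n_backends if t >= join_at else n_backends - late))
        this_second = [0] * n_backends
        for s, rate in enumerate(rates):
            if conn[s] is None:                 # (re)connect through the balancer
                conn[s] = lb.pick(up)
            this_second[conn[s]] += rate
            sent[s] += rate
            if rebind_every and sent[s] >= rebind_every:
                lb.release(conn[s])             # rebind: drop the connection
                conn[s], sent[s] = None, 0
        for b in range(n_backends):
            total[b] += this_second[b]
            peak[b] = max(peak[b], this_second[b])
    return total, peak


if __name__ == "__main__":
    many = [500] * 20   # constructed: 20 senders at 500 msg/s each
    print("20 senders, no rebind   :", simulate(many, 4, 120, 0, late=2, join_at=10))
    print("20 senders, rebind 5000 :", simulate(many, 4, 120, 5000, late=2, join_at=10))
    # Thread's example figures: a single 50k EPS sender, 10 backend nodes.
    print("1 sender, rebind 100000 :", simulate([50000], 10, 120, 100000))
```

With 20 senders, the two backends that join late pick up an even share after the first rebind. With a single 50k EPS sender the totals even out, but every node still sees the full 50k EPS while it holds the connection.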
Re: DTLS Support with rsyslog [ In reply to ]
David,

On Thu, August 3, 2023 8:35 am, David Lang via rsyslog wrote:

> re: DTLS, to be able to do TLS over UDP, you have to introduce sequencing
> and retries, at which point you are pretty much reinventing TCP.

Just FYI, "DTLS" is Datagram Transport Layer Security (RFC-9147). It is
based on (but NOT) standard TLS; DTLS is designed to handle the
out-of-order UDP Packets. You do NOT need to introduce sequencing or
retries. DTLS handles that (well, it won't retry, but it handles dropped
and reordered packets).

There are times when DTLS is the right answer. I'm not sure if (r)syslog
is the right place or not.

-derek

--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

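The per-record handling described in the post above, as an added example that is not part of the original post: a Python receiver using the DTLS 1.2 record header and anti-replay window from RFC 6347 (linked earlier in the thread). The key, the log lines and the HMAC-SHA256 tag standing in for the negotiated cipher are constructed for illustration, and payload encryption is left out.

```python
import hashlib
import hmac
import struct

DTLS_1_2 = 0xFEFD          # wire version of DTLS 1.2
APPLICATION_DATA = 23      # record content type
HEADER_LEN = 13            # type(1) version(2) epoch(2) sequence(6) length(2)
TAG_LEN = 32               # HMAC-SHA256 tag (stand-in for the real cipher suite)
WINDOW = 64                # anti-replay window, in records
SEQ_MASK = (1 << 48) - 1


def build_record(key, epoch, seq, payload):
    """Sender side: every datagram carries its epoch and sequence number."""
    header = struct.pack("!BHQH", APPLICATION_DATA, DTLS_1_2,
                         (epoch << 48) | seq, len(payload) + TAG_LEN)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Processes each datagram on its own; no stream state is required."""

    def __init__(self, key, epoch=1):
        self.key = key
        self.epoch = epoch
        self.highest = -1   # highest authenticated sequence number
        self.bitmap = 0     # bit i set => record (highest - i) already accepted

    def receive(self, datagram):
        if len(datagram) < HEADER_LEN + TAG_LEN:
            return ("malformed", None)
        _ctype, version, epoch_seq, length = struct.unpack(
            "!BHQH", datagram[:HEADER_LEN])
        epoch, seq = epoch_seq >> 48, epoch_seq & SEQ_MASK
        if version != DTLS_1_2 or length != len(datagram) - HEADER_LEN:
            return ("malformed", None)
        if epoch != self.epoch:
            return ("wrong-epoch", None)
        # 1. Cheap replay check before spending time on cryptography.
        if seq <= self.highest:
            offset = self.highest - seq
            if offset >= WINDOW:
                return ("too-old", None)
            if (self.bitmap >> offset) & 1:
                return ("replay", None)
        # 2. Authenticate; the sequence number is part of the MAC input.
        payload = datagram[HEADER_LEN:-TAG_LEN]
        expected = hmac.new(self.key, datagram[:HEADER_LEN] + payload,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(datagram[-TAG_LEN:], expected):
            return ("bad-mac", None)
        # 3. Only an authenticated record may move or mark the window.
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return ("accept", payload)


def demo():
    key = b"constructed-demo-key"   # constructed; not a real session key
    msgs = [b"<134>Aug  3 12:00:0%d fw01 event %d" % (i, i) for i in range(6)]
    rec = [build_record(key, 1, i, m) for i, m in enumerate(msgs)]
    forged = bytearray(rec[5])
    forged[HEADER_LEN] ^= 0x01      # flip one payload bit in transit
    # Network view: record 3 lost, 1 and 2 swapped, 2 replayed, 5 tampered once.
    arrivals = [rec[0], rec[2], rec[1], rec[4], rec[2], bytes(forged), rec[5]]
    rx = Receiver(key)
    return [rx.receive(d)[0] for d in arrivals]


if __name__ == "__main__":
    print(demo())
```

The lost record 3 is never recovered, which matches the "it won't retry" caveat in the post: anything that must not be lost needs reliability from a different layer.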
Re: DTLS Support with rsyslog [ In reply to ]
Microsoft Sentinel under the new AMA (Azure Monitor Agent). Rated to 10k EPS > https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-performance. Microsoft says it's a simulated load (with avg CPU at 51% of 800%). But in private conversations with them, they've indicated that's a hard cap. They've been slowly stepping it up. It started at 5k EPS, then 8500 EPS, and now 10k EPS. This has been a long time known issue, and something I've complained to Microsoft about. A 10k EPS limit on a single node is an absolutely insane limit to place considering the use case for the new agent is almost exclusively forwarding. Competitors (IBM, Logstash) are all well capable of supporting well into the 10s of thousands in EPS (with appropriately sized VMs...)

AMA doesn't care about VM sizing once you're realistically above 4 vCPUs.


-----Original Message-----
From: rsyslog <rsyslog-bounces@lists.adiscon.com> On Behalf Of Mariusz Kruk via rsyslog
Sent: Thursday, August 3, 2023 10:33 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Mariusz Kruk <kruk@epsilon.eu.org>
Subject: Re: [rsyslog] DTLS Support with rsyslog

I know it can be implemented. I have it in constant use :-)

The pro of rsyslog vs F5 is that rsyslog operates on a per-event basis and understands syslog with its many quirks. F5 - yes, you get support.
You can also buy support for rsyslog from the guys @Adiscon.

What SIEM are you sending it to if it's not a secret?

MK

On 3.08.2023 14:26, Redbourne,Michael wrote:
> Rsyslog can implement load balancing via ruleset (Ex: https://community.microfocus.com/cyberres/arcsight/f/arcsight-discussions/334766/using-rsyslog-to-load-balance-all-connectors-across-a-logger-pool). Whether I complicate this with multiple rulesets in rsyslog, or complicate this with F5, it's sort of 50/50 on which is worse - in my opinion at least. We already have experience with F5, so we'd just be looking at managing two additional VMs. Bonus, we get formal support for it (albeit, paid).
>
> Ideally none of this would be necessary, we'd just have an external LB to 2 nodes (HA, Act/Pas) running rsyslog with the other vendor software on the same server. Unfortunately, the SIEM vendor isn't quite there yet.
>
> -----Original Message-----
> From: rsyslog <rsyslog-bounces@lists.adiscon.com> On Behalf Of Mariusz
> Kruk via rsyslog
> Sent: Thursday, August 3, 2023 10:06 PM
> To: rsyslog@lists.adiscon.com
> Cc: Mariusz Kruk <kruk@epsilon.eu.org>
> Subject: Re: [rsyslog] DTLS Support with rsyslog
>
> And why can't you use rsyslog to load-balance multiple outputs?
>
> As far as I remember rsyslog doesn't have a built-in LB functionality but it can be implemented in a ruleset.
>
> MK
>
> On 3.08.2023 13:53, Redbourne,Michael via rsyslog wrote:
>> Ah: Originally I'd seen this one:
>> https://datatracker.ietf.org/doc/html/rfc6347
>>
>> You're probably referring to this one though > https://datatracker.ietf.org/doc/html/rfc6012, written by you & Cisco of course
>>
>> Regardless, there's multiple issues with approaching DTLS Syslog. I sincerely doubt DTLS Syslog is supported by the 'server' (sender), and evidently, it's not supported by the client (rsyslog). I have a few other ideas on how to handle our use case without DTLS, it's just going to be a pain to implement, and might involve a variety of load balancers, or a lot more research with rsyslog.
>>
>> At a very high level: We have a 'cloud device' (think: ZScaler, Cortex lake, FortiAnalyzer via Cloud, etc) that's sending an average of 50k EPS. There's a pool of 'backend' nodes that receive the data and forward it to a SIEM (Splunk, etc), but each node in the backend pool is rate limited by the vendor at 5,000 EPS. (These numbers are just examples.) In an n build, we need 10 nodes in the pool. N+1 calls for 11 nodes, but realistically, we're probably looking at 13 in this case, so we have redundancy and we're not running them full tilt. With TCP, anything that hits the external LB is going to be routed to the same server unless we can get the cloud service to open multiple streams. (This is the ideal solution... Something we're talking to that vendor about). If they can't do that, this gets far more complex, and is something I'm going to have to mock up in a dev environment.
>>
>> The other solution being:
>>
>>                                                    / ---- TCP TLS RCV rsyslog 1 (act) UDP FWD ---- \
>> Cloud Service ----> Ext Load Balancer -----VIP--->                                                   ----> Int F5s on K3605 ---> Backend Pool
>>                                                    \ ---- TCP TLS RCV rsyslog 2 (pas) UDP FWD ---- /
>>
>> K3605 for context describes round-robin "per-packet" forwarding: https://my.f5.com/manage/s/article/K3605. Useful for things like UDP-based DNS, though in this case we're not expecting a response from syslog... Anyways, I have some design work to do if the cloud service vendor tells me they can't open multiple TCP streams to balance this out without the need for external and internal NLBs.
>>
>> Thanks Rainer & David!
>>
>> -----Original Message-----
>> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
>> Sent: Thursday, August 3, 2023 9:11 PM
>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>> Cc: David Lang <david@lang.hm>; Redbourne,Michael
>> <michael.redbourne@bulletproofsi.com>
>> Subject: Re: [rsyslog] DTLS Support with rsyslog
>>
>> actually, there is DTLS, which is "datagram tls" and there also is an RFC.
>>
>> So far, we had no real demand to implement it. My impression is that DTLS syslog is largely unused.
>>
>> Rainer
>>
>> On Thu, 3 Aug 2023 at 12:07, Redbourne,Michael via rsyslog
>> (<rsyslog@lists.adiscon.com>) wrote:
>>> Yeah, unfortunately that's what I expected. Thanks David.
>>>
>>> Cheers,
>>> Mike
>>> -----Original Message-----
>>> From: David Lang <david@lang.hm>
>>> Sent: Thursday, August 3, 2023 8:03 PM
>>> To: Redbourne,Michael via rsyslog <rsyslog@lists.adiscon.com>
>>> Cc: Redbourne,Michael <michael.redbourne@bulletproofsi.com>
>>> Subject: Re: [rsyslog] DTLS Support with rsyslog
>>>
>>> On Thu, 3 Aug 2023, Redbourne,Michael via rsyslog wrote:
>>>
>>>> I know rsyslog is using gnutls (default) with a recommendation for openssl and has support for TLS-encrypted TCP connections. Does rsyslog support TLS-encrypted UDP connections (specifically, inbound)?
>>> No, TLS requires a stream of packets as the encryption for each packet changes based on the prior packets. UDP syslog has each packet handled completely independently, and packets can get reordered or dropped on the network before they are processed, so TLS really can't work.
>>>
>>> David Lang
>> D
>> %7C3000%7C%7C%7C&sdata=u1YULLOobor4Uo2LF9vyMxO%2BcpPc2O9JyFuPqe6NrU4%
>> 3
>> D&reserved=0 What's up with rsyslog? Follow https://twit/
>> ter.com%2Frgerhards&data=05%7C01%7Cmichael.redbourne%40bulletproofsi.
>> c
>> om%7Cba26d2bbdb9949505ddb08db941a0cfa%7C9a63d13853ea411bbe8458b7e2570
>> 7
>> 47%7C1%7C0%7C638266611832589878%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wL
>> j
>> AwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&
>> s
>> data=24%2FSX0x%2FruL%2BoMZV6i4BER4qjcBBXPCX09fOdKpUqxg%3D&reserved=0
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
> _______________________________________________
> rsyslog mailing list
> https://list/
> s.adiscon.net%2Fmailman%2Flistinfo%2Frsyslog&data=05%7C01%7Cmichael.re
> dbourne%40bulletproofsi.com%7C6d3e3a9017b24914e34408db941dc425%7C9a63d
> 13853ea411bbe8458b7e2570747%7C1%7C0%7C638266627792462949%7CUnknown%7CT
> WFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI
> 6Mn0%3D%7C3000%7C%7C%7C&sdata=3bACVP%2FFX8clVFz9ceyD%2BqaALbhgb4ztNLKW
> sUiRrhA%3D&reserved=0
> http://www.r/
> syslog.com%2Fprofessional-services%2F&data=05%7C01%7Cmichael.redbourne
> %40bulletproofsi.com%7C6d3e3a9017b24914e34408db941dc425%7C9a63d13853ea
> 411bbe8458b7e2570747%7C1%7C0%7C638266627792462949%7CUnknown%7CTWFpbGZs
> b3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D
> %7C3000%7C%7C%7C&sdata=DkvId4FXn751b%2BLjUXvSUIqy6Bd2WT6TpjaDQ75UiyQ%3
> D&reserved=0 What's up with rsyslog? Follow
> https://twit/
> ter.com%2Frgerhards&data=05%7C01%7Cmichael.redbourne%40bulletproofsi.c
> om%7C6d3e3a9017b24914e34408db941dc425%7C9a63d13853ea411bbe8458b7e25707
> 47%7C1%7C0%7C638266627792462949%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLj
> AwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&s
> data=ISQs47LiY%2FBY0TaAHGLzN0sti%2Bp%2BABPGMyJl7n5BTeI%3D&reserved=0
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: DTLS Support with rsyslog
That's an interesting request, I will put it as an issue on GitHub and
investigate it.
I have worked with DTLS already, but in another context. I think when done
right, it can be a huge benefit for securely sending syslog data over UDP when
it is OK that data can be lost.

Best regards,
Andre Lorbach
--
Adiscon GmbH
Mozartstr. 21
97950 Großrinderfeld, Germany
Ph. +49-9349-9298530
Geschäftsführer/President: Rainer Gerhards Reg.-Gericht Mannheim, HRB
560610
Ust.-IDNr.: DE 81 22 04 622
Web: www.adiscon.com - Mail: info@adiscon.com

> -----Original Message-----
> From: rsyslog <rsyslog-bounces@lists.adiscon.com> On Behalf Of
> Redbourne,Michael via rsyslog
> Sent: Thursday, 3 August 2023 11:58
> To: rsyslog@lists.adiscon.com
> Cc: Redbourne,Michael <michael.redbourne@bulletproofsi.com>
> Subject: [rsyslog] DTLS Support with rsyslog
>
> Hey folks,
>
> I know rsyslog is using gnutls (default) with a recommendation for openssl and
> has support for TLS-encrypted TCP connections. Does rsyslog support
> TLS-encrypted UDP connections (specifically, inbound)?
>
> Cheers,
> Mike