This is what I am using, but nothing shows in a tcpdump going to local on port 515 or
remote on port 514.

# In: 514/TCP (uses the same queue as UDP)
input(type="imtcp"
      address="10.1.2.3"
      port="514"
      ruleset="ruleset_eth0_514")

# In: 514/UDP (uses the same queue as TCP)
input(type="imudp"
      address="10.1.2.3"
      port="514"
      ruleset="ruleset_eth0_514")

# Queue: UDP-spoof to the local and also forward to remote rsyslog
ruleset(name="ruleset_eth0_514"
        queue.highwatermark 50000
        queue.fulldelaymark 20000
        queue.lowwatermark 2000
        queue.type="LinkedList") {
    call action.local.udp515
    call action.fwd.remotebox
    stop
}

# Fwd to localhost:udp/515
ruleset(name="action.local.udp515") {
    action(type="omudpspoof"
           name="omudpspoof.local515"
           target="127.0.0.1"
           port="515")
}

# Fwd to remotebox w/ compression and local disk queueing
ruleset(name="action.fwd.remotebox") {
    action(type="omfwd"
           name="omfwd.remotebox"
           queue.type="LinkedList"
           queue.filename="omfwd_remotebox"
           queue.size="10000"
           queue.maxdiskspace="2G"
           queue.saveonshutdown="on"
           action.resumeretrycount="-1"
           target="172.22.22.22"
           port="514"
           protocol="tcp"
           compression.mode="stream:always")
}

________________________________________
From: [email protected] [[email protected]] on
behalf of Dave Caplinger [[email protected]]
Sent: Thursday, October 01, 2015 2:09 PM
To: rsyslog-users
Subject: Re: [rsyslog] Complex forwarding and spoofing question
Looks like it's "queue.fulldelaymark" (and I presume "queue.lightdelaymark" may
be related, but there's no description at
http://www.rsyslog.com/doc/master/rainerscript/queue_parameters.html so I'm not
sure yet what it does...)
Thanks!
--
Dave Caplinger, Director, Technical Product Management | 402.361.3063 |
Solutionary — An NTT Group Security Company
> On Oct 1, 2015, at 4:03 PM, David Lang <[email protected]> wrote:
>
> There is a queue parameter that tells rsyslog that if the queue is larger
> than X, stop accepting inputs that can be delayed (like TCP) so that there is
> space left for a burst of traffic from inputs that can't be delayed (like UDP)
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
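
Added example (not part of the thread and not rsyslog code): RainerScript object parameters are written as name="value", and the Python sketch below flags anything inside a parameter list that is not, run over a constructed copy of the ruleset header posted above. The names lint, param_list and SAMPLE are illustrative assumptions.

```python
import re

# Constructed sample: copy of the ruleset header from the message above.
SAMPLE = '''# Queue: UDP-spoof to the local and also forward to remote rsyslog
ruleset(name="ruleset_eth0_514"
queue.highwatermark 50000
queue.fulldelaymark 20000
queue.lowwatermark 2000
queue.type="LinkedList") {
call action.local.udp515
stop
}
'''

OBJ_START = re.compile(r'\b(input|ruleset|action|module|global|template)\s*\(')
# One well-formed parameter: name="value" or name=["v1", "v2"]
PARAM = re.compile(r'[\w.]+\s*=\s*(?:"(?:[^"\\]|\\.)*"|\[[^\]]*\])')

def param_list(text, start):
    """Return the text from start up to the first ')' outside a quoted string."""
    in_str = False
    i = start
    while i < len(text):
        c = text[i]
        if in_str and c == '\\':
            i += 1                      # skip the escaped character
        elif c == '"':
            in_str = not in_str
        elif c == ')' and not in_str:
            return text[start:i]
        i += 1
    return text[start:]                 # unterminated object: check what is there

def lint(conf):
    """List (object type, fragment) for each line of a parameter list that
    is left over once every name="value" pair has been removed."""
    conf = re.sub(r'(?m)^[ \t]*#.*$', '', conf)   # drop full-line comments
    findings = []
    for m in OBJ_START.finditer(conf):
        leftover = PARAM.sub('', param_list(conf, m.end()))
        for line in leftover.splitlines():
            if line.strip():
                findings.append((m.group(1), line.strip()))
    return findings

if __name__ == "__main__":
    for obj, frag in lint(SAMPLE):
        print(f'{obj}(): not a name="value" pair: {frag}')
```

rsyslog's own configuration check, `rsyslogd -N1`, remains the authoritative test; this sketch only looks at parameter syntax.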