imtcp: TCP Syslog Input Module

Module Name:

imtcp

Author:

Rainer Gerhards <rgerhards@adiscon.com>

Purpose

Provides the ability to receive syslog messages via TCP. Encryption is natively provided by selecting the appropriate network stream driver and can also be provided by using stunnel (an alternative is the use the imgssapi module).

Notable Features

Configuration Parameters

Note

Parameter names are case-insensitive.

Module Parameters

AddtlFrameDelimiter

type

default

mandatory

obsolete legacy directive

integer

-1

no

$InputTCPServerAddtlFrameDelimiter

New in version 4.3.1.

This directive permits to specify an additional frame delimiter for Multiple receivers may be configured by specifying $InputTCPServerRun multiple times.

DisableLFDelimiter

type

default

mandatory

obsolete legacy directive

binary

off

no

$InputTCPServerDisableLFDelimiter

Industry-standard plain text tcp syslog uses the LF to delimit syslog frames. However, some users brought up the case that it may be useful to define a different delimiter and totally disable LF as a delimiter (the use case named were multi-line messages). This mode is non-standard and will probably come with a lot of problems. However, as there is need for it and it is relatively easy to support, we do so. Be sure to turn this setting to “on” only if you exactly know what you are doing. You may run into all sorts of troubles, so be prepared to wrangle with that!

MaxFrameSize

type

default

mandatory

obsolete legacy directive

integer

200000

no

none

When in octet counted mode, the frame size is given at the beginning of the message. With this parameter the max size this frame can have is specified and when the frame gets to large the mode is switched to octet stuffing. The max value this parameter can have was specified because otherwise the integer could become negative and this would result in a Segmentation Fault. (Max Value = 200000000)

NotifyOnConnectionOpen

type

default

mandatory

obsolete legacy directive

binary

off

no

Instructs imtcp to emit a message if the remote peer closes a connection.

NotifyOnConnectionOpen

type

default

mandatory

obsolete legacy directive

binary

off

no

none

Instructs imtcp to emit a message if the remote peer opens a connection.

NotifyOnConnectionClose

type

default

mandatory

obsolete legacy directive

binary

off

no

$InputTCPServerNotifyOnConnectionClose

Instructs imtcp to emit a message if the remote peer closes a connection.

KeepAlive

type

default

mandatory

obsolete legacy directive

binary

off

no

$InputTCPServerKeepAlive

Enable or disable keep-alive packets at the tcp socket layer. The default is to disable them.

KeepAlive.Probes

type

default

mandatory

obsolete legacy directive

integer

0

no

$InputTCPServerKeepAlive_probes

The number of unacknowledged probes to send before considering the connection dead and notifying the application layer. The default, 0, means that the operating system defaults are used. This has only effect if keep-alive is enabled. The functionality may not be available on all platforms.

KeepAlive.Time

type

default

mandatory

obsolete legacy directive

integer

0

no

$InputTCPServerKeepAlive_time

The interval between the last data packet sent (simple ACKs are not considered data) and the first keepalive probe; after the connection is marked to need keepalive, this counter is not used any further. The default, 0, means that the operating system defaults are used. This has only effect if keep-alive is enabled. The functionality may not be available on all platforms.

KeepAlive.Interval

type

default

mandatory

obsolete legacy directive

integer

0

no

New in version 8.2106.0.

The interval for keep alive packets.

FlowControl

type

default

mandatory

obsolete legacy directive

binary

on

no

$InputTCPFlowControl

This setting specifies whether some message flow control shall be exercised on the related TCP input. If set to on, messages are handled as “light delayable”, which means the sender is throttled a bit when the queue becomes near-full. This is done in order to preserve some queue space for inputs that can not throttle (like UDP), but it may have some undesired effect in some configurations. Still, we consider this as a useful setting and thus it is the default. To turn the handling off, simply configure that explicitly.

MaxListeners

type

default

mandatory

obsolete legacy directive

integer

20

no

$InputTCPMaxListeners

Sets the maximum number of listeners (server ports) supported. This must be set before the first $InputTCPServerRun directive.

MaxSessions

type

default

mandatory

obsolete legacy directive

integer

200

no

$InputTCPMaxSessions

Sets the maximum number of sessions supported. This must be set before the first $InputTCPServerRun directive.

StreamDriver.Name

type

default

mandatory

obsolete legacy directive

string

none

no

none

Selects network stream driver for all inputs using this module.

StreamDriver.Mode

type

default

mandatory

obsolete legacy directive

integer

0

no

$InputTCPServerStreamDriverMode

Sets the driver mode for the currently selected network stream driver. <number> is driver specific.

StreamDriver.AuthMode

type

default

mandatory

obsolete legacy directive

string

none

no

$InputTCPServerStreamDriverAuthMode

Sets stream driver authentication mode. Possible values and meaning depend on the network stream driver. used.

StreamDriver.PermitExpiredCerts

type

default

mandatory

obsolete legacy directive

string

warn

no

none

Controls how expired certificates will be handled when stream driver is in TLS mode. It can have one of the following values:

  • on = Expired certificates are allowed

  • off = Expired certificates are not allowed (Default, changed from warn to off since Version 8.2012.0)

  • warn = Expired certificates are allowed but warning will be logged

StreamDriver.CheckExtendedKeyPurpose

type

default

mandatory

obsolete legacy directive

binary

off

no

none

Whether to check also purpose value in extended fields part of certificate for compatibility with rsyslog operation. (driver-specific)

StreamDriver.PrioritizeSAN

type

default

mandatory

obsolete legacy directive

binary

off

no

none

Whether to use stricter SAN/CN matching. (driver-specific)

StreamDriver.TlsVerifyDepth

type

default

mandatory

obsolete legacy directive

integer

TLS library default

no

none

Specifies the allowed maximum depth for the certificate chain verification. Support added in v8.2001.0, supported by GTLS and OpenSSL driver. If not set, the API default will be used. For OpenSSL, the default is 100 - see the doc for more: https://www.openssl.org/docs/man1.1.1/man3/SSL_set_verify_depth.html For GnuTLS, the default is 5 - see the doc for more: https://www.gnutls.org/manual/gnutls.html

PermittedPeer

type

default

mandatory

obsolete legacy directive

array

none

no

$InputTCPServerStreamDriverPermittedPeer

Sets permitted peer IDs. Only these peers are able to connect to the listener. <id-string> semantics depend on the currently selected AuthMode and network stream driver. PermittedPeer may not be set in anonymous modes. PermittedPeer may be set either to a single peer or an array of peers either of type IP or name, depending on the tls certificate.

Single peer: PermittedPeer=”127.0.0.1”

Array of peers: PermittedPeer=[“test1.example.net”,”10.1.2.3”,”test2.example.net”,”…”]

DiscardTruncatedMsg

Normally when a message is truncated in octet stuffing mode the part that is cut off is processed as the next message. When this parameter is activated, the part that is cut off after a truncation is discarded and not processed.

type

default

mandatory

obsolete legacy directive

binary

off

no

none

gnutlsPriorityString

The “gnutls priority string” parameter in rsyslog offers enhanced customization for secure communications, allowing detailed configuration of TLS driver properties. This includes specifying handshake algorithms and other settings for GnuTLS, as well as implementing OpenSSL configuration commands. Initially developed for GnuTLS, the “gnutls priority string” has evolved since version v8.1905.0 to also support OpenSSL, broadening its application and utility in network security configurations. This update signifies a key advancement in rsyslog’s capabilities, making the “gnutls priority string” an essential feature for advanced TLS configuration.

type

default

mandatory

obsolete legacy directive

string

none

no

none

New in version 8.29.0.

Configuring Driver-Specific Properties

This configuration string is used to set properties specific to different drivers. Originally designed for the GnuTLS driver, it has been extended to support OpenSSL configuration commands from version v8.1905.0 onwards.

GNUTLS Configuration

In GNUTLS, this setting determines the handshake algorithms and options for the TLS session. It’s designed to allow user overrides of the library’s default settings. If you leave this parameter unset (NULL), the system will revert to the default settings. For more detailed information on priority strings in GNUTLS, you can refer to the GnuTLS Priority Strings Documentation available at [GnuTLS Website](https://gnutls.org/manual/html_node/Priority-Strings.html).

OpenSSL Configuration

This feature is compatible with OpenSSL Version 1.0.2 and above. It enables the passing of configuration commands to the OpenSSL library. You can find a comprehensive list of commands and their acceptable values in the OpenSSL Documentation, accessible at [OpenSSL Documentation](https://www.openssl.org/docs/man1.0.2/man3/SSL_CONF_cmd.html).

General Configuration Guidelines

The configuration can be formatted as a single line or across multiple lines. Each command within the configuration is separated by a linefeed (n). To differentiate between a command and its corresponding value, use an equal sign (=). Below are some examples to guide you in formatting these commands.

Example 1

This will allow all protocols except for SSLv2 and SSLv3:

gnutlsPriorityString="Protocol=ALL,-SSLv2,-SSLv3"

Example 2

This will allow all protocols except for SSLv2, SSLv3 and TLSv1. It will also set the minimum protocol to TLSv1.2

gnutlsPriorityString="Protocol=ALL,-SSLv2,-SSLv3,-TLSv1
MinProtocol=TLSv1.2"

PreserveCase

type

default

mandatory

obsolete legacy directive

boolean

on

no

none

New in version 8.37.0.

This parameter is for controlling the case in fromhost. If preservecase is set to “off”, the case in fromhost is not preserved. E.g., ‘host1.example.org’ the message was received from ‘Host1.Example.Org’. Default to “on” for the backword compatibility.

Input Parameters

Port

type

default

mandatory

obsolete legacy directive

string

none

yes

$InputTCPServerRun

Starts a TCP server on selected port. If port zero is selected, the OS automatically assigens a free port. Use listenPortFileName in this case to obtain the information of which port was assigned.

ListenPortFileName

type

default

mandatory

obsolete legacy directive

string

none

no

none

This parameter specifies a file name into which the port number this input listens on is written. It is primarily intended for cases when port is set to 0 to let the OS automatically assign a free port number.

Address

type

default

mandatory

obsolete legacy directive

string

none

no

none

On multi-homed machines, specifies to which local address the listener should be bound.

Name

type

default

mandatory

obsolete legacy directive

string

imtcp

no

$InputTCPServerInputName

Sets a name for the inputname property. If no name is set “imtcp” is used by default. Setting a name is not strictly necessary, but can be useful to apply filtering based on which input the message was received from.

Ruleset

type

default

mandatory

obsolete legacy directive

string

none

no

$InputTCPServerBindRuleset

Binds the listener to a specific ruleset.

SupportOctetCountedFraming

type

default

mandatory

obsolete legacy directive

binary

on

no

$InputTCPServerSupportOctetCountedFraming

If set to “on”, the legacy octed-counted framing (similar to RFC5425 framing) is activated. This should be left unchanged until you know very well what you do. It may be useful to turn it off, if you know this framing is not used and some senders emit multi-line messages into the message stream.

RateLimit.Interval

type

default

mandatory

obsolete legacy directive

integer

0

no

none

Specifies the rate-limiting interval in seconds. Default value is 0, which turns off rate limiting. Set it to a number of seconds (5 recommended) to activate rate-limiting.

RateLimit.Burst

type

default

mandatory

obsolete legacy directive

integer

10000

no

none

Specifies the rate-limiting burst in number of messages. Default is 10,000.

listenPortFileName

type

default

mandatory

obsolete legacy directive

string

none

no

none

New in version 8.38.0.

With this parameter you can specify the name for a file. In this file the port, imtcp is connected to, will be written. This parameter was introduced because the testbench works with dynamic ports.

Note

If this parameter is set, 0 will be accepted as the port. Otherwise it is automatically changed to port 514

StreamDriver.Name

type

default

mandatory

obsolete legacy directive

string

module parameter

no

none

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

StreamDriver.Mode

type

default

mandatory

obsolete legacy directive

integer

module parameter

no

$InputTCPServerStreamDriverMode

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

StreamDriver.AuthMode

type

default

mandatory

obsolete legacy directive

string

module parameter

no

$InputTCPServerStreamDriverAuthMode

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

StreamDriver.PermitExpiredCerts

type

default

mandatory

obsolete legacy directive

string

module parameter

no

none

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

StreamDriver.CheckExtendedKeyPurpose

type

default

mandatory

obsolete legacy directive

binary

module parameter

no

none

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

StreamDriver.PrioritizeSAN

type

default

mandatory

obsolete legacy directive

binary

module parameter

no

none

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

StreamDriver.TlsVerifyDepth

type

default

mandatory

obsolete legacy directive

integer

module parameter

no

none

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

streamDriver.CAFile

type

default

mandatory

obsolete legacy directive

string

global parameter

no

none

New in version 8.2108.0.

This permits to override the DefaultNetstreamDriverCAFile global parameter on the input() level. For further details, see the global parameter.

streamDriver.CRLFile

type

default

optional

obsolete legacy directive

string

global parameter

no

none

New in version 8.2308.0.

This permits to override the CRL (Certificate revocation list) file set via global() config object at the per-action basis. This parameter is ignored if the netstream driver and/or its mode does not need or support certificates.

streamDriver.KeyFile

type

default

mandatory

obsolete legacy directive

string

global parameter

no

none

New in version 8.2108.0.

This permits to override the DefaultNetstreamDriverKeyFile global parameter on the input() level. For further details, see the global parameter.

streamDriver.CertFile

type

default

mandatory

obsolete legacy directive

string

global parameter

no

none

New in version 8.2108.0.

This permits to override the DefaultNetstreamDriverCertFile global parameter on the input() level. For further details, see the global parameter.

PermittedPeer

type

default

mandatory

obsolete legacy directive

array

none

no

equally-named module parameter

New in version 8.2112.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

gnutlsPriorityString

type

default

mandatory

obsolete legacy directive

string

module parameter

no

none

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

MaxSessions

type

default

mandatory

obsolete legacy directive

integer

module parameter

no

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

MaxListeners

type

default

mandatory

obsolete legacy directive

integer

module parameter

no

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

FlowControl

type

default

mandatory

obsolete legacy directive

binary

module parameter

no

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

DisableLFDelimiter

type

default

mandatory

obsolete legacy directive

binary

module parameter

no

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

DiscardTruncatedMsg

type

default

mandatory

obsolete legacy directive

binary

module parameter

no

none

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

NotifyOnConnectionClose

type

default

mandatory

obsolete legacy directive

binary

module parameter

no

none

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

AddtlFrameDelimiter

type

default

mandatory

obsolete legacy directive

integer

module parameter

no

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

MaxFrameSize

type

default

mandatory

obsolete legacy directive

integer

module parameter

no

none

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

PreserveCase

type

default

mandatory

obsolete legacy directive

boolean

module parameter

no

none

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

KeepAlive

type

default

mandatory

obsolete legacy directive

binary

module parameter

no

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

KeepAlive.Probes

type

default

mandatory

obsolete legacy directive

integer

module parameter

no

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

KeepAlive.Time

type

default

mandatory

obsolete legacy directive

integer

module parameter

no

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

KeepAlive.Interval

type

default

mandatory

obsolete legacy directive

integer

module parameter

no

New in version 8.2106.0.

This permits to override the equally-named module parameter on the input() level. For further details, see the module parameter.

Statistic Counter

This plugin maintains statistics for each listener. The statistic is named after the given input name (or “imtcp” if none is configured), followed by the listener port in parenthesis. For example, the counter for a listener on port 514 with no set name is called “imtcp(514)”.

The following properties are maintained for each listener:

  • submitted - total number of messages submitted for processing since startup

Caveats/Known Bugs

  • module always binds to all interfaces

  • can not be loaded together with imgssapi (which includes the functionality of imtcp)

Examples

Example 1

This sets up a TCP server on port 514 and permits it to accept up to 500 connections:

module(load="imtcp" MaxSessions="500")
input(type="imtcp" port="514")

Note that the global parameters (here: max sessions) need to be set when the module is loaded. Otherwise, the parameters will not apply.

Additional Resources

See also

Help with configuring/using Rsyslog:

See also

Contributing to Rsyslog:

Copyright 2008-2023 Rainer Gerhards (Großrinderfeld), and Others.