TwitterFacebookGoogle

imrelp: RELP Input Module

Module Name:imrelp
Author:Rainer Gerhards <rgerhards@adiscon.com>

Purpose

Provides the ability to receive syslog messages via the reliable RELP protocol. This module requires librelp to be present on the system. From the user’s point of view, imrelp works much like imtcp or imgssapi, except that no message loss can occur. Please note that with the currently supported relp protocol version, a minor message duplication may occur if a network connection between the relp client and relp server breaks after the client could successfully send some messages but the server could not acknowledge them. The window of opportunity is very slim, but in theory this is possible. Future versions of RELP will prevent this. Please also note that rsyslogd may lose a few messages if rsyslog is shutdown while a network connection to the server is broken and could not yet be recovered. Future version of RELP support in rsyslog will prevent that. Please note that both scenarios also exists with plain tcp syslog. RELP, even with the small nits outlined above, is a much more reliable solution than plain tcp syslog and so it is highly suggested to use RELP instead of plain tcp. Clients send messages to the RELP server via omrelp.

Notable Features

Configuration Parameters

Note

Parameter names are case-insensitive.

Module Parameters

Ruleset

typedefaultmandatoryobsolete legacy directive
wordnoneno$InputRELPServerBindRuleset

New in version 7.5.0.

Binds the specified ruleset to all RELP listeners. This can be overridden at the instance level.

tls.tlslib

typedefaultmandatoryobsolete legacy directive
wordnonenonone

New in version 8.1903.0.

Permits to specify the TLS library used by librelp. All relp protocol operations or actually performed by librelp and not rsyslog itself. This value specified is directly passed down to librelp. Depending on librelp version and build parameters, supported tls libraries differ (or TLS may not be supported at all). In this case rsyslog emits an error message.

Usually, the following options should be available: “openssl”, “gnutls”.

Note that “gnutls” is the current default for historic reasons. We actually recommend to use “openssl”. It provides better error messages and accepts a wider range of certificate types.

If you have problems with the default setting, we recommend to switch to “openssl”.

Input Parameters

Port

typedefaultmandatoryobsolete legacy directive
stringnoneyes$InputRELPServerRun

Starts a RELP server on selected port

Address

typedefaultmandatoryobsolete legacy directive
stringnonenonone

Bind the RELP server to that address. If not specified, the server will be bound to the wildcard address.

Name

typedefaultmandatoryobsolete legacy directive
stringimrelpnonone

Ruleset

typedefaultmandatoryobsolete legacy directive
stringnonenonone

Binds specified ruleset to this listener. This overrides the module-level Ruleset parameter.

MaxDataSize

typedefaultmandatoryobsolete legacy directive
size_nbrglobal(maxMessageSize)nonone

Sets the max message size (in bytes) that can be received. Messages that are too long are handled as specified in parameter oversizeMode. Note that maxDataSize cannot be smaller than the global parameter maxMessageSize.

TLS

typedefaultmandatoryobsolete legacy directive
binaryoffnonone

If set to “on”, the RELP connection will be encrypted by TLS, so that the data is protected against observers. Please note that both the client and the server must have set TLS to either “on” or “off”. Other combinations lead to unpredictable results.

Attention when using GnuTLS 2.10.x or older

Versions older than GnuTLS 2.10.x may cause a crash (Segfault) under certain circumstances. Most likely when an imrelp inputs and an omrelp output is configured. The crash may happen when you are receiving/sending messages at the same time. Upgrade to a newer version like GnuTLS 2.12.21 to solve the problem.

TLS.Compression

typedefaultmandatoryobsolete legacy directive
binaryoffnonone

The controls if the TLS stream should be compressed (zipped). While this increases CPU use, the network bandwidth should be reduced. Note that typical text-based log records usually compress rather well.

TLS.dhbits

typedefaultmandatoryobsolete legacy directive
integer0nonone

This setting controls how many bits are used for Diffie-Hellman key generation. If not set, the librelp default is used. For security reasons, at least 1024 bits should be used. Please note that the number of bits must be supported by GnuTLS. If an invalid number is given, rsyslog will report an error when the listener is started. We do this to be transparent to changes/upgrades in GnuTLS (to check at config processing time, we would need to hardcode the supported bits and keep them in sync with GnuTLS - this is even impossible when custom GnuTLS changes are made…).

TLS.PermittedPeer

typedefaultmandatoryobsolete legacy directive
arraynonenonone

Peer places access restrictions on this listener. Only peers which have been listed in this parameter may connect. The validation bases on the certificate the remote peer presents.

The peer parameter lists permitted certificate fingerprints. Note that it is an array parameter, so either a single or multiple fingerprints can be listed. When a non-permitted peer connects, the refusal is logged together with it’s fingerprint. So if the administrator knows this was a valid request, he can simple add the fingerprint by copy and paste from the logfile to rsyslog.conf.

To specify multiple fingerprints, just enclose them in braces like this:

tls.permittedPeer=["SHA1:...1", "SHA1:....2"]

To specify just a single peer, you can either specify the string directly or enclose it in braces. You may also use wildcards to match a larger number of permitted peers, e.g. *.example.com.

When using wildcards to match larger number of permitted peers, please know that the implementation is similar to Syslog RFC5425 which means: This wildcard matches any left-most DNS label in the server name. That is, the subject *.example.com matches the server names a.example.com and b.example.com, but does not match example.com or a.b.example.com.

TLS.AuthMode

typedefaultmandatoryobsolete legacy directive
stringnonenonone

Sets the mode used for mutual authentication.

Supported values are either “fingerprint” or “name”.

Fingerprint mode basically is what SSH does. It does not require a full PKI to be present, instead self-signed certs can be used on all peers. Even if a CA certificate is given, the validity of the peer cert is NOT verified against it. Only the certificate fingerprint counts.

In “name” mode, certificate validation happens. Here, the matching is done against the certificate’s subjectAltName and, as a fallback, the subject common name. If the certificate contains multiple names, a match on any one of these names is considered good and permits the peer to talk to rsyslog.

TLS.CaCert

typedefaultmandatoryobsolete legacy directive
stringnonenonone

The CA certificate that is being used to verify the client certificates. Has to be configured if TLS.AuthMode is set to “fingerprint” or “name”.

TLS.MyCert

typedefaultmandatoryobsolete legacy directive
stringnonenonone

The machine certificate that is being used for TLS communication.

TLS.MyPrivKey

typedefaultmandatoryobsolete legacy directive
stringnonenonone

The machine private key for the configured TLS.MyCert.

TLS.PriorityString

typedefaultmandatoryobsolete legacy directive
stringnonenonone

This parameter permits to specify the so-called “priority string” to GnuTLS. This string gives complete control over all crypto parameters, including compression setting. For this reason, when the prioritystring is specified, the “tls.compression” parameter has no effect and is ignored.

Full information about how to construct a priority string can be found in the GnuTLS manual. At the time of this writing, this information was contained in section 6.10 of the GnuTLS manual.

Note: this is an expert parameter. Do not use if you do not exactly know what you are doing.

KeepAlive

typedefaultmandatoryobsolete legacy directive
binaryoffnonone

Enable of disable keep-alive packets at the tcp socket layer. The default is to disable them.

KeepAlive.Probes

typedefaultmandatoryobsolete legacy directive
integer0nonone

The number of unacknowledged probes to send before considering the connection dead and notifying the application layer. The default, 0, means that the operating system defaults are used. This has only effect if keep-alive is enabled. The functionality may not be available on all platforms.

KeepAlive.Interval

typedefaultmandatoryobsolete legacy directive
integer0nonone

The interval between subsequent keepalive probes, regardless of what the connection has exchanged in the meantime. The default, 0, means that the operating system defaults are used. This has only effect if keep-alive is enabled. The functionality may not be available on all platforms.

KeepAlive.Time

typedefaultmandatoryobsolete legacy directive
integer0nonone

The interval between the last data packet sent (simple ACKs are not considered data) and the first keepalive probe; after the connection is marked to need keepalive, this counter is not used any further. The default, 0, means that the operating system defaults are used. This has only effect if keep-alive is enabled. The functionality may not be available on all platforms.

oversizeMode

typedefaultmandatoryobsolete legacy directive
stringtruncatenonone

New in version 8.35.0.

This parameter specifies how messages that are too long will be handled. For this parameter the length of the parameter maxDataSize is used.

  • truncate: Messages will be truncated at the maximal message size.
  • abort: This is the behaviour until version 8.35.0. Upon receiving a message that is too long imrelp will abort.
  • accept: Messages will be accepted even if they are too long and an error message will be put out. Using this option will bring some risks with it.

flowControl

typedefaultmandatoryobsolete legacy directive
stringlightnonone

New in version 8.1911.0.

This parameter permits to fine-tune the flowControl parameter. Possible values are “no”, “light”, and “full”. With “light” being the default and previously only value.

Changing the flow control setting may be useful for some rare applications, but be sure to know exactly what you are doing when changing this setting. Most importantly, rsyslog as whole may block and become unresponsive if you change flowcontrol to “full”. While this may be a desired effect when intentionally trying to make it most unlikely that rsyslog needs to lose/discard messages, usually this is not what you want.

General rule of thumb: if you do not fully understand what this decription here talks about, leave the paramter at default value.

This part of the documentation is intentionally brief, as one needs to have deep understanding of rsyslog to evaluate usage of this parameter. If someone has the insight, the meaning of this parameter is crystal-clear. If not, that someone will most likely make the wrong decision when changing this parameter away from the default value.

Statistic Counter

This plugin maintains statistics for each listener. The statistic by default is named “imrelp” , followed by the listener port in parenthesis. For example, the counter for a listener on port 514 is called “imprelp(514)”. If the input is given a name, that input name is used instead of “imrelp”. This counter is available starting rsyslog 7.5.1

The following properties are maintained for each listener:

  • submitted - total number of messages submitted for processing since startup

Caveats/Known Bugs

  • see description
  • To obtain the remote system’s IP address, you need to have at least librelp 1.0.0 installed. Versions below it return the hostname instead of the IP address.

Examples

Example 1

This sets up a RELP server on port 2514 with a max message size of 10,000 bytes.

module(load="imrelp") # needs to be done just once
input(type="imrelp" port="2514" maxDataSize="10k")

Receive RELP traffic via TLS

This receives RELP traffic via tls using the recommended “openssl” library. Except for encryption support the scenario is the same as in Example 1.

Certificate files must exist at configured locations. Note that authmode “certvalid” is not very strong - you may want to use a different one for actual deployments. For details, see parameter descriptions.

module(load="imrelp" tls.tlslib="openssl")
input(type="imrelp" port="2514" maxDataSize="10k"
             tls="on"
             tls.cacert="/tls-certs/ca.pem"
             tls.mycert="/tls-certs/cert.pem"
             tls.myprivkey="/tls-certs/key.pem"
             tls.authmode="certvalid"
             tls.permittedpeer="rsyslog")

See also

Help with configuring/using Rsyslog:

  • Mailing list - best route for general questions
  • GitHub: rsyslog source project - detailed questions, reporting issues that are believed to be bugs with Rsyslog
  • Stack Exchange (View, Ask) - experimental support from rsyslog community

See also

Contributing to Rsyslog:

© 2008-2019, `Rainer Gerhards and Others. This site uses the “better” theme for Sphinx.