imtcp: TCP Syslog Input Module¶
|Author:||Rainer Gerhards <email@example.com>|
Provides the ability to receive syslog messages via TCP. Encryption is natively provided by selecting the appropriate network stream driver and can also be provided by using stunnel (an alternative is the use the imgssapi module).
Parameter names are case-insensitive.
New in version 4.3.1.
This directive permits to specify an additional frame delimiter for Multiple receivers may be configured by specifying $InputTCPServerRun multiple times.
Industry-standard plain text tcp syslog uses the LF to delimit syslog frames. However, some users brought up the case that it may be useful to define a different delimiter and totally disable LF as a delimiter (the use case named were multi-line messages). This mode is non-standard and will probably come with a lot of problems. However, as there is need for it and it is relatively easy to support, we do so. Be sure to turn this setting to “on” only if you exactly know what you are doing. You may run into all sorts of troubles, so be prepared to wrangle with that!
When in octet counted mode, the frame size is given at the beginning of the message. With this parameter the max size this frame can have is specified and when the frame gets to large the mode is switched to octet stuffing. The max value this parameter can have was specified because otherwise the integer could become negative and this would result in a Segmentation Fault. (Max Value = 200000000)
Instructs imtcp to emit a message if the remote peer closes a connection.
Important: This directive is global to all listeners and must be given right after loading imtcp, otherwise it may have no effect.
Enable of disable keep-alive packets at the tcp socket layer. The default is to disable them.
The number of unacknowledged probes to send before considering the connection dead and notifying the application layer. The default, 0, means that the operating system defaults are used. This has only effect if keep-alive is enabled. The functionality may not be available on all platforms.
The interval between the last data packet sent (simple ACKs are not considered data) and the first keepalive probe; after the connection is marked to need keepalive, this counter is not used any further. The default, 0, means that the operating system defaults are used. This has only effect if keep-alive is enabled. The functionality may not be available on all platforms.
This setting specifies whether some message flow control shall be exercised on the related TCP input. If set to on, messages are handled as “light delayable”, which means the sender is throttled a bit when the queue becomes near-full. This is done in order to preserve some queue space for inputs that can not throttle (like UDP), but it may have some undesired effect in some configurations. Still, we consider this as a useful setting and thus it is the default. To turn the handling off, simply configure that explicitly.
Sets the maximum number of listeners (server ports) supported. This must be set before the first $InputTCPServerRun directive.
Sets the maximum number of sessions supported. This must be set before the first $InputTCPServerRun directive.
Selects network stream driver for all inputs using this module.
Sets the driver mode for the currently selected network stream driver. <number> is driver specific.
Sets permitted peer IDs. Only these peers are able to connect to the listener. <id-string> semantics depend on the currently selected AuthMode and network stream driver. PermittedPeers may not be set in anonymous modes.
Controls how expired certificates will be handled when stream driver is in TLS mode. It can have one of the following values:
- on = Expired certificates are allowed
- off = Expired certificates are not allowed
- warn = Expired certificates are allowed but warning will be logged (Default due legacy support)
Whether to check also purpose value in extended fields part of certificate for compatibility with rsyslog operation. (driver-specific)
Whether to use stricter SAN/CN matching. (driver-specific)
|integer||TLS library default||no||none|
Specifies the allowed maximum depth for the certificate chain verification. Support added in v8.2001.0, supported by GTLS and OpenSSL driver. If not set, the API default will be used. For OpenSSL, the default is 100 - see the doc for more: https://www.openssl.org/docs/man1.1.1/man3/SSL_set_verify_depth.html For GnuTLS, the default is 5 - see the doc for more: https://www.gnutls.org/manual/gnutls.html
Sets permitted peer IDs. Only these peers are able to connect to the listener. <id-string> semantics depend on the currently selected AuthMode and network stream driver. PermittedPeer may not be set in anonymous modes. PermittedPeer may be set either to a single peer or an array of peers either of type IP or name, depending on the tls certificate.
Single peer: PermittedPeer=”127.0.0.1”
Array of peers: PermittedPeer=[“test1.example.net”,”10.1.2.3”,”test2.example.net”,”…”]
Normally when a message is truncated in octet stuffing mode the part that is cut off is processed as the next message. When this parameter is activated, the part that is cut off after a truncation is discarded and not processed.
New in version 8.29.0.
This strings setting is used to configure driver specific properties. Historically, the setting was only meant for gnutls driver. However with version v8.1905.0 and higher, the setting can also be used to set openssl configuration commands.
For GNUTls, the setting specifies the TLS session’s handshake algorithms and options. These strings are intended as a user-specified override of the library defaults. If this parameter is NULL, the default settings are used. More information about priority Strings here
For OpenSSL, the setting can be used to pass configuration commands to openssl libray. OpenSSL Version 1.0.2 or higher is required for this feature. A list of possible commands and their valid values can be found in the documentation: https://www.openssl.org/docs/man1.0.2/man3/SSL_CONF_cmd.html
The setting can be single or multiline, each configuration command is separated by linefeed (n). Command and value are separated by equal sign (=). Here are a few samples:
This will allow all protocols except for SSLv2 and SSLv3:
This will allow all protocols except for SSLv2, SSLv3 and TLSv1. It will also set the minimum protocol to TLSv1.2
New in version 8.37.0.
This parameter is for controlling the case in fromhost. If preservecase is set to “off”, the case in fromhost is not preserved. E.g., ‘host1.example.org’ the message was received from ‘Host1.Example.Org’. Default to “on” for the backword compatibility.
Starts a TCP server on selected port. If port zero is selected, the OS automatically assigens a free port. Use listenPortFileName in this case to obtain the information of which port was assigned.
This parameter specifies a file name into which the port number this input listens on is written. It is primarily intended for cases when port is set to 0 to let the OS automatically assign a free port number.
On multi-homed machines, specifies to which local address the listener should be bound.
Sets a name for the inputname property. If no name is set “imtcp” is used by default. Setting a name is not strictly necessary, but can be useful to apply filtering based on which input the message was received from.
Binds the listener to a specific ruleset.
If set to “on”, the legacy octed-counted framing (similar to RFC5425 framing) is activated. This should be left unchanged until you know very well what you do. It may be useful to turn it off, if you know this framing is not used and some senders emit multi-line messages into the message stream.
Specifies the rate-limiting interval in seconds. Default value is 0, which turns off rate limiting. Set it to a number of seconds (5 recommended) to activate rate-limiting.
Specifies the rate-limiting burst in number of messages. Default is 10,000.
New in version 8.38.0.
With this parameter you can specify the name for a file. In this file the port, imtcp is connected to, will be written. This parameter was introduced because the testbench works with dynamic ports.
If this parameter is set, 0 will be accepted as the port. Otherwise it is automatically changed to port 514
This plugin maintains statistics for each listener. The statistic is named after the given input name (or “imtcp” if none is configured), followed by the listener port in parenthesis. For example, the counter for a listener on port 514 with no set name is called “imtcp(514)”.
The following properties are maintained for each listener:
- submitted - total number of messages submitted for processing since startup
- module always binds to all interfaces
- can not be loaded together with imgssapi (which includes the functionality of imtcp)
This sets up a TCP server on port 514 and permits it to accept up to 500 connections:
module(load="imtcp" MaxSessions="500") input(type="imtcp" port="514")
Note that the global parameters (here: max sessions) need to be set when the module is loaded. Otherwise, the parameters will not apply.
- rsyslog video tutorial on how to store remote messages in a separate file (for legacy syntax, but you get the idea).
Help with configuring/using