rsyslog

High-performance log ingestion and ETL engine

rsyslog

High-performance log ingestion and ETL engine

Docs moved to new Domain

Rainer GerhardsNews

We have today moved the rsyslog official documentation to https://docs.rsyslog.com/doc instead of our long-standing location directly on www.rsyslog.com/doc. All existing links will be properly redirected. The goal is to keep the all-important doc set on its own resource, which helps with scaling and ensuring availability of the documentation.

This move was considered for quite a while and has its pros and cons. The ultimate reason we are doing it, and doing it now is a cyberattack against rsyslog.com which began four days ago. While we mitigated it quickly, it led to unavailability of the doc for around one hour. That made us finally make the decision to move doc to a dedicated system, which we can make more robust than the full featured site with it’s dynamic content.

About the Attack

The attack is a pretty sophisticated layer 7 DDoS attack, including slowloris and others and looks at least somewhat targeted at the rsyslog.com site structure. While we have mitigated it, it is still going on, albeit at a lower magnitude. This does not cause any stress and we have specific alerting and reset instrumentation currently running in our system.

One thing that facilitated it was that, in order to keep some very, very seldom-used dynamic capabilities, we did some general, lightly compute-intense processing on the html files for doc.

Why a separate domain component?

While we are flexible, the current system requires somewhat elevated effort for full hardening. An easy way would be to use cloudflare, but for reasons we are not yet ready to move that way.

As such, the cleanest approach is make the doc its own entity, which we can scale, harden, geographically mirror and guard as we like. This also gives us the flexibility to change what we do without touching systems that are harder to move. Remember: we like sovereignty as a tool to have freedom of choice (vs. excluding options).

Right now, the doc resides on GitHub pages – an easy choice and was quick to set up. Also, GitHub as L7 guards in place and a responsive team. We are evaluating how we can add more mirrors to the system. Now that it is detangled from the main site, this is much easier.

So, all in all, the attacker helped us make better decision and even consider some interesting other alternatives.

Scroll to top