<div dir="auto">I am on a family trip this week, so I can't look into this now. Sorry.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Feb 23, 2023, 09:40 Dragan Zecevic <<a href="mailto:dragan.zecevic@live.com">dragan.zecevic@live.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div>
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div id="m_8514148758271801352Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Hi again,</div>
<div id="m_8514148758271801352Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Does somebody have an idea on this?</div>
<div id="m_8514148758271801352Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div id="m_8514148758271801352Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Thank you.</div>
<div id="m_8514148758271801352Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<br>
</div>
<div id="m_8514148758271801352Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Br,</div>
<div id="m_8514148758271801352Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
Dragan</div>
<div><br>
</div>
</div>
<div id="m_8514148758271801352appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="m_8514148758271801352divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng-bounces@lists.balabit.hu</a>> on behalf of Dragan Zecevic <<a href="mailto:dragan.zecevic@live.com" target="_blank" rel="noreferrer">dragan.zecevic@live.com</a>><br>
<b>Sent:</b> Tuesday, February 14, 2023 2:33 PM<br>
<b>To:</b> <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a> <<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> [syslog-ng] syslog-ng reset connection before data transfer</font>
<div> </div>
</div>
<div dir="ltr">
<div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
<div>Hi everybody,</div>
<div>I hope you are well.</div>
<div><br>
</div>
<div>I was hoping you could help me with an issue.</div>
<div>I am trying to collect logs from some servers via syslog.</div>
<div>TLS session seems to be established - handshake, certs, ciphers all looking ok.</div>
<div>But when data needs to be sent, it seems the syslog-ng server disconnects the session for some reason.</div>
<div><br>
</div>
<div>In /var/log/messages I can only see start/stop messages even after turning on verbose logging:</div>
<div><br>
</div>
<div>Feb 10 16:11:48 xxx syslog-ng[21262]: Syslog connection accepted; fd='175', client='AF_INET(x.y.w.z:34986)', local='AF_INET(0.0.0.0:xxx)'</div>
<div>Feb 10 16:11:49 xxx syslog-ng[21262]: Syslog connection closed; fd='175', client='AF_INET(x.y.w.z:34986)', local='AF_INET(0.0.0.0:xxx)'</div>
<div><br>
</div>
<div>This is the configuration I am using:</div>
<div><br>
</div>
<div>source s_xxx {</div>
<div> syslog(</div>
<div> ip(0.0.0.0)</div>
<div> port(xxx)</div>
<div> transport("tls")</div>
<div> tls(</div>
<div> key-file("/etc/syslog-ng/key.d/xxx.key")</div>
<div> cert-file("/etc/syslog-ng/cert.d/xxx.cer")</div>
<div> ca-dir("/etc/syslog-ng/ca.d")</div>
<div> peer-verify(required-trusted)</div>
<div> cipher-suite("xxx...xxx")</div>
<div> )</div>
<div> flags(store-raw-message)</div>
<div> );</div>
<div>};</div>
<div><br>
</div>
<div>filter filter_xxx {</div>
<div><br>
</div>
<div> host("xxx") ... or host("xxx");</div>
<div>};</div>
<div><br>
</div>
<div>destination folder_xxx {</div>
<div><br>
</div>
<div> file(</div>
<div> "/var/log/xxx/${R_YEAR}${R_MONTH}${R_DAY}/${SOURCEIP}_${HOST}_${R_HOUR}.log"</div>
<div> template("${RAWMSG}\n")</div>
<div> dir-group(xxx)</div>
<div> dir-perm(0650)</div>
<div> group(xxx)</div>
<div> );</div>
<div>};</div>
<div><br>
</div>
<div>log {</div>
<div> source(s_xxx); filter(filter_xxx); destination(folder_xxx); flags(flow-control);</div>
<div>};</div>
<div><br>
</div>
<div><br>
</div>
<div>And below is the last part of the session captured with tcpdump from the source side.</div>
<div>It is interesting to me that there is a 1h offset compared to /var/log/messages on syslog-ng. Src and dst servers are in the same environment.</div>
<div><br>
</div>
<div><br>
</div>
<div>24 2023-02-10 15:11:49,073335 x.y.w.z x.y.w.z TLSv1.2 445 Application Data</div>
<div>Frame 24: 445 bytes on wire (3560 bits), 445 bytes captured (3560 bits)</div>
<div> Encapsulation type: Ethernet (1)</div>
<div> Arrival Time: Feb 10, 2023 15:11:49.073335000 Central Europe Standard Time</div>
<div> [Time shift for this packet: 0.000000000 seconds]</div>
<div> Epoch Time: 1676038309.073335000 seconds</div>
<div> [Time delta from previous captured frame: 0.906559000 seconds]</div>
<div> [Time delta from previous displayed frame: 0.906559000 seconds]</div>
<div> [Time since reference or first frame: 6.775677000 seconds]</div>
<div> Frame Number: 24</div>
<div> Frame Length: 445 bytes (3560 bits)</div>
<div> Capture Length: 445 bytes (3560 bits)</div>
<div> [Frame is marked: False]</div>
<div> [Frame is ignored: False]</div>
<div> [Protocols in frame: eth:ethertype:ip:tcp:tls]</div>
<div> [Coloring Rule Name: TCP]</div>
<div> [Coloring Rule String: tcp]</div>
<div>Ethernet II, Src: xxx, Dst: xxx</div>
<div> Destination: xxx</div>
<div> Address: xxx</div>
<div> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)</div>
<div> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)</div>
<div> Source: xxx</div>
<div> Address: xxx</div>
<div> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)</div>
<div> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)</div>
<div> Type: IPv4 (0x0800)</div>
<div>Internet Protocol Version 4, Src: x.y.z.w, Dst: x.y.z.w</div>
<div> 0100 .... = Version: 4</div>
<div> .... 0101 = Header Length: 20 bytes (5)</div>
<div> Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)</div>
<div> 0000 00.. = Differentiated Services Codepoint: Default (0)</div>
<div> .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)</div>
<div> Total Length: 431</div>
<div> Identification: 0xeebc (61116)</div>
<div> 010. .... = Flags: 0x2, Don't fragment</div>
<div> 0... .... = Reserved bit: Not set</div>
<div> .1.. .... = Don't fragment: Set</div>
<div> ..0. .... = More fragments: Not set</div>
<div> ...0 0000 0000 0000 = Fragment Offset: 0</div>
<div> Time to Live: 64</div>
<div> Protocol: TCP (6)</div>
<div> Header Checksum: 0x0a89 [validation disabled]</div>
<div> [Header checksum status: Unverified]</div>
<div> Source Address: x.y.z.w</div>
<div> Destination Address: x.y.z.w</div>
<div>Transmission Control Protocol, Src Port: 34986, Dst Port: xxx, Seq: 2380, Ack: 5750, Len: 391</div>
<div> Source Port: 34986</div>
<div> Destination Port: xxx</div>
<div> [Stream index: 1]</div>
<div> [Conversation completeness: Complete, WITH_DATA (63)]</div>
<div> [TCP Segment Len: 391]</div>
<div> Sequence Number: 2380 (relative sequence number)</div>
<div> Sequence Number (raw): 2630184540</div>
<div> [Next Sequence Number: 2771 (relative sequence number)]</div>
<div> Acknowledgment Number: 5750 (relative ack number)</div>
<div> Acknowledgment number (raw): 2509794849</div>
<div> 0101 .... = Header Length: 20 bytes (5)</div>
<div> Flags: 0x018 (PSH, ACK)</div>
<div> 000. .... .... = Reserved: Not set</div>
<div> ...0 .... .... = Accurate ECN: Not set</div>
<div> .... 0... .... = Congestion Window Reduced: Not set</div>
<div> .... .0.. .... = ECN-Echo: Not set</div>
<div> .... ..0. .... = Urgent: Not set</div>
<div> .... ...1 .... = Acknowledgment: Set</div>
<div> .... .... 1... = Push: Set</div>
<div> .... .... .0.. = Reset: Not set</div>
<div> .... .... ..0. = Syn: Not set</div>
<div> .... .... ...0 = Fin: Not set</div>
<div> [TCP Flags: ·······AP···]</div>
<div> Window: 318</div>
<div> [Calculated window size: 40704]</div>
<div> [Window size scaling factor: 128]</div>
<div> Checksum: 0x41a5 [unverified]</div>
<div> [Checksum Status: Unverified]</div>
<div> Urgent Pointer: 0</div>
<div> [Timestamps]</div>
<div> [Time since first frame in this TCP stream: 1.007330000 seconds]</div>
<div> [Time since previous frame in this TCP stream: 0.906559000 seconds]</div>
<div> [SEQ/ACK analysis]</div>
<div> [iRTT: 0.003010000 seconds]</div>
<div> [Bytes in flight: 391]</div>
<div> [Bytes sent since last PSH flag: 391]</div>
<div> TCP payload (391 bytes)</div>
<div>Transport Layer Security</div>
<div> TLSv1.2 Record Layer: Application Data Protocol: Application Data</div>
<div> Content Type: Application Data (23)</div>
<div> Version: TLS 1.2 (0x0303)</div>
<div> Length: 386</div>
<div> Encrypted Application Data: 000000000000000146f17ff0e884c81f9317ba9e01c3b48763944e3905fb27fc96ce76fc…</div>
<div><br>
</div>
<div><br>
</div>
<div>25 2023-02-10 15:11:49,076214 x.y.z.w x.y.z.w TCP 60 xxx → 34986 [FIN, ACK] Seq=5750 Ack=2771 Win=65536 Len=0</div>
<div>Frame 25: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)</div>
<div> Encapsulation type: Ethernet (1)</div>
<div> Arrival Time: Feb 10, 2023 15:11:49.076214000 Central Europe Standard Time</div>
<div> [Time shift for this packet: 0.000000000 seconds]</div>
<div> Epoch Time: 1676038309.076214000 seconds</div>
<div> [Time delta from previous captured frame: 0.002879000 seconds]</div>
<div> [Time delta from previous displayed frame: 0.002879000 seconds]</div>
<div> [Time since reference or first frame: 6.778556000 seconds]</div>
<div> Frame Number: 25</div>
<div> Frame Length: 60 bytes (480 bits)</div>
<div> Capture Length: 60 bytes (480 bits)</div>
<div> [Frame is marked: False]</div>
<div> [Frame is ignored: False]</div>
<div> [Protocols in frame: eth:ethertype:ip:tcp]</div>
<div> [Coloring Rule Name: TCP SYN/FIN]</div>
<div> [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]</div>
<div>Ethernet II, Src: xxx, Dst: xxx</div>
<div> Destination: xxx</div>
<div> Address: xxx</div>
<div> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)</div>
<div> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)</div>
<div> Source: xxx</div>
<div> Address: xxx</div>
<div> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)</div>
<div> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)</div>
<div> Type: IPv4 (0x0800)</div>
<div> Trailer: 000085725dce</div>
<div>Internet Protocol Version 4, Src: x.y.z.w, Dst: x.y.z.w</div>
<div> 0100 .... = Version: 4</div>
<div> .... 0101 = Header Length: 20 bytes (5)</div>
<div> Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)</div>
<div> 0000 00.. = Differentiated Services Codepoint: Default (0)</div>
<div> .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)</div>
<div> Total Length: 40</div>
<div> Identification: 0xea10 (59920)</div>
<div> 010. .... = Flags: 0x2, Don't fragment</div>
<div> 0... .... = Reserved bit: Not set</div>
<div> .1.. .... = Don't fragment: Set</div>
<div> ..0. .... = More fragments: Not set</div>
<div> ...0 0000 0000 0000 = Fragment Offset: 0</div>
<div> Time to Live: 52</div>
<div> Protocol: TCP (6)</div>
<div> Header Checksum: 0x1cbc [validation disabled]</div>
<div> [Header checksum status: Unverified]</div>
<div> Source Address: x.y.z.w</div>
<div> Destination Address: x.y.z.w</div>
<div>Transmission Control Protocol, Src Port: xxx, Dst Port: 34986, Seq: 5750, Ack: 2771, Len: 0</div>
<div> Source Port: xxx</div>
<div> Destination Port: 34986</div>
<div> [Stream index: 1]</div>
<div> [Conversation completeness: Complete, WITH_DATA (63)]</div>
<div> [TCP Segment Len: 0]</div>
<div> Sequence Number: 5750 (relative sequence number)</div>
<div> Sequence Number (raw): 2509794849</div>
<div> [Next Sequence Number: 5751 (relative sequence number)]</div>
<div> Acknowledgment Number: 2771 (relative ack number)</div>
<div> Acknowledgment number (raw): 2630184931</div>
<div> 0101 .... = Header Length: 20 bytes (5)</div>
<div> Flags: 0x011 (FIN, ACK)</div>
<div> 000. .... .... = Reserved: Not set</div>
<div> ...0 .... .... = Accurate ECN: Not set</div>
<div> .... 0... .... = Congestion Window Reduced: Not set</div>
<div> .... .0.. .... = ECN-Echo: Not set</div>
<div> .... ..0. .... = Urgent: Not set</div>
<div> .... ...1 .... = Acknowledgment: Set</div>
<div> .... .... 0... = Push: Not set</div>
<div> .... .... .0.. = Reset: Not set</div>
<div> .... .... ..0. = Syn: Not set</div>
<div> .... .... ...1 = Fin: Set</div>
<div> [TCP Flags: ·······A···F]</div>
<div> Window: 4</div>
<div> [Calculated window size: 65536]</div>
<div> [Window size scaling factor: 16384]</div>
<div> Checksum: 0xc512 [unverified]</div>
<div> [Checksum Status: Unverified]</div>
<div> Urgent Pointer: 0</div>
<div> [Timestamps]</div>
<div> [Time since first frame in this TCP stream: 1.010209000 seconds]</div>
<div> [Time since previous frame in this TCP stream: 0.002879000 seconds]</div>
<div> [SEQ/ACK analysis]</div>
<div> [This is an ACK to the segment in frame: 24]</div>
<div> [The RTT to ACK the segment was: 0.002879000 seconds]</div>
<div> [iRTT: 0.003010000 seconds]</div>
<div><br>
</div>
<div><br>
</div>
<div>26 2023-02-10 15:11:49,117776 x.y.z.w x.y.z.w TCP 54 34986 → xxx [ACK] Seq=2771 Ack=5751 Win=40704 Len=0</div>
<div>Frame 26: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)</div>
<div> Encapsulation type: Ethernet (1)</div>
<div> Arrival Time: Feb 10, 2023 15:11:49.117776000 Central Europe Standard Time</div>
<div> [Time shift for this packet: 0.000000000 seconds]</div>
<div> Epoch Time: 1676038309.117776000 seconds</div>
<div> [Time delta from previous captured frame: 0.041562000 seconds]</div>
<div> [Time delta from previous displayed frame: 0.041562000 seconds]</div>
<div> [Time since reference or first frame: 6.820118000 seconds]</div>
<div> Frame Number: 26</div>
<div> Frame Length: 54 bytes (432 bits)</div>
<div> Capture Length: 54 bytes (432 bits)</div>
<div> [Frame is marked: False]</div>
<div> [Frame is ignored: False]</div>
<div> [Protocols in frame: eth:ethertype:ip:tcp]</div>
<div> [Coloring Rule Name: TCP]</div>
<div> [Coloring Rule String: tcp]</div>
<div>Ethernet II, Src: Mellanox_69:6f:47 (1c:34:da:69:6f:47), Dst: ICANNIAN_00:40:20 (00:00:5e:00:40:20)</div>
<div> Destination: ICANNIAN_00:40:20 (00:00:5e:00:40:20)</div>
<div> Address: ICANNIAN_00:40:20 (00:00:5e:00:40:20)</div>
<div> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)</div>
<div> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)</div>
<div> Source: Mellanox_69:6f:47 (1c:34:da:69:6f:47)</div>
<div> Address: Mellanox_69:6f:47 (1c:34:da:69:6f:47)</div>
<div> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)</div>
<div> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)</div>
<div> Type: IPv4 (0x0800)</div>
<div>Internet Protocol Version 4, Src: x.y.z.w, Dst: x.y.z.w</div>
<div> 0100 .... = Version: 4</div>
<div> .... 0101 = Header Length: 20 bytes (5)</div>
<div> Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)</div>
<div> 0000 00.. = Differentiated Services Codepoint: Default (0)</div>
<div> .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)</div>
<div> Total Length: 40</div>
<div> Identification: 0xeebd (61117)</div>
<div> 010. .... = Flags: 0x2, Don't fragment</div>
<div> 0... .... = Reserved bit: Not set</div>
<div> .1.. .... = Don't fragment: Set</div>
<div> ..0. .... = More fragments: Not set</div>
<div> ...0 0000 0000 0000 = Fragment Offset: 0</div>
<div> Time to Live: 64</div>
<div> Protocol: TCP (6)</div>
<div> Header Checksum: 0x0c0f [validation disabled]</div>
<div> [Header checksum status: Unverified]</div>
<div> Source Address: x.y.z.w</div>
<div> Destination Address: x.y.z.w</div>
<div>Transmission Control Protocol, Src Port: 34986, Dst Port: xxx, Seq: 2771, Ack: 5751, Len: 0</div>
<div> Source Port: 34986</div>
<div> Destination Port: xxx</div>
<div> [Stream index: 1]</div>
<div> [Conversation completeness: Complete, WITH_DATA (63)]</div>
<div> [TCP Segment Len: 0]</div>
<div> Sequence Number: 2771 (relative sequence number)</div>
<div> Sequence Number (raw): 2630184931</div>
<div> [Next Sequence Number: 2771 (relative sequence number)]</div>
<div> Acknowledgment Number: 5751 (relative ack number)</div>
<div> Acknowledgment number (raw): 2509794850</div>
<div> 0101 .... = Header Length: 20 bytes (5)</div>
<div> Flags: 0x010 (ACK)</div>
<div> 000. .... .... = Reserved: Not set</div>
<div> ...0 .... .... = Accurate ECN: Not set</div>
<div> .... 0... .... = Congestion Window Reduced: Not set</div>
<div> .... .0.. .... = ECN-Echo: Not set</div>
<div> .... ..0. .... = Urgent: Not set</div>
<div> .... ...1 .... = Acknowledgment: Set</div>
<div> .... .... 0... = Push: Not set</div>
<div> .... .... .0.. = Reset: Not set</div>
<div> .... .... ..0. = Syn: Not set</div>
<div> .... .... ...0 = Fin: Not set</div>
<div> [TCP Flags: ·······A····]</div>
<div> Window: 318</div>
<div> [Calculated window size: 40704]</div>
<div> [Window size scaling factor: 128]</div>
<div> Checksum: 0x401e [unverified]</div>
<div> [Checksum Status: Unverified]</div>
<div> Urgent Pointer: 0</div>
<div> [Timestamps]</div>
<div> [Time since first frame in this TCP stream: 1.051771000 seconds]</div>
<div> [Time since previous frame in this TCP stream: 0.041562000 seconds]</div>
<div> [SEQ/ACK analysis]</div>
<div> [This is an ACK to the segment in frame: 25]</div>
<div> [The RTT to ACK the segment was: 0.041562000 seconds]</div>
<div> [iRTT: 0.003010000 seconds]</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>27 2023-02-10 15:12:10,183395 x.y.w.z x.y.w.z TLSv1.2 457 Application Data</div>
<div>Frame 27: 457 bytes on wire (3656 bits), 457 bytes captured (3656 bits)</div>
<div> Encapsulation type: Ethernet (1)</div>
<div> Arrival Time: Feb 10, 2023 15:12:10.183395000 Central Europe Standard Time</div>
<div> [Time shift for this packet: 0.000000000 seconds]</div>
<div> Epoch Time: 1676038330.183395000 seconds</div>
<div> [Time delta from previous captured frame: 21.065619000 seconds]</div>
<div> [Time delta from previous displayed frame: 21.065619000 seconds]</div>
<div> [Time since reference or first frame: 27.885737000 seconds]</div>
<div> Frame Number: 27</div>
<div> Frame Length: 457 bytes (3656 bits)</div>
<div> Capture Length: 457 bytes (3656 bits)</div>
<div> [Frame is marked: False]</div>
<div> [Frame is ignored: False]</div>
<div> [Protocols in frame: eth:ethertype:ip:tcp:tls]</div>
<div> [Coloring Rule Name: TCP]</div>
<div> [Coloring Rule String: tcp]</div>
<div>Ethernet II, Src: xxx, Dst: xxx</div>
<div> Destination: xxx</div>
<div> Address: xxx</div>
<div> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)</div>
<div> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)</div>
<div> Source: xxx</div>
<div> Address: xxx</div>
<div> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)</div>
<div> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)</div>
<div> Type: IPv4 (0x0800)</div>
<div>Internet Protocol Version 4, Src: x.y.w.z, Dst: x.y.w.z</div>
<div> 0100 .... = Version: 4</div>
<div> .... 0101 = Header Length: 20 bytes (5)</div>
<div> Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)</div>
<div> 0000 00.. = Differentiated Services Codepoint: Default (0)</div>
<div> .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)</div>
<div> Total Length: 443</div>
<div> Identification: 0xeebe (61118)</div>
<div> 010. .... = Flags: 0x2, Don't fragment</div>
<div> 0... .... = Reserved bit: Not set</div>
<div> .1.. .... = Don't fragment: Set</div>
<div> ..0. .... = More fragments: Not set</div>
<div> ...0 0000 0000 0000 = Fragment Offset: 0</div>
<div> Time to Live: 64</div>
<div> Protocol: TCP (6)</div>
<div> Header Checksum: 0x0a7b [validation disabled]</div>
<div> [Header checksum status: Unverified]</div>
<div> Source Address: x.y.w.z</div>
<div> Destination Address: x.y.w.z</div>
<div>Transmission Control Protocol, Src Port: 34986, Dst Port: xxx, Seq: 2771, Ack: 5751, Len: 403</div>
<div> Source Port: 34986</div>
<div> Destination Port: xxx</div>
<div> [Stream index: 1]</div>
<div> [Conversation completeness: Complete, WITH_DATA (63)]</div>
<div> [TCP Segment Len: 403]</div>
<div> Sequence Number: 2771 (relative sequence number)</div>
<div> Sequence Number (raw): 2630184931</div>
<div> [Next Sequence Number: 3174 (relative sequence number)]</div>
<div> Acknowledgment Number: 5751 (relative ack number)</div>
<div> Acknowledgment number (raw): 2509794850</div>
<div> 0101 .... = Header Length: 20 bytes (5)</div>
<div> Flags: 0x018 (PSH, ACK)</div>
<div> 000. .... .... = Reserved: Not set</div>
<div> ...0 .... .... = Accurate ECN: Not set</div>
<div> .... 0... .... = Congestion Window Reduced: Not set</div>
<div> .... .0.. .... = ECN-Echo: Not set</div>
<div> .... ..0. .... = Urgent: Not set</div>
<div> .... ...1 .... = Acknowledgment: Set</div>
<div> .... .... 1... = Push: Set</div>
<div> .... .... .0.. = Reset: Not set</div>
<div> .... .... ..0. = Syn: Not set</div>
<div> .... .... ...0 = Fin: Not set</div>
<div> [TCP Flags: ·······AP···]</div>
<div> Window: 318</div>
<div> [Calculated window size: 40704]</div>
<div> [Window size scaling factor: 128]</div>
<div> Checksum: 0x41b1 [unverified]</div>
<div> [Checksum Status: Unverified]</div>
<div> Urgent Pointer: 0</div>
<div> [Timestamps]</div>
<div> [Time since first frame in this TCP stream: 22.117390000 seconds]</div>
<div> [Time since previous frame in this TCP stream: 21.065619000 seconds]</div>
<div> [SEQ/ACK analysis]</div>
<div> [iRTT: 0.003010000 seconds]</div>
<div> [Bytes in flight: 403]</div>
<div> [Bytes sent since last PSH flag: 403]</div>
<div> TCP payload (403 bytes)</div>
<div>Transport Layer Security</div>
<div> TLSv1.2 Record Layer: Application Data Protocol: Application Data</div>
<div> Content Type: Application Data (23)</div>
<div> Version: TLS 1.2 (0x0303)</div>
<div> Length: 398</div>
<div> Encrypted Application Data: 0000000000000002be4aae5822b205849734ad881717619991987bc9817d0b0417781265…</div>
<div><br>
</div>
<div><br>
</div>
<div>28 2023-02-10 15:12:10,185930 x.y.w.z x.y.w.z TCP 60 xxx → 34986 [RST] Seq=5751 Win=0 Len=0</div>
<div>Frame 28: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)</div>
<div> Encapsulation type: Ethernet (1)</div>
<div> Arrival Time: Feb 10, 2023 15:12:10.185930000 Central Europe Standard Time</div>
<div> [Time shift for this packet: 0.000000000 seconds]</div>
<div> Epoch Time: 1676038330.185930000 seconds</div>
<div> [Time delta from previous captured frame: 0.002535000 seconds]</div>
<div> [Time delta from previous displayed frame: 0.002535000 seconds]</div>
<div> [Time since reference or first frame: 27.888272000 seconds]</div>
<div> Frame Number: 28</div>
<div> Frame Length: 60 bytes (480 bits)</div>
<div> Capture Length: 60 bytes (480 bits)</div>
<div> [Frame is marked: False]</div>
<div> [Frame is ignored: False]</div>
<div> [Protocols in frame: eth:ethertype:ip:tcp]</div>
<div> [Coloring Rule Name: TCP RST]</div>
<div> [Coloring Rule String: tcp.flags.reset eq 1]</div>
<div>Ethernet II, Src: xxx, Dst: xxx</div>
<div> Destination: xxx</div>
<div> Address: xxx</div>
<div> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)</div>
<div> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)</div>
<div> Source: xxx</div>
<div> Address: xxx</div>
<div> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)</div>
<div> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)</div>
<div> Type: IPv4 (0x0800)</div>
<div> Trailer: 00003b22a540</div>
<div>Internet Protocol Version 4, Src: x.y.w.z, Dst: x.y.w.z</div>
<div> 0100 .... = Version: 4</div>
<div> .... 0101 = Header Length: 20 bytes (5)</div>
<div> Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)</div>
<div> 0000 00.. = Differentiated Services Codepoint: Default (0)</div>
<div> .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)</div>
<div> Total Length: 40</div>
<div> Identification: 0xd52f (54575)</div>
<div> 010. .... = Flags: 0x2, Don't fragment</div>
<div> 0... .... = Reserved bit: Not set</div>
<div> .1.. .... = Don't fragment: Set</div>
<div> ..0. .... = More fragments: Not set</div>
<div> ...0 0000 0000 0000 = Fragment Offset: 0</div>
<div> Time to Live: 52</div>
<div> Protocol: TCP (6)</div>
<div> Header Checksum: 0x319d [validation disabled]</div>
<div> [Header checksum status: Unverified]</div>
<div> Source Address: x.y.w.z</div>
<div> Destination Address: x.y.w.z</div>
<div>Transmission Control Protocol, Src Port: xxx, Dst Port: 34986, Seq: 5751, Len: 0</div>
<div> Source Port: xxx</div>
<div> Destination Port: 34986</div>
<div> [Stream index: 1]</div>
<div> [Conversation completeness: Complete, WITH_DATA (63)]</div>
<div> [TCP Segment Len: 0]</div>
<div> Sequence Number: 5751 (relative sequence number)</div>
<div> Sequence Number (raw): 2509794850</div>
<div> [Next Sequence Number: 5751 (relative sequence number)]</div>
<div> Acknowledgment Number: 0</div>
<div> Acknowledgment number (raw): 0</div>
<div> 0101 .... = Header Length: 20 bytes (5)</div>
<div> Flags: 0x004 (RST)</div>
<div> 000. .... .... = Reserved: Not set</div>
<div> ...0 .... .... = Accurate ECN: Not set</div>
<div> .... 0... .... = Congestion Window Reduced: Not set</div>
<div> .... .0.. .... = ECN-Echo: Not set</div>
<div> .... ..0. .... = Urgent: Not set</div>
<div> .... ...0 .... = Acknowledgment: Not set</div>
<div> .... .... 0... = Push: Not set</div>
<div> .... .... .1.. = Reset: Set</div>
<div> .... .... ..0. = Syn: Not set</div>
<div> .... .... ...0 = Fin: Not set</div>
<div> [TCP Flags: ·········R··]</div>
<div> Window: 0</div>
<div> [Calculated window size: 0]</div>
<div> [Window size scaling factor: 16384]</div>
<div> Checksum: 0xd1cb [unverified]</div>
<div> [Checksum Status: Unverified]</div>
<div> Urgent Pointer: 0</div>
<div> [Timestamps]</div>
<div> [Time since first frame in this TCP stream: 22.119925000 seconds]</div>
<div> [Time since previous frame in this TCP stream: 0.002535000 seconds]</div>
<div><br>
</div>
<div>I have other log collections working fine with TLS.</div>
<div><br>
</div>
<div>Can you please give me a hint as to what could cause this?</div>
<div><br>
</div>
<div>Thank you.</div>
<div><br>
</div>
<div>Br,</div>
Dragan<br>
</div>
<div>
<div id="m_8514148758271801352x_Signature">
<div><br>
</div>
</div>
</div>
</div>
</div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
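The two things the quoted message asks about, sessions that are closed right after accept and the 1h gap between /var/log/messages and the capture, can both be checked mechanically. The script below is an added example, not tooling from the thread or from the syslog-ng project: it pairs the "Syslog connection accepted"/"closed" lines by fd and client, flags sessions that lived only a moment, and derives the server's apparent UTC offset from the capture's epoch time of the FIN (frame 25). The second session (fd 176) is constructed to show a healthy peer, and the capture host is assumed to display Central Europe Standard Time, i.e. UTC+1.

```python
"""Correlate syslog-ng connection lifecycle messages with a packet capture.

Added example (not from the mailing-list thread): pairs accepted/closed lines
by fd and client, flags very short-lived sessions, and computes the server's
apparent UTC offset from the capture's absolute epoch time of the same event,
so a timezone or clock skew between the two hosts shows up explicitly.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample: the first two lines mirror the ones quoted in the thread;
# the second session (fd 176) is invented to show a healthy, longer-lived peer.
MESSAGES = """\
Feb 10 16:11:48 xxx syslog-ng[21262]: Syslog connection accepted; fd='175', client='AF_INET(x.y.w.z:34986)', local='AF_INET(0.0.0.0:xxx)'
Feb 10 16:11:49 xxx syslog-ng[21262]: Syslog connection closed; fd='175', client='AF_INET(x.y.w.z:34986)', local='AF_INET(0.0.0.0:xxx)'
Feb 10 16:12:10 xxx syslog-ng[21262]: Syslog connection accepted; fd='176', client='AF_INET(x.y.w.z:34990)', local='AF_INET(0.0.0.0:xxx)'
Feb 10 16:14:10 xxx syslog-ng[21262]: Syslog connection closed; fd='176', client='AF_INET(x.y.w.z:34990)', local='AF_INET(0.0.0.0:xxx)'
"""

# Epoch time of the server's FIN in the capture (frame 25 in the thread) and the
# UTC offset in which the capture host displayed timestamps (CET = UTC+1, assumed).
CAPTURE_FIN_EPOCH = 1676038309.076214
CAPTURE_DISPLAY_OFFSET_H = 1.0

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ syslog-ng\[\d+\]: "
    r"Syslog connection (?P<event>accepted|closed); fd='(?P<fd>\d+)', "
    r"client='(?P<client>[^']+)'"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, event, fd, client)


def parse_messages(text: str, year: int) -> List[Event]:
    """Parse syslog-ng connection lines. The syslog timestamp carries no year,
    so the caller supplies it; lines that do not match are ignored."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["event"], m["fd"], m["client"]))
    return events


def session_durations(events: List[Event]) -> Dict[Tuple[str, str], float]:
    """Pair each 'accepted' with the next 'closed' for the same (fd, client).
    fds get reused by the kernel, so the client endpoint is part of the key."""
    open_at: Dict[Tuple[str, str], datetime] = {}
    durations: Dict[Tuple[str, str], float] = {}
    for ts, event, fd, client in events:
        key = (fd, client)
        if event == "accepted":
            open_at[key] = ts
        elif key in open_at:
            durations[key] = (ts - open_at.pop(key)).total_seconds()
    return durations


def short_sessions(durations: Dict[Tuple[str, str], float], max_seconds: float = 2.0):
    """Sessions torn down almost immediately after accept: the symptom in the
    thread, where the server sends FIN right after the first data record."""
    return sorted(k for k, d in durations.items() if d <= max_seconds)


def server_utc_offset_hours(server_ts: datetime, capture_epoch: float) -> float:
    """Treat the server's naive syslog timestamp as if it were UTC and subtract
    the capture's absolute time of the same event; the remainder is the server's
    apparent UTC offset (timezone plus any clock skew), rounded to 0.25 h."""
    utc_event = datetime.fromtimestamp(capture_epoch, tz=timezone.utc).replace(tzinfo=None)
    hours = (server_ts - utc_event).total_seconds() / 3600
    return round(hours * 4) / 4


def skew_between_hosts_hours(server_ts: datetime, capture_epoch: float,
                             capture_display_offset_h: float) -> float:
    """Difference between the two hosts' displayed clocks: the '1h offset' the
    thread remarks on. Zero means both hosts agree on time and zone."""
    return server_utc_offset_hours(server_ts, capture_epoch) - capture_display_offset_h


if __name__ == "__main__":
    evs = parse_messages(MESSAGES, year=2023)
    durs = session_durations(evs)
    for key, secs in durs.items():
        print(f"fd={key[0]} client={key[1]} lived {secs:.0f}s")
    print("suspiciously short:", short_sessions(durs))
    closed_175 = next(ts for ts, ev, fd, _ in evs if ev == "closed" and fd == "175")
    print("server apparent UTC offset (h):", server_utc_offset_hours(closed_175, CAPTURE_FIN_EPOCH))
    print("skew vs capture host (h):", skew_between_hosts_hours(closed_175, CAPTURE_FIN_EPOCH, CAPTURE_DISPLAY_OFFSET_H))
```

Run against the real /var/log/messages and the FIN's epoch from the capture; a non-zero skew means timestamps from the two hosts cannot be compared without correcting for it first.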