<div dir="auto">Yup, it should work. More or less all combinations are possible with the driver, transport option and the syslog-protocol flag.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 2, 2023, 20:12 Evan Rempel <<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div>
    <div>I have never tried to send TLS streams
      from an RFC3164 source. All of my sources that could support TLS
      also support RFC5425.</div>
    <div><br>
    </div>
    <div>What I understand you to be saying is that
      you have a source that is sending RFC5424 messages, using TLS but
      without the frame header. That is completely outside of any RFC
      combination but that's the story of syslog aggregation :-(<br>
    </div>
    <div><br>
    </div>
    <div>I think you could do as you say. Use a
      network source driver with the syslog-protocol flag and enable
      TLS. This would have to be done on a special port so as not to
      conflict with the RFC5425 framed data streams, but it sounds like
      it would work.</div>
    <div><br>
    </div>
    <div>Evan.<br>
    </div>
    <div><br>
    </div>
    <br>
    <div>On 2023-03-02 10:32, Dragan Zecevic
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      
      <br>
      <div>
        <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
          Hi Steve and Evan,</div>
        <div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            Sorry for the delay, I was on a sick leave.</div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            Thanks for the ideas.</div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            <br>
          </div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            It seems you are right, there is an error in front of
            connection closed:</div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            Feb 10 15:08:02 xxx syslog-ng[21262]: Invalid frame header;
            header=''<br>
            Feb 10 15:08:02 xxx syslog-ng[21262]: Syslog connection
            closed; fd='468', client='AF_INET(x.y.z.w:xxx)',
            local='AF_INET(0.0.0.0:xxx)'<br>
          </div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            <br>
          </div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            It seems there is no frame header in incoming syslog
            messages.</div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            <br>
          </div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            I found this in syslog-ng docs:</div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            <br>
          </div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            syslog-protocol: The syslog-protocol flag instructs the
            driver to format the messages according to the new IETF
            syslog protocol standard (RFC5424), but without the frame
            header. If this flag is enabled, macros used for the message
            have effect only for the text of the message, the message
            header is formatted to the new standard. Note that this flag
            is not needed for the syslog driver, and that the syslog
            driver automatically adds the frame header to the messages.
            <div><br>
            </div>
            syslog-protocol: The syslog-protocol flag specifies that
            incoming messages are expected to be formatted according to
            the new IETF syslog protocol standard (RFC5424), but without
            the frame header. Note that this flag is not needed for the
            syslog driver, which handles only messages that have a frame
            header.<br>
          </div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            <br>
          </div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            As I understand it, the syslog driver for RFC5425 doesn't support
            messages without a frame header.</div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            <br>
          </div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            So should I then use the network driver with the syslog-protocol
            flag in combination with RFC3164 messages?</div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            <br>
          </div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            Thank you.</div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            <br>
          </div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            Br,</div>
          <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
            Dragan</div>
          <div id="m_954874743524945210Signature"><br>
          </div>
        </div>
        <hr style="display:inline-block;width:98%">
        <div id="m_954874743524945210divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b>
            syslog-ng <a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer"><syslog-ng-bounces@lists.balabit.hu></a> on
            behalf of Evan Rempel <a href="mailto:erempel@uvic.ca" target="_blank" rel="noreferrer"><erempel@uvic.ca></a><br>
            <b>Sent:</b> Thursday, February 23, 2023 2:17 PM<br>
            <b>To:</b> <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">syslog-ng@lists.balabit.hu</a>
            <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer"><syslog-ng@lists.balabit.hu></a><br>
            <b>Subject:</b> Re: [syslog-ng] syslog-ng reset connection
            before data transfer</font>
          <div> </div>
        </div>
        <div>
          <div>I had an issue with the
            symptom of the connection closing as the first message was
            sent. It eventually came down to the packet framing. When
            using syslog protocol (RFC 5424/5425) you must use framing.
            Without it syslog-ng drops the connection.</div>
          <div><br>
          </div>
          <div>As Steve says, look for errors
            from the receiving syslog-ng process. There should be an
            error immediately preceding the closed connection.</div>
          <div><br>
          </div>
          <div>Evan.<br>
          </div>
          <div><br>
          </div>
          <div>On 2023-02-23 05:33, Steve
            Bernacki wrote:<br>
          </div>
          <blockquote type="cite"><br>
            <div>
              <p>Dragan,</p>
              <p><br>
              </p>
              <p>1) Are you seeing any error or diagnostic message
                immediately before "Syslog connection closed"? If a log
                message immediately precedes this message with the same
                timestamp, it's usually related even though there's
                nothing in the two entries to tie them together.</p>
              <p><br>
              </p>
              <p>2) Are the clients running syslog-ng?</p>
              <p><br>
              </p>
              <p>3) Any other similarities with the clients that are not
                working, e.g. on the same network segment etc? Could
                there be some type of network IDS device sniping these
                connections?</p>
              <p><br>
              </p>
              <p>Steve<br>
              </p>
              <p><br>
              </p>
              <div>On 2/23/2023 3:40 AM,
                Dragan Zecevic wrote:<br>
              </div>
              <blockquote type="cite">
                
                <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
                  <br>
                </div>
                <div>
                  <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
                    <br>
                  </div>
                  <div id="m_954874743524945210x_Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
                    Hi again,</div>
                  <div id="m_954874743524945210x_Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
                    Does somebody have an idea on this?</div>
                  <div id="m_954874743524945210x_Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
                    <br>
                  </div>
                  <div id="m_954874743524945210x_Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
                    Thank you.</div>
                  <div id="m_954874743524945210x_Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
                    <br>
                  </div>
                  <div id="m_954874743524945210x_Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
                    Br,</div>
                  <div id="m_954874743524945210x_Signature" style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
                    Dragan</div>
                  <div><br>
                  </div>
                </div>
                <hr style="display:inline-block;width:98%">
                <div id="m_954874743524945210x_divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" face="Calibri, sans-serif" color="#000000"><b>From:</b> syslog-ng
                    <a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank" rel="noreferrer">
                      <syslog-ng-bounces@lists.balabit.hu></a> on
                    behalf of Dragan Zecevic <a href="mailto:dragan.zecevic@live.com" target="_blank" rel="noreferrer">
                      <dragan.zecevic@live.com></a><br>
                    <b>Sent:</b> Tuesday, February 14, 2023 2:33 PM<br>
                    <b>To:</b> <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">
                      syslog-ng@lists.balabit.hu</a> <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank" rel="noreferrer">
                      <syslog-ng@lists.balabit.hu></a><br>
                    <b>Subject:</b> [syslog-ng] syslog-ng reset
                    connection before data transfer</font>
                  <div> </div>
                </div>
                
                <div dir="ltr">
                  <div style="font-family:Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255)">
                    <div>Hi
                      everybody,</div>
                    <div>I
                      hope you are well.</div>
                    <div><br>
                    </div>
                    <div>I
                      was hoping you could help me with an issue.</div>
                    <div>I am trying to
                      collect logs from some servers via syslog.</div>
                    <div>TLS session seems to
                      be established - handshake, certs, ciphers all
                      looking ok.</div>
                    <div>But when data needs
                      to be sent, it seems the syslog-ng server disconnects
                      the session for some reason.</div>
                    <div><br>
                    </div>
                    <div>In /var/log/messages
                      I can only see start/stop messages even after
                      turning on verbose logging:</div>
                    <div><br>
                    </div>
                    <div>Feb 10 16:11:48 xxx
                      syslog-ng[21262]: Syslog connection accepted;
                      fd='175', client='AF_INET(x.y.w.z:34986)',
                      local='AF_INET(0.0.0.0:xxx)'</div>
                    <div>Feb 10 16:11:49 xxx
                      syslog-ng[21262]: Syslog connection closed;
                      fd='175', client='AF_INET(x.y.w.z:34986)',
                      local='AF_INET(0.0.0.0:xxx)'</div>
                    <div><br>
                    </div>
                    <div>This is the
                      configuration I am using:</div>
                    <div><br>
                    </div>
                    <div>source s_xxx {</div>
                    <div>    syslog(</div>
                    <div>        ip(0.0.0.0)</div>
                    <div>        port(xxx)</div>
                    <div>        transport("tls")</div>
                    <div>        tls(</div>
                    <div>            key-file("/etc/syslog-ng/key.d/xxx.key")</div>
                    <div>            cert-file("/etc/syslog-ng/cert.d/xxx.cer")</div>
                    <div>            ca-dir("/etc/syslog-ng/ca.d")</div>
                    <div>            peer-verify(required-trusted)</div>
                    <div>            cipher-suite("xxx...xxx")</div>
                    <div>        )</div>
                    <div>        flags(store-raw-message)</div>
                    <div>    );</div>
                    <div>};</div>
                    <div><br>
                    </div>
                    <div>filter filter_xxx {</div>
                    <div>    host("xxx") ... or host("xxx");</div>
                    <div>};</div>
                    <div><br>
                    </div>
                    <div>destination folder_xxx {</div>
                    <div>    file(</div>
                    <div>        "/var/log/xxx/${R_YEAR}${R_MONTH}${R_DAY}/${SOURCEIP}_${HOST}_${R_HOUR}.log"</div>
                    <div>        template("${RAWMSG}\n")</div>
                    <div>        dir-group(xxx)</div>
                    <div>        dir-perm(0650)</div>
                    <div>        group(xxx)</div>
                    <div>    );</div>
                    <div>};</div>
                    <div><br>
                    </div>
                    <div>log {</div>
                    <div>    source(s_xxx); filter(filter_xxx);</div>
                    <div>    destination(folder_xxx); flags(flow-control);</div>
                    <div>};</div>
                    <div><br>
                    </div>
                    <div><br>
                    </div>
                    <div>And below is the last
                      part of the session captured with tcpdump from the
                      source side.</div>
                    <div>It
                      is interesting to me that there is a 1h offset
                      compared to /var/log/messages on syslog-ng. Src
                      and dst servers are in the same environment.</div>
                    <div><br>
                    </div>
                    <div><br>
                    </div>
                    <div>24    2023-02-10
                      15:11:49,073335    x.y.w.z     x.y.w.z     TLSv1.2     445   Application
                      Data</div>
                    <div>Frame 24: 445 bytes
                      on wire (3560 bits), 445 bytes captured (3560
                      bits)</div>
                    <div>    Encapsulation
                      type: Ethernet (1)</div>
                    <div>    Arrival Time:
                      Feb 10, 2023 15:11:49.073335000 Central Europe
                      Standard Time</div>
                    <div>    [Time shift for
                      this packet: 0.000000000 seconds]</div>
                    <div>    Epoch Time:
                      1676038309.073335000 seconds</div>
                    <div>    [Time delta from
                      previous captured frame: 0.906559000 seconds]</div>
                    <div>    [Time delta from
                      previous displayed frame: 0.906559000 seconds]</div>
                    <div>    [Time since
                      reference or first frame: 6.775677000 seconds]</div>
                    <div>    Frame Number: 24</div>
                    <div>    Frame Length:
                      445 bytes (3560 bits)</div>
                    <div>    Capture Length:
                      445 bytes (3560 bits)</div>
                    <div>    [Frame is
                      marked: False]</div>
                    <div>    [Frame is
                      ignored: False]</div>
                    <div>    [Protocols in
                      frame: eth:ethertype:ip:tcp:tls]</div>
                    <div>    [Coloring Rule
                      Name: TCP]</div>
                    <div>    [Coloring Rule
                      String: tcp]</div>
                    <div>Ethernet II, Src:
                      xxx, Dst: xxx</div>
                    <div>    Destination: xxx</div>
                    <div>        Address: xxx</div>
                    <div>        .... ..0.
                      .... .... .... .... = LG bit: Globally unique
                      address (factory default)</div>
                    <div>        .... ...0
                      .... .... .... .... = IG bit: Individual address
                      (unicast)</div>
                    <div>    Source: xxx</div>
                    <div>        Address: xxx</div>
                    <div>        .... ..0.
                      .... .... .... .... = LG bit: Globally unique
                      address (factory default)</div>
                    <div>        .... ...0
                      .... .... .... .... = IG bit: Individual address
                      (unicast)</div>
                    <div>    Type: IPv4
                      (0x0800)</div>
                    <div>Internet Protocol
                      Version 4, Src: x.y.z.w, Dst: x.y.z.w</div>
                    <div>    0100 .... =
                      Version: 4</div>
                    <div>    .... 0101 =
                      Header Length: 20 bytes (5)</div>
                    <div>    Differentiated
                      Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)</div>
                    <div>        0000 00.. =
                      Differentiated Services Codepoint: Default (0)</div>
                    <div>        .... ..00 =
                      Explicit Congestion Notification: Not ECN-Capable
                      Transport (0)</div>
                    <div>    Total Length:
                      431</div>
                    <div>    Identification:
                      0xeebc (61116)</div>
                    <div>    010. .... =
                      Flags: 0x2, Don't fragment</div>
                    <div>        0... .... =
                      Reserved bit: Not set</div>
                    <div>        .1.. .... =
                      Don't fragment: Set</div>
                    <div>        ..0. .... =
                      More fragments: Not set</div>
                    <div>    ...0 0000 0000
                      0000 = Fragment Offset: 0</div>
                    <div>    Time to Live: 64</div>
                    <div>    Protocol: TCP
                      (6)</div>
                    <div>    Header Checksum:
                      0x0a89 [validation disabled]</div>
                    <div>    [Header checksum
                      status: Unverified]</div>
                    <div>    Source Address:
                      x.y.z.w</div>
                    <div>    Destination
                      Address: x.y.z.w</div>
                    <div>Transmission Control
                      Protocol, Src Port: 34986, Dst Port: xxx, Seq:
                      2380, Ack: 5750, Len: 391</div>
                    <div>    Source Port:
                      34986</div>
                    <div>    Destination
                      Port: xxx</div>
                    <div>    [Stream index:
                      1]</div>
                    <div>    [Conversation
                      completeness: Complete, WITH_DATA (63)]</div>
                    <div>    [TCP Segment
                      Len: 391]</div>
                    <div>    Sequence Number:
                      2380    (relative sequence number)</div>
                    <div>    Sequence Number
                      (raw): 2630184540</div>
                    <div>    [Next Sequence
                      Number: 2771    (relative sequence number)]</div>
                    <div>    Acknowledgment
                      Number: 5750    (relative ack number)</div>
                    <div>    Acknowledgment
                      number (raw): 2509794849</div>
                    <div>    0101 .... =
                      Header Length: 20 bytes (5)</div>
                    <div>    Flags: 0x018
                      (PSH, ACK)</div>
                    <div>        000. ....
                      .... = Reserved: Not set</div>
                    <div>        ...0 ....
                      .... = Accurate ECN: Not set</div>
                    <div>        .... 0...
                      .... = Congestion Window Reduced: Not set</div>
                    <div>        .... .0..
                      .... = ECN-Echo: Not set</div>
                    <div>        .... ..0.
                      .... = Urgent: Not set</div>
                    <div>        .... ...1
                      .... = Acknowledgment: Set</div>
                    <div>        .... ....
                      1... = Push: Set</div>
                    <div>        .... ....
                      .0.. = Reset: Not set</div>
                    <div>        .... ....
                      ..0. = Syn: Not set</div>
                    <div>        .... ....
                      ...0 = Fin: Not set</div>
                    <div>        [TCP Flags:
                      ·······AP···]</div>
                    <div>    Window: 318</div>
                    <div>    [Calculated
                      window size: 40704]</div>
                    <div>    [Window size
                      scaling factor: 128]</div>
                    <div>    Checksum: 0x41a5
                      [unverified]</div>
                    <div>    [Checksum
                      Status: Unverified]</div>
                    <div>    Urgent Pointer:
                      0</div>
                    <div>    [Timestamps]</div>
                    <div>        [Time since
                      first frame in this TCP stream: 1.007330000
                      seconds]</div>
                    <div>        [Time since
                      previous frame in this TCP stream: 0.906559000
                      seconds]</div>
                    <div>    [SEQ/ACK
                      analysis]</div>
                    <div>        [iRTT:
                      0.003010000 seconds]</div>
                    <div>        [Bytes in
                      flight: 391]</div>
                    <div>        [Bytes sent
                      since last PSH flag: 391]</div>
                    <div>    TCP payload (391
                      bytes)</div>
                    <div>Transport Layer
                      Security</div>
                    <div>    TLSv1.2 Record
                      Layer: Application Data Protocol: Application Data</div>
                    <div>        Content
                      Type: Application Data (23)</div>
                    <div>        Version: TLS
                      1.2 (0x0303)</div>
                    <div>        Length: 386</div>
                    <div>        Encrypted
                      Application Data:
000000000000000146f17ff0e884c81f9317ba9e01c3b48763944e3905fb27fc96ce76fc…</div>
                    <div><br>
                    </div>
                    <div><br>
                    </div>
                    <div>25    2023-02-10
                      15:11:49,076214    x.y.z.w     x.y.z.w     TCP   60    xxx
                      → 34986 [FIN, ACK] Seq=5750 Ack=2771 Win=65536
                      Len=0</div>
                    <div>Frame 25: 60 bytes
                      on wire (480 bits), 60 bytes captured (480 bits)</div>
                    <div>    Encapsulation
                      type: Ethernet (1)</div>
                    <div>    Arrival Time:
                      Feb 10, 2023 15:11:49.076214000 Central Europe
                      Standard Time</div>
                    <div>    [Time shift for
                      this packet: 0.000000000 seconds]</div>
                    <div>    Epoch Time:
                      1676038309.076214000 seconds</div>
                    <div>    [Time delta from
                      previous captured frame: 0.002879000 seconds]</div>
                    <div>    [Time delta from
                      previous displayed frame: 0.002879000 seconds]</div>
                    <div>    [Time since
                      reference or first frame: 6.778556000 seconds]</div>
                    <div>    Frame Number: 25</div>
                    <div>    Frame Length: 60
                      bytes (480 bits)</div>
                    <div>    Capture Length:
                      60 bytes (480 bits)</div>
                    <div>    [Frame is
                      marked: False]</div>
                    <div>    [Frame is
                      ignored: False]</div>
                    <div>    [Protocols in
                      frame: eth:ethertype:ip:tcp]</div>
                    <div>    [Coloring Rule
                      Name: TCP SYN/FIN]</div>
                    <div>    [Coloring Rule
                      String: tcp.flags & 0x02 || tcp.flags.fin ==
                      1]</div>
                    <div>Ethernet II, Src:
                      xxx, Dst: xxx</div>
                    <div>    Destination: xxx</div>
                    <div>        Address: xxx</div>
                    <div>        .... ..0.
                      .... .... .... .... = LG bit: Globally unique
                      address (factory default)</div>
                    <div>        .... ...0
                      .... .... .... .... = IG bit: Individual address
                      (unicast)</div>
                    <div>    Source: xxx</div>
                    <div>        Address: xxx</div>
                    <div>        .... ..0.
                      .... .... .... .... = LG bit: Globally unique
                      address (factory default)</div>
                    <div>        .... ...0
                      .... .... .... .... = IG bit: Individual address
                      (unicast)</div>
                    <div>    Type: IPv4
                      (0x0800)</div>
                    <div>    Trailer:
                      000085725dce</div>
                    <div>Internet Protocol
                      Version 4, Src: x.y.z.w, Dst: x.y.z.w</div>
                    <div>    0100 .... =
                      Version: 4</div>
                    <div>    .... 0101 =
                      Header Length: 20 bytes (5)</div>
                    <div>    Differentiated
                      Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)</div>
                    <div>        0000 00.. =
                      Differentiated Services Codepoint: Default (0)</div>
                    <div>        .... ..00 =
                      Explicit Congestion Notification: Not ECN-Capable
                      Transport (0)</div>
                    <div>    Total Length: 40</div>
                    <div>    Identification:
                      0xea10 (59920)</div>
                    <div>    010. .... =
                      Flags: 0x2, Don't fragment</div>
                    <div>        0... .... =
                      Reserved bit: Not set</div>
                    <div>        .1.. .... =
                      Don't fragment: Set</div>
                    <div>        ..0. .... =
                      More fragments: Not set</div>
                    <div>    ...0 0000 0000
                      0000 = Fragment Offset: 0</div>
                    <div>    Time to Live: 52</div>
                    <div>    Protocol: TCP
                      (6)</div>
                    <div>    Header Checksum:
                      0x1cbc [validation disabled]</div>
                    <div>    [Header checksum
                      status: Unverified]</div>
                    <div>    Source Address:
                      x.y.z.w</div>
                    <div>    Destination
                      Address: x.y.z.w</div>
                    <div>Transmission Control
                      Protocol, Src Port: xxx, Dst Port: 34986, Seq:
                      5750, Ack: 2771, Len: 0</div>
                    <div>    Source Port: xxx</div>
                    <div>    Destination
                      Port: 34986</div>
                    <div>    [Stream index:
                      1]</div>
                    <div>    [Conversation
                      completeness: Complete, WITH_DATA (63)]</div>
                    <div>    [TCP Segment
                      Len: 0]</div>
                    <div>    Sequence Number:
                      5750    (relative sequence number)</div>
                    <div>    Sequence Number
                      (raw): 2509794849</div>
                    <div>    [Next Sequence
                      Number: 5751    (relative sequence number)]</div>
                    <div>    Acknowledgment
                      Number: 2771    (relative ack number)</div>
                    <div>    Acknowledgment
                      number (raw): 2630184931</div>
                    <div>    0101 .... =
                      Header Length: 20 bytes (5)</div>
                    <div>    Flags: 0x011
                      (FIN, ACK)</div>
                    <div>        000. ....
                      .... = Reserved: Not set</div>
                    <div>        ...0 ....
                      .... = Accurate ECN: Not set</div>
                    <div>        .... 0...
                      .... = Congestion Window Reduced: Not set</div>
                    <div>        .... .0..
                      .... = ECN-Echo: Not set</div>
                    <div>        .... ..0.
                      .... = Urgent: Not set</div>
                    <div>        .... ...1
                      .... = Acknowledgment: Set</div>
                    <div>        .... ....
                      0... = Push: Not set</div>
                    <div>        .... ....
                      .0.. = Reset: Not set</div>
                    <div>        .... ....
                      ..0. = Syn: Not set</div>
                    <div>        .... ....
                      ...1 = Fin: Set</div>
                    <div>        [TCP Flags:
                      ·······A···F]</div>
                    <div>    Window: 4</div>
                    <div>    [Calculated
                      window size: 65536]</div>
                    <div>    [Window size
                      scaling factor: 16384]</div>
                    <div>    Checksum: 0xc512
                      [unverified]</div>
                    <div>    [Checksum
                      Status: Unverified]</div>
                    <div>    Urgent Pointer:
                      0</div>
                    <div>    [Timestamps]</div>
                    <div>        [Time since
                      first frame in this TCP stream: 1.010209000
                      seconds]</div>
                    <div>        [Time since
                      previous frame in this TCP stream: 0.002879000
                      seconds]</div>
                    <div>    [SEQ/ACK
                      analysis]</div>
                    <div>        [This is an
                      ACK to the segment in frame: 24]</div>
                    <div>        [The RTT to
                      ACK the segment was: 0.002879000 seconds]</div>
                    <div>        [iRTT:
                      0.003010000 seconds]</div>
                    <div><br>
                    </div>
                    <div><br>
                    </div>
                    <div>26    2023-02-10
                      15:11:49,117776    x.y.z.w     x.y.z.w     TCP   54    34986
                      → xxx [ACK] Seq=2771 Ack=5751 Win=40704 Len=0</div>
                    <div>Frame 26: 54 bytes
                      on wire (432 bits), 54 bytes captured (432 bits)</div>
                    <div>    Encapsulation
                      type: Ethernet (1)</div>
                    <div>    Arrival Time:
                      Feb 10, 2023 15:11:49.117776000 Central Europe
                      Standard Time</div>
                    <div>    [Time shift for
                      this packet: 0.000000000 seconds]</div>
                    <div>    Epoch Time:
                      1676038309.117776000 seconds</div>
                    <div>    [Time delta from
                      previous captured frame: 0.041562000 seconds]</div>
                    <div>    [Time delta from
                      previous displayed frame: 0.041562000 seconds]</div>
                    <div>    [Time since
                      reference or first frame: 6.820118000 seconds]</div>
                    <div>    Frame Number: 26</div>
                    <div>    Frame Length: 54
                      bytes (432 bits)</div>
                    <div>    Capture Length:
                      54 bytes (432 bits)</div>
                    <div>    [Frame is
                      marked: False]</div>
                    <div>    [Frame is
                      ignored: False]</div>
                    <div>    [Protocols in
                      frame: eth:ethertype:ip:tcp]</div>
                    <div>    [Coloring Rule
                      Name: TCP]</div>
                    <div>    [Coloring Rule
                      String: tcp]</div>
                    <div>Ethernet II, Src:
                      Mellanox_69:6f:47 (1c:34:da:69:6f:47), Dst:
                      ICANNIAN_00:40:20 (00:00:5e:00:40:20)</div>
                    <div>    Destination:
                      ICANNIAN_00:40:20 (00:00:5e:00:40:20)</div>
                    <div>        Address:
                      ICANNIAN_00:40:20 (00:00:5e:00:40:20)</div>
                    <div>        .... ..0.
                      .... .... .... .... = LG bit: Globally unique
                      address (factory default)</div>
                    <div>        .... ...0
                      .... .... .... .... = IG bit: Individual address
                      (unicast)</div>
                    <div>    Source:
                      Mellanox_69:6f:47 (1c:34:da:69:6f:47)</div>
                    <div>        Address:
                      Mellanox_69:6f:47 (1c:34:da:69:6f:47)</div>
                    <div>        .... ..0.
                      .... .... .... .... = LG bit: Globally unique
                      address (factory default)</div>
                    <div>        .... ...0
                      .... .... .... .... = IG bit: Individual address
                      (unicast)</div>
                    <div>    Type: IPv4
                      (0x0800)</div>
                    <div>Internet Protocol
                      Version 4, Src: x.y.z.w, Dst: x.y.z.w</div>
                    <div>    0100 .... =
                      Version: 4</div>
                    <div>    .... 0101 =
                      Header Length: 20 bytes (5)</div>
                    <div>    Differentiated
                      Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)</div>
                    <div>        0000 00.. =
                      Differentiated Services Codepoint: Default (0)</div>
                    <div>        .... ..00 =
                      Explicit Congestion Notification: Not ECN-Capable
                      Transport (0)</div>
                    <div>    Total Length: 40</div>
                    <div>    Identification:
                      0xeebd (61117)</div>
                    <div>    010. .... =
                      Flags: 0x2, Don't fragment</div>
                    <div>        0... .... =
                      Reserved bit: Not set</div>
                    <div>        .1.. .... =
                      Don't fragment: Set</div>
                    <div>        ..0. .... =
                      More fragments: Not set</div>
                    <div>    ...0 0000 0000
                      0000 = Fragment Offset: 0</div>
                    <div>    Time to Live: 64</div>
                    <div>    Protocol: TCP
                      (6)</div>
                    <div>    Header Checksum:
                      0x0c0f [validation disabled]</div>
                    <div>    [Header checksum
                      status: Unverified]</div>
                    <div>    Source Address:
                      x.y.z.w</div>
                    <div>    Destination
                      Address: x.y.z.w</div>
                    <div>Transmission Control
                      Protocol, Src Port: 34986, Dst Port: xxx, Seq:
                      2771, Ack: 5751, Len: 0</div>
                    <div>    Source Port:
                      34986</div>
                    <div>    Destination
                      Port: xxx</div>
                    <div>    [Stream index:
                      1]</div>
                    <div>    [Conversation
                      completeness: Complete, WITH_DATA (63)]</div>
                    <div>    [TCP Segment
                      Len: 0]</div>
                    <div>    Sequence Number:
                      2771    (relative sequence number)</div>
                    <div>    Sequence Number
                      (raw): 2630184931</div>
                    <div>    [Next Sequence
                      Number: 2771    (relative sequence number)]</div>
                    <div>    Acknowledgment
                      Number: 5751    (relative ack number)</div>
                    <div>    Acknowledgment
                      number (raw): 2509794850</div>
                    <div>    0101 .... =
                      Header Length: 20 bytes (5)</div>
                    <div>    Flags: 0x010
                      (ACK)</div>
                    <div>        000. ....
                      .... = Reserved: Not set</div>
                    <div>        ...0 ....
                      .... = Accurate ECN: Not set</div>
                    <div>        .... 0...
                      .... = Congestion Window Reduced: Not set</div>
                    <div>        .... .0..
                      .... = ECN-Echo: Not set</div>
                    <div>        .... ..0.
                      .... = Urgent: Not set</div>
                    <div>        .... ...1
                      .... = Acknowledgment: Set</div>
                    <div>        .... ....
                      0... = Push: Not set</div>
                    <div>        .... ....
                      .0.. = Reset: Not set</div>
                    <div>        .... ....
                      ..0. = Syn: Not set</div>
                    <div>        .... ....
                      ...0 = Fin: Not set</div>
                    <div>        [TCP Flags:
                      ·······A····]</div>
                    <div>    Window: 318</div>
                    <div>    [Calculated
                      window size: 40704]</div>
                    <div>    [Window size
                      scaling factor: 128]</div>
                    <div>    Checksum: 0x401e
                      [unverified]</div>
                    <div>    [Checksum
                      Status: Unverified]</div>
                    <div>    Urgent Pointer:
                      0</div>
                    <div>    [Timestamps]</div>
                    <div>        [Time since
                      first frame in this TCP stream: 1.051771000
                      seconds]</div>
                    <div>        [Time since
                      previous frame in this TCP stream: 0.041562000
                      seconds]</div>
                    <div>    [SEQ/ACK
                      analysis]</div>
                    <div>        [This is an
                      ACK to the segment in frame: 25]</div>
                    <div>        [The RTT to
                      ACK the segment was: 0.041562000 seconds]</div>
                    <div>        [iRTT:
                      0.003010000 seconds]</div>
                    <div><br>
                    </div>
                    <div><br>
                    </div>
                    <div><br>
                    </div>
                    <div>27    2023-02-10
                      15:12:10,183395    x.y.w.z     x.y.w.z     TLSv1.2     457   Application
                      Data</div>
                    <div>Frame 27: 457 bytes
                      on wire (3656 bits), 457 bytes captured (3656
                      bits)</div>
                    <div>    Encapsulation
                      type: Ethernet (1)</div>
                    <div>    Arrival Time:
                      Feb 10, 2023 15:12:10.183395000 Central Europe
                      Standard Time</div>
                    <div>    [Time shift for
                      this packet: 0.000000000 seconds]</div>
                    <div>    Epoch Time:
                      1676038330.183395000 seconds</div>
                    <div>    [Time delta from
                      previous captured frame: 21.065619000 seconds]</div>
                    <div>    [Time delta from
                      previous displayed frame: 21.065619000 seconds]</div>
                    <div>    [Time since
                      reference or first frame: 27.885737000 seconds]</div>
                    <div>    Frame Number: 27</div>
                    <div>    Frame Length:
                      457 bytes (3656 bits)</div>
                    <div>    Capture Length:
                      457 bytes (3656 bits)</div>
                    <div>    [Frame is
                      marked: False]</div>
                    <div>    [Frame is
                      ignored: False]</div>
                    <div>    [Protocols in
                      frame: eth:ethertype:ip:tcp:tls]</div>
                    <div>    [Coloring Rule
                      Name: TCP]</div>
                    <div>    [Coloring Rule
                      String: tcp]</div>
                    <div>Ethernet II, Src:
                      xxx, Dst: xxx</div>
                    <div>    Destination: xxx</div>
                    <div>        Address: xxx</div>
                    <div>        .... ..0.
                      .... .... .... .... = LG bit: Globally unique
                      address (factory default)</div>
                    <div>        .... ...0
                      .... .... .... .... = IG bit: Individual address
                      (unicast)</div>
                    <div>    Source: xxx</div>
                    <div>        Address: xxx</div>
                    <div>        .... ..0.
                      .... .... .... .... = LG bit: Globally unique
                      address (factory default)</div>
                    <div>        .... ...0
                      .... .... .... .... = IG bit: Individual address
                      (unicast)</div>
                    <div>    Type: IPv4
                      (0x0800)</div>
                    <div>Internet Protocol
                      Version 4, Src: x.y.w.z, Dst: x.y.w.z</div>
                    <div>    0100 .... =
                      Version: 4</div>
                    <div>    .... 0101 =
                      Header Length: 20 bytes (5)</div>
                    <div>    Differentiated
                      Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)</div>
                    <div>        0000 00.. =
                      Differentiated Services Codepoint: Default (0)</div>
                    <div>        .... ..00 =
                      Explicit Congestion Notification: Not ECN-Capable
                      Transport (0)</div>
                    <div>    Total Length:
                      443</div>
                    <div>    Identification:
                      0xeebe (61118)</div>
                    <div>    010. .... =
                      Flags: 0x2, Don't fragment</div>
                    <div>        0... .... =
                      Reserved bit: Not set</div>
                    <div>        .1.. .... =
                      Don't fragment: Set</div>
                    <div>        ..0. .... =
                      More fragments: Not set</div>
                    <div>    ...0 0000 0000
                      0000 = Fragment Offset: 0</div>
                    <div>    Time to Live: 64</div>
                    <div>    Protocol: TCP
                      (6)</div>
                    <div>    Header Checksum:
                      0x0a7b [validation disabled]</div>
                    <div>    [Header checksum
                      status: Unverified]</div>
                    <div>    Source Address:
                      x.y.w.z</div>
                    <div>    Destination
                      Address: x.y.w.z</div>
                    <div>Transmission Control
                      Protocol, Src Port: 34986, Dst Port: xxx, Seq:
                      2771, Ack: 5751, Len: 403</div>
                    <div>    Source Port:
                      34986</div>
                    <div>    Destination
                      Port: xxx</div>
                    <div>    [Stream index:
                      1]</div>
                    <div>    [Conversation
                      completeness: Complete, WITH_DATA (63)]</div>
                    <div>    [TCP Segment
                      Len: 403]</div>
                    <div>    Sequence Number:
                      2771    (relative sequence number)</div>
                    <div>    Sequence Number
                      (raw): 2630184931</div>
                    <div>    [Next Sequence
                      Number: 3174    (relative sequence number)]</div>
                    <div>    Acknowledgment
                      Number: 5751    (relative ack number)</div>
                    <div>    Acknowledgment
                      number (raw): 2509794850</div>
                    <div>    0101 .... =
                      Header Length: 20 bytes (5)</div>
                    <div>    Flags: 0x018
                      (PSH, ACK)</div>
                    <div>        000. ....
                      .... = Reserved: Not set</div>
                    <div>        ...0 ....
                      .... = Accurate ECN: Not set</div>
                    <div>        .... 0...
                      .... = Congestion Window Reduced: Not set</div>
                    <div>        .... .0..
                      .... = ECN-Echo: Not set</div>
                    <div>        .... ..0.
                      .... = Urgent: Not set</div>
                    <div>        .... ...1
                      .... = Acknowledgment: Set</div>
                    <div>        .... ....
                      1... = Push: Set</div>
                    <div>        .... ....
                      .0.. = Reset: Not set</div>
                    <div>        .... ....
                      ..0. = Syn: Not set</div>
                    <div>        .... ....
                      ...0 = Fin: Not set</div>
                    <div>        [TCP Flags:
                      ·······AP···]</div>
                    <div>    Window: 318</div>
                    <div>    [Calculated
                      window size: 40704]</div>
                    <div>    [Window size
                      scaling factor: 128]</div>
                    <div>    Checksum: 0x41b1
                      [unverified]</div>
                    <div>    [Checksum
                      Status: Unverified]</div>
                    <div>    Urgent Pointer:
                      0</div>
                    <div>    [Timestamps]</div>
                    <div>        [Time since
                      first frame in this TCP stream: 22.117390000
                      seconds]</div>
                    <div>        [Time since
                      previous frame in this TCP stream: 21.065619000
                      seconds]</div>
                    <div>    [SEQ/ACK
                      analysis]</div>
                    <div>        [iRTT:
                      0.003010000 seconds]</div>
                    <div>        [Bytes in
                      flight: 403]</div>
                    <div>        [Bytes sent
                      since last PSH flag: 403]</div>
                    <div>    TCP payload (403
                      bytes)</div>
                    <div>Transport Layer
                      Security</div>
                    <div>    TLSv1.2 Record
                      Layer: Application Data Protocol: Application Data</div>
                    <div>        Content
                      Type: Application Data (23)</div>
                    <div>        Version: TLS
                      1.2 (0x0303)</div>
                    <div>        Length: 398</div>
                    <div>        Encrypted
                      Application Data:
0000000000000002be4aae5822b205849734ad881717619991987bc9817d0b0417781265…</div>
                    <div><br>
                    </div>
                    <div><br>
                    </div>
                    <div>28    2023-02-10
                      15:12:10,185930    x.y.w.z     x.y.w.z     TCP   60    xxx
                      → 34986 [RST] Seq=5751 Win=0 Len=0</div>
                    <div>Frame 28: 60 bytes
                      on wire (480 bits), 60 bytes captured (480 bits)</div>
                    <div>    Encapsulation
                      type: Ethernet (1)</div>
                    <div>    Arrival Time:
                      Feb 10, 2023 15:12:10.185930000 Central Europe
                      Standard Time</div>
                    <div>    [Time shift for
                      this packet: 0.000000000 seconds]</div>
                    <div>    Epoch Time:
                      1676038330.185930000 seconds</div>
                    <div>    [Time delta from
                      previous captured frame: 0.002535000 seconds]</div>
                    <div>    [Time delta from
                      previous displayed frame: 0.002535000 seconds]</div>
                    <div>    [Time since
                      reference or first frame: 27.888272000 seconds]</div>
                    <div>    Frame Number: 28</div>
                    <div>    Frame Length: 60
                      bytes (480 bits)</div>
                    <div>    Capture Length:
                      60 bytes (480 bits)</div>
                    <div>    [Frame is
                      marked: False]</div>
                    <div>    [Frame is
                      ignored: False]</div>
                    <div>    [Protocols in
                      frame: eth:ethertype:ip:tcp]</div>
                    <div>    [Coloring Rule
                      Name: TCP RST]</div>
                    <div>    [Coloring Rule
                      String: tcp.flags.reset eq 1]</div>
                    <div>Ethernet II, Src:
                      xxx, Dst: xxx</div>
                    <div>    Destination: xxx</div>
                    <div>        Address: xxx</div>
                    <div>        .... ..0.
                      .... .... .... .... = LG bit: Globally unique
                      address (factory default)</div>
                    <div>        .... ...0
                      .... .... .... .... = IG bit: Individual address
                      (unicast)</div>
                    <div>    Source: xxx</div>
                    <div>        Address: xxx</div>
                    <div>        .... ..0.
                      .... .... .... .... = LG bit: Globally unique
                      address (factory default)</div>
                    <div>        .... ...0
                      .... .... .... .... = IG bit: Individual address
                      (unicast)</div>
                    <div>    Type: IPv4
                      (0x0800)</div>
                    <div>    Trailer:
                      00003b22a540</div>
                    <div>Internet Protocol
                      Version 4, Src: x.y.w.z, Dst: x.y.w.z</div>
                    <div>    0100 .... =
                      Version: 4</div>
                    <div>    .... 0101 =
                      Header Length: 20 bytes (5)</div>
                    <div>    Differentiated
                      Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)</div>
                    <div>        0000 00.. =
                      Differentiated Services Codepoint: Default (0)</div>
                    <div>        .... ..00 =
                      Explicit Congestion Notification: Not ECN-Capable
                      Transport (0)</div>
                    <div>    Total Length: 40</div>
                    <div>    Identification:
                      0xd52f (54575)</div>
                    <div>    010. .... =
                      Flags: 0x2, Don't fragment</div>
                    <div>        0... .... =
                      Reserved bit: Not set</div>
                    <div>        .1.. .... =
                      Don't fragment: Set</div>
                    <div>        ..0. .... =
                      More fragments: Not set</div>
                    <div>    ...0 0000 0000
                      0000 = Fragment Offset: 0</div>
                    <div>    Time to Live: 52</div>
                    <div>    Protocol: TCP
                      (6)</div>
                    <div>    Header Checksum:
                      0x319d [validation disabled]</div>
                    <div>    [Header checksum
                      status: Unverified]</div>
                    <div>    Source Address:
                      x.y.w.z</div>
                    <div>    Destination
                      Address: x.y.w.z</div>
                    <div>Transmission Control
                      Protocol, Src Port: xxx, Dst Port: 34986, Seq:
                      5751, Len: 0</div>
                    <div>    Source Port: xxx</div>
                    <div>    Destination
                      Port: 34986</div>
                    <div>    [Stream index:
                      1]</div>
                    <div>    [Conversation
                      completeness: Complete, WITH_DATA (63)]</div>
                    <div>    [TCP Segment
                      Len: 0]</div>
                    <div>    Sequence Number:
                      5751    (relative sequence number)</div>
                    <div>    Sequence Number
                      (raw): 2509794850</div>
                    <div>    [Next Sequence
                      Number: 5751    (relative sequence number)]</div>
                    <div>    Acknowledgment
                      Number: 0</div>
                    <div>    Acknowledgment
                      number (raw): 0</div>
                    <div>    0101 .... =
                      Header Length: 20 bytes (5)</div>
                    <div>    Flags: 0x004
                      (RST)</div>
                    <div>        000. ....
                      .... = Reserved: Not set</div>
                    <div>        ...0 ....
                      .... = Accurate ECN: Not set</div>
                    <div>        .... 0...
                      .... = Congestion Window Reduced: Not set</div>
                    <div>        .... .0..
                      .... = ECN-Echo: Not set</div>
                    <div>        .... ..0.
                      .... = Urgent: Not set</div>
                    <div>        .... ...0
                      .... = Acknowledgment: Not set</div>
                    <div>        .... ....
                      0... = Push: Not set</div>
                    <div>        .... ....
                      .1.. = Reset: Set</div>
                    <div>        .... ....
                      ..0. = Syn: Not set</div>
                    <div>        .... ....
                      ...0 = Fin: Not set</div>
                    <div>        [TCP Flags:
                      ·········R··]</div>
                    <div>    Window: 0</div>
                    <div>    [Calculated
                      window size: 0]</div>
                    <div>    [Window size
                      scaling factor: 16384]</div>
                    <div>    Checksum: 0xd1cb
                      [unverified]</div>
                    <div>    [Checksum
                      Status: Unverified]</div>
                    <div>    Urgent Pointer:
                      0</div>
                    <div>    [Timestamps]</div>
                    <div>        [Time since
                      first frame in this TCP stream: 22.119925000
                      seconds]</div>
                    <div>        [Time since
                      previous frame in this TCP stream: 0.002535000
                      seconds]</div>
                    <div><br>
                    </div>
                    <div>I have other log
                      collections working fine with TLS.</div>
                    <div><br>
                    </div>
                    <div>Can you please give
                      me a hint as to what could cause this?</div>
                    <div><br>
                    </div>
                    <div>Thank you.</div>
                    <div><br>
                    </div>
                    <div>Br,</div>
                    Dragan<br>
                  </div>
                </div>
              </blockquote>
            </div>
          </blockquote>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </div>

______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>