<div dir="ltr"><div>You can always use rate-limit: <a href="https://axoflow.com/docs/axosyslog-core/chapter-routing-filters/filters/reference-filters/filter-rate-limit/">https://axoflow.com/docs/axosyslog-core/chapter-routing-filters/filters/reference-filters/filter-rate-limit/</a></div><div><br></div><div>Balazs</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Oct 21, 2024 at 9:58 PM Evan Rempel &lt;<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg-3622261664690451922">




<div dir="ltr">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
I don't want to filter them out completely. This still represents an issue and the client is unable to log the issue to the central log/SIEM/monitoring server. I just don't want to fill up my disks with the message repeatedly. I only need to "hear about it" once
 every hour (or some other throttled period).</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Technically there are lots of ways to leverage syslog-ng configurations to address this, but since this would be an issue for anyone that has a lot of syslog clients and then has an issue with their certificate, I thought there might be a cleaner
 and simpler way to address it than the correlation/throttling/filtering tools of syslog-ng.</div>
<div id="m_-3622261664690451922Signature">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
For me, the log rate is so large that if I have only a small % of my clients that have this issue, they will take the service off-line for all of the other clients.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(153,153,153)">
--</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(153,153,153)">
Evan</div>
</div>
<div id="m_-3622261664690451922appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="m_-3622261664690451922divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng &lt;<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>&gt; on behalf of Balazs Scheidler &lt;<a href="mailto:bazsi77@gmail.com" target="_blank">bazsi77@gmail.com</a>&gt;<br>
<b>Sent:</b> October 21, 2024 12:47 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list &lt;<a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a>&gt;<br>
<b>Subject:</b> Re: [syslog-ng] certificate errors result in excessive logging.</font>
<div> </div>
</div>
<div>
<div>
<div dir="ltr">
<div>hi,</div>
<div><br>
</div>
<div>I literally submitted a patch this morning to mute #3 from the list above.</div>
<div><a href="https://github.com/axoflow/axosyslog/pull/352" target="_blank">https://github.com/axoflow/axosyslog/pull/352</a></div>
<div><br>
</div>
<div>As for the other two, you can filter these out from your internal() source using regexps.</div>
<div>Bazsi<br>
</div>
</div>
<br>
<div>
<div dir="ltr">On Mon, Oct 21, 2024 at 9:30 PM Evan Rempel &lt;<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt; wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div dir="ltr">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
I am using tls configuration with a locally signed certificate. This means that I have to configure a custom root CA on to all client systems for them to be able to establish the tls connection to my syslog server.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
When the clients are unable to verify the server certificate, the server logs three messages for every connection attempt:</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
syslog-ng[452597]: SSL error while reading stream; tls_error='error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca', location='/etc/syslog-ng/syslog-ng.server.conf:71:17'</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
syslog-ng[452597]: Error reading RFC6587 style framed data; fd='21', error='Connection reset by peer (104)'</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
syslog-ng[452597]: Syslog connection closed; fd='21', client='AF_INET(1.2.3.4:1234)', local='AF_INET(1.2.3.4:1234)'</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
If there are 100's of clients, and they try to reconnect at a fast rate (every 5 seconds) this can result in a large volume of messages.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Is there any way to configure the logging rate of these types of errors or get rid of it altogether?</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Anyone have any comments on this?</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div id="m_-3622261664690451922x_m_4590914075091254945Signature">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:"Courier New",monospace;font-size:14.6667px;color:rgb(153,153,153)">
<span style="background-color:rgb(255,255,255)">--</span></div>
<div style="font-family:"Courier New",monospace;font-size:14.6667px;color:rgb(153,153,153)">
<span style="background-color:rgb(255,255,255)">Evan</span></div>
</div>
</div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">
https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">
http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</div>
</blockquote>
</div>
<br clear="all">
<br>
<span>-- </span><br>
<div dir="ltr">Bazsi</div>
</div>
</div>
</div>

</div></blockquote></div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature">Bazsi</div>
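A configuration sketch combining the two suggestions in this thread (matching the messages from the internal() source by regexp, then applying rate-limit()); it is an added example, not configuration posted by anyone in the thread or taken from the AxoSyslog project. The names s_internal, f_tls_reconnect_noise and d_internal, the bucket key and the file path are assumptions. rate() counts messages per second for each key, so this caps the flood rather than giving one message per hour.

```conf
# Added example: fragment to merge into an existing server configuration.
# s_internal, f_tls_reconnect_noise, d_internal and the file path are
# assumed names, not taken from the thread.

source s_internal { internal(); };

# Matches the three per-connection messages quoted in the thread.
# Note: "Syslog connection closed" is also logged for ordinary
# disconnects, so those are throttled together with the TLS failures.
filter f_tls_reconnect_noise {
    message("SSL error while reading stream")
    or message("Error reading RFC6587 style framed data")
    or message("Syslog connection closed");
};

destination d_internal { file("/var/log/syslog-ng/internal.log"); };

log {
    source(s_internal);
    if (filter(f_tls_reconnect_noise)) {
        # Constant key: all matching messages share one bucket, so
        # roughly one of them per second reaches the destination.
        filter { rate-limit(template("tls-reconnect-noise") rate(1)); };
    };
    # Every other internal message passes through unthrottled.
    destination(d_internal);
};
```

The fd and client values differ on every connection, so keying the bucket on the message text would create a new bucket per connection attempt and throttle nothing; a constant key avoids that.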