<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I don't want to filter them out completely. This still represents an issue and the client is unable to log the issue to the central log/SIEM/monitoring server. I just don't want to fill up my disks with messages repeatedly. I only need to "hear about it" once
 every hour (or some other throttled period).</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Technically, there are lots of ways to leverage syslog-ng configurations to address this, but since this would be an issue for anyone that has a lot of syslog clients and then has an issue with their certificate, I thought there might be a cleaner
 and simpler way to address it than the correlation/throttling/filtering tools of syslog-ng.</div>
<div id="Signature" class="elementToProof">
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
For me, the log rate is so large that if I have only a small % of my clients that have this issue, they will take the service off-line for all of the other clients.</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(153, 153, 153);">
--</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(153, 153, 153);">
Evan</div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng &lt;syslog-ng-bounces@lists.balabit.hu&gt; on behalf of Balazs Scheidler &lt;bazsi77@gmail.com&gt;<br>
<b>Sent:</b> October 21, 2024 12:47 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list &lt;syslog-ng@lists.balabit.hu&gt;<br>
<b>Subject:</b> Re: [syslog-ng] certificate errors result in excessive logging.</font>
<div> </div>
</div>
<div>
<div>
<div dir="ltr">
<div>hi,</div>
<div><br>
</div>
<div>I literally submitted a patch this morning to mute #3 from the list above.</div>
<div><a href="https://github.com/axoflow/axosyslog/pull/352">https://github.com/axoflow/axosyslog/pull/352</a></div>
<div><br>
</div>
<div>As for the other two, you can filter these out from your internal() source using regexps.</div>
<div>Bazsi<br>
</div>
</div>
<br>
<div class="x_gmail_quote">
<div dir="ltr" class="x_gmail_attr">On Mon, Oct 21, 2024 at 9:30 PM Evan Rempel &lt;<a href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>&gt; wrote:<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div class="x_msg4590914075091254945">
<div dir="ltr">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
I am using tls configuration with a locally signed certificate. This means that I have to configure a custom root CA onto all client systems for them to be able to establish the tls connection to my syslog server.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
When the clients are unable to verify the server certificate, the server logs three messages for every connection attempt:</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
syslog-ng[452597]: SSL error while reading stream; tls_error='error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca', location='/etc/syslog-ng/syslog-ng.server.conf:71:17'</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
syslog-ng[452597]: Error reading RFC6587 style framed data; fd='21', error='Connection reset by peer (104)'</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
syslog-ng[452597]: Syslog connection closed; fd='21', client='AF_INET(1.2.3.4:1234)', local='AF_INET(1.2.3.4:1234)'</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
If there are 100's of clients, and they try to reconnect at a fast rate (every 5 seconds) this can result in a large volume of messages.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Is there any way to configure the logging rate of these types of errors or get rid of it altogether?</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Anyone have any comments on this?</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div id="x_m_4590914075091254945Signature">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:'Courier New',monospace; font-size:14.6667px; color:rgb(153,153,153)">
<span style="background-color:rgb(255,255,255)">--</span></div>
<div style="font-family:'Courier New',monospace; font-size:14.6667px; color:rgb(153,153,153)">
<span style="background-color:rgb(255,255,255)">Evan</span></div>
</div>
</div>
</div>
</blockquote>
</div>
<br clear="all">
<br>
<span class="x_gmail_signature_prefix">-- </span><br>
<div dir="ltr" class="x_gmail_signature">Bazsi</div>
</div>
</div>
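<div>The "hear about it once every hour" behaviour asked for in this thread, as an added example that is not part of the original messages and is not syslog-ng or the linked patch's code. It groups the three internal() messages quoted above by their text and stable fields, passes the first of each group per period and counts the rest; the <code>Throttle</code> class, the second client address, the server address <code>10.0.0.1:6514</code> and the generated timestamps are constructed for illustration.</div>

```python
import re

# syslog-ng internal() messages have the shape: text; key='value', key='value'
PREFIX = re.compile(r"^syslog-ng\[\d+\]: ")
KV = re.compile(r"(\w+)='([^']*)'")
EPHEMERAL_PORT = re.compile(r":\d+\)$")
VOLATILE = {"fd"}  # differs on every connection, so it must not split groups

def throttle_key(line):
    """Group messages by text plus the fields that identify the problem."""
    text, _, rest = PREFIX.sub("", line, count=1).partition("; ")
    fields = []
    for name, value in KV.findall(rest):
        if name in VOLATILE:
            continue
        if name == "client":  # keep the client address, drop its source port
            value = EPHEMERAL_PORT.sub(")", value)
        fields.append((name, value))
    return text, tuple(fields)

class Throttle:
    """Pass the first message of each group per period, count the rest."""
    def __init__(self, period=3600):
        self.period = period
        self.state = {}  # key -> [window start, suppressed count]

    def feed(self, ts, line):
        key = throttle_key(line)
        entry = self.state.get(key)
        if entry is not None and ts - entry[0] < self.period:
            entry[1] += 1
            return []
        self.state[key] = [ts, 0]
        if entry is not None and entry[1]:
            return [f"suppressed {entry[1]} repeats of: {key[0]}", line]
        return [line]

def run_demo():
    """Constructed input: two clients failing TLS every 5 seconds for 2 hours."""
    throttle, seen, written = Throttle(3600), 0, []
    for ts in range(0, 7200, 5):
        for n, ip in enumerate(("1.2.3.4", "5.6.7.8")):
            for line in (
                "syslog-ng[452597]: SSL error while reading stream; tls_error='error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca', location='/etc/syslog-ng/syslog-ng.server.conf:71:17'",
                f"syslog-ng[452597]: Error reading RFC6587 style framed data; fd='{20 + n}', error='Connection reset by peer (104)'",
                f"syslog-ng[452597]: Syslog connection closed; fd='{20 + n}', client='AF_INET({ip}:{40000 + ts // 5})', local='AF_INET(10.0.0.1:6514)'",
            ):
                seen += 1
                written += throttle.feed(ts, line)
    return seen, written

if __name__ == "__main__":
    seen, written = run_demo()
    print(f"{seen} lines in, {len(written)} lines written")
```

<div>Only the "Syslog connection closed" message carries a client address, so it is the only one of the three that can be throttled per client; the other two collapse into one group each for the whole server.</div>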
</body>
</html>