6 Aug 2020, 9 p.m.
Hi,

The problem that I am facing in a VRF-aware system (which is working as a syslog-ng relay) is the following:

- I have two network interfaces, eth0 and eth1.
- eth0 is bound to the internal/default VRF, and it must receive log messages from an "internal network" where some syslog-ng clients are connected.
- eth1 is bound to the MGMT VRF, and it must send log messages to an external syslog-ng server.

Currently, syslog-ng does not support binding interfaces in both VRFs.

From the information I gathered:

- An application can talk across VRFs; for this to happen it has to bind the socket to the specific INTERFACE belonging to the other VRF.
- If an application wants to use the INTERFACE_ANY option, it has to be assigned to a specific VRF, and its connectivity will be limited to that VRF.

Right now, I overcome this problem by using an architecture composed of 2 syslog-ng services:

- one working in the default VRF, which receives messages from eth0 and sends the messages to a unix domain socket, like the default Debian service;
- the other syslog-ng service is running in the MGMT VRF:

  /sbin/ip vrf exec MGMT /usr/bin/syslog-ng -F --cfgfile=/etc/syslog-ng/mgmt-syslog-ng.conf --pidfile=/var/lib/syslog-ng/mgmt-syslog-ng.pid --persist-file=/var/lib/syslog-ng/mgmt-syslog-ng.persist --control=/var/lib/syslog-ng/mgmt-syslog-ng.ctl

  This service reads log messages from the unix domain socket and sends them to the external syslog-ng server via eth1.

Some documentation on VRF: https://cumulusnetworks.com/blog/vrf-for-linux/

Cheers,
Alex

On Wed, Aug 5, 2020 at 11:08 PM PÁSZTOR György <pasztor@linux.gyakg.u-szeged.hu> wrote:
> Hi,
>
> "Alexandre Santos" <alexandre.rosas.santos@gmail.com> wrote on 2020-07-24 at 11:03:
> > Any plans to make syslog-ng VRF aware?
>
> Can you define your expectations as VRF-aware?
>
> To make things clear, I suggest providing a pcap from two different VRFs, or one pcap with two syslog packets in it, an example of what gets into the logfile in both cases, and what your expectation would be.
> Or if they should not get to a logfile, then define that.
> This kind of approach helps a lot:
> - describe what your current input is (with examples from two different VRFs)
> - describe the behaviour you are experiencing now (two logfile parts, what you got out of the example messages)
> - define the behaviour you expect (e.g. another two txt files, but now with the content you would see in them)
> This is defining behaviour.
>
> If you copy message parts into the body of the message, they will be displayed in various ways depending on the mailer.
> I suggest using attachments for these few exceptions.
> I'm not aware that the mailing list would filter attachments out.
> I don't think one or two small pcap and txt attachments would violate the CoC here.
>
> Or if you don't want to "spam" the mailing list with attachments, it is still an option to open an issue on GitHub and attach the files there. Then we discuss the subject here; in that case you only have to share the link to your issue here.
>
> I worked with Ciscos earlier, though not that deep that I had to use VRFs, but I still don't understand what your expectation is here.
> Also, if you can openly share what models / IOS versions you are using, it could help a lot. E.g. if that model supports the IETF syslog protocol, maybe we don't even need to hack an old legacy format (RFC 3164), which Cisco implements in such creative ways that it isn't even consistent with itself.
>
> Cheers,
> Gyu
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
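The two-instance workaround Alex describes above, written out as an added example (this is editor-supplied illustration, not configuration from the post or from the syslog-ng project). It renders one config for the default-VRF receiver (bound to eth0's address, handing everything to a unix domain socket) and one for the MGMT-VRF forwarder (reading that socket, sending over TLS from eth1's address), checks that both agree on the socket path, and starts the second instance with the exact `ip vrf exec` command line from the post. The VRF name MGMT and the command-line flags are from the post; the addresses 192.0.2.10 (eth0), 198.51.100.10 (eth1), the collector 203.0.113.5:6514, the CA path, the `@version` line and the socket path are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the post): two syslog-ng instances bridged over a
# unix domain socket, one in the default VRF and one in the MGMT VRF.
# Assumed values: eth0 = 192.0.2.10, eth1 = 198.51.100.10,
# external collector = 203.0.113.5:6514, CA file and socket path below.
set -eu

BRIDGE_SOCK="/run/syslog-ng/vrf-bridge.sock"
CONF_DIR="${CONF_DIR:-/etc/syslog-ng}"

# Default-VRF instance: bind only to eth0's address (never INADDR_ANY, which
# would pin the whole process to one VRF) and push every message to the bridge.
render_default_conf() {
    cat <<EOF
@version: 3.25
source s_internal {
    network(ip("192.0.2.10") port(514) transport("udp"));
    network(ip("192.0.2.10") port(514) transport("tcp"));
};
destination d_bridge {
    unix-stream("$BRIDGE_SOCK");
};
log { source(s_internal); destination(d_bridge); };
EOF
}

# MGMT-VRF instance: own the socket with restrictive permissions (it is the only
# hop between the two VRFs), and source outbound connections from eth1's address.
render_mgmt_conf() {
    cat <<EOF
@version: 3.25
source s_bridge {
    unix-stream("$BRIDGE_SOCK" owner("root") group("root") perm(0600));
};
destination d_external {
    syslog("203.0.113.5" port(6514) transport("tls")
        localip("198.51.100.10")
        tls(ca-file("/etc/syslog-ng/ca.crt") peer-verify(required-trusted))
    );
};
log { source(s_bridge); destination(d_external); };
EOF
}

# Both instances must name the same socket; extract the path from each
# rendered config and compare, so a typo cannot silently drop all forwarding.
bridge_path_matches() {
    a=$(render_default_conf | sed -n 's/.*unix-stream("\([^"]*\)".*/\1/p')
    b=$(render_mgmt_conf    | sed -n 's/.*unix-stream("\([^"]*\)".*/\1/p')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Write both configs (run as root on the relay) and let syslog-ng's own parser
# check them when it is installed; skip the parse step otherwise.
write_configs() {
    bridge_path_matches
    render_default_conf > "$CONF_DIR/syslog-ng.conf"
    render_mgmt_conf    > "$CONF_DIR/mgmt-syslog-ng.conf"
    chmod 0640 "$CONF_DIR/syslog-ng.conf" "$CONF_DIR/mgmt-syslog-ng.conf"
    if command -v syslog-ng >/dev/null 2>&1; then
        syslog-ng --syntax-only --cfgfile="$CONF_DIR/syslog-ng.conf"
        syslog-ng --syntax-only --cfgfile="$CONF_DIR/mgmt-syslog-ng.conf"
    else
        echo "syslog-ng not installed; skipping syntax check" >&2
    fi
}

# Start the forwarder inside the MGMT VRF with the flags from the post.
start_mgmt_instance() {
    exec /sbin/ip vrf exec MGMT /usr/bin/syslog-ng -F \
        --cfgfile="$CONF_DIR/mgmt-syslog-ng.conf" \
        --pidfile=/var/lib/syslog-ng/mgmt-syslog-ng.pid \
        --persist-file=/var/lib/syslog-ng/mgmt-syslog-ng.persist \
        --control=/var/lib/syslog-ng/mgmt-syslog-ng.ctl
}

case "${1:-}" in
    install) write_configs ;;
    start)   start_mgmt_instance ;;
    *)       ;;   # no argument: only define the functions
esac
```

A Linux VRF is a routing domain, not a network namespace, so both processes share the same filesystem and the socket path needs no mount tricks; the trade-off is that the socket is now the unauthenticated hop between the two routing domains, which is why the MGMT-side source owns it with `perm(0600)` and the outbound leg uses TLS with peer verification. The default-VRF instance deliberately binds to eth0's address rather than 0.0.0.0, matching the INTERFACE_ANY restriction Alex mentions.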