Hi,

The problem that I am facing in a VRF aware system (which is working as syslog-ng relay) is the following:

- I have two network interfaces eth0 and eth1.

- eth0 is bound to internal/default VRF, and it must receive log messages from an "Internal network" where some syslog-ng clients are connected.

- eth1 is bound to MGMT VRF, and it must send log messages to an external syslog-ng server.

Currently, syslog-ng does not support the binding of interfaces in both VRFs.

From the information I gathered:

- Application can talk across VRF, for this to happen it has to bind the socket to the specific INTERFACE belonging to the different VRF.

- If Application want use INTERFACE_ANY option they have to assign to specific VRF and there connectivity will be limited to that VRF.

Right now, I overcome this problem by using an architecture composed of 2 syslog-ng services:

- one working in the default VRF, which receives messages from eth0 and send the messages to an unix domain socket. Like a default Debian service.

- the other syslog-ng service is running in the MGMT VRF:

/sbin/ip vrf exec MGMT /usr/bin/syslog-ng -F --cfgfile=/etc/syslog-ng/mgmt-syslog-ng.conf --pidfile=/var/lib/syslog-ng/mgmt-syslog-ng.pid --persist-file=/var/lib/syslog-ng/mgmt-syslog-ng.persist --control=/var/lib/syslog-ng/mgmt-syslog-ng.ctl

This service reads log messages from the unix domain socket and sends it to the external syslog-ng server via eth1.

Some documentation on VRF:

https://cumulusnetworks.com/blog/vrf-for-linux/

Cheers,

Alex

On Wed, Aug 5, 2020 at 11:08 PM PÁSZTOR György <pasztor@linux.gyakg.u-szeged.hu> wrote:

Hi,

"Alexandre Santos" <alexandre.rosas.santos@gmail.com> írta 2020-07-24 11:03-kor:
> Any plans to make syslog-ng VRF aware?

Can you define your expectations as vrf-aware?

To make things clear, I suggest to provide a pcap from two different vrfs,
or one pcap with two syslog packet in it, and an example what gots into the
logfile in both case, and what would be your exepctation.
Or if they should not get to a logfile, than define that.
This kind of approach helps a lot:
- describe what is your current input (with examples from two different vrfs)
- describe the behaviour what you are experiencing now (two logfile part,
what you got out of the example messages)
- define the behaviour what you expect. (eg. another two txt files, but now
with the content you would see in them)
This is defining behaviour.

If you copy message parts into the body of the message, that will be
displayed in various ways depending on the mailer.
I suggest for this few exceptions to use attachments.
I'm not aware of the mailinglist would filter attachments out.
A don't think one or two small pcap and txt attachment would violate coc
here.

Or if you don't want to "spam" mailinglist with attachments, that is still
an option that you open an issue on github and attach the files there
Than we discuss the subject here, in that case you only have to shere the
link to your issue here.

I worked with ciscos earlier, though not that deep that I had to use vrfs,
but still don't understand, what is your expectation here.
Also, if you can openly share what models / ios versions you are using, it
could help a lot. Eg. if that model supports ietf syslog protocol, maybe we
don't even need to hack an old legacy format (rfc 3164), what cisco
implements in so creative ways that it isn't even consistent with
themselves.

Cheers,
Gyu
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq