[syslog-ng] Syslog forwarding with TCP.

Davis, Jay syslog-ng@lists.balabit.hu
Tue, 19 Oct 2004 19:39:35 -0400



We are using syslog-ng in a test lab environment to get syslog messages
out of the testlab into another environment. So several systems are
forwarding messages to a bastion host of sorts, which then forwards by
traversing a firewall to another host. The messages have to traverse a
firewall (NAT). We decided to use TCP because it is a bit easier to get
past the security guys. We have noticed behavior which is the nature of
TCP: several (lines) of a syslog message ending up in the same packet
(using a sniffer). Although interesting, this is not the problem. We
have noticed that some messages are getting lost. So the questions:

a) Can we change something to have one message per packet with syslog-ng
settings?
b) Has anyone else seen this behavior (or is anyone even using TCP)?
c) Any other clues as to why a TCP session that is stable would drop
packets?
