[syslog-ng] syslog-ng reset connection before data transfer
Dragan Zecevic
dragan.zecevic at live.com
Thu Feb 23 08:40:12 UTC 2023
Hi again,
Does somebody have an idea on this?
Thank you.
Br,
Dragan
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Dragan Zecevic <dragan.zecevic at live.com>
Sent: Tuesday, February 14, 2023 2:33 PM
To: syslog-ng at lists.balabit.hu <syslog-ng at lists.balabit.hu>
Subject: [syslog-ng] syslog-ng reset connection before data transfer
Hi everybody,
I hope you are well.
I was hoping if you can help me with some issue.
I am trying to collect logs from some servers via syslog.
TLS session seems to be established - handshake, certs, ciphers all looking ok.
But when data need to be send it seems syslog-ng server disconnects the session from some reason.
In /var/log/messages I can only see start/stop messages even after turning on verbose logging:
Feb 10 16:11:48 xxx syslog-ng[21262]: Syslog connection accepted; fd='175', client='AF_INET(x.y.w.z:34986)', local='AF_INET(0.0.0.0:xxx)'
Feb 10 16:11:49 xxx syslog-ng[21262]: Syslog connection closed; fd='175', client='AF_INET(x.y.w.z:34986)', local='AF_INET(0.0.0.0:xxx)'
This is the configuration I am using:
source s_xxx {
syslog(
ip(0.0.0.0)
port(xxx)
transport("tls")
tls(
key-file("/etc/syslog-ng/key.d/xxx.key")
cert-file("/etc/syslog-ng/cert.d/xxx.cer")
ca-dir("/etc/syslog-ng/ca.d")
peer-verify(required-trusted)
cipher-suite("xxx...xxx")
)
flags(store-raw-message)
);
};
filter filter_xxx {
host("xxx") ... or host("xxx");
};
destination folder_xxx {
file(
"/var/log/xxx/${R_YEAR}${R_MONTH}${R_DAY}/${SOURCEIP}_${HOST}_${R_HOUR}.log"
template("${RAWMSG}\n")
dir-group(xxx)
dir-perm(0650)
group(xxx)
);
};
log {
source(s_xxx); filter(filter_xxx); destination(folder_xxx); flags(flow-control);
};
And bellow is last part of the session captured with tcpdump from source side.
It is interesting to me that there is 1h offset comparing to /var/log/messages on syslog-ng. Src and dst server are in same environment.
24 2023-02-10 15:11:49,073335 x.y.w.z x.y.w.z TLSv1.2 445 Application Data
Frame 24: 445 bytes on wire (3560 bits), 445 bytes captured (3560 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Feb 10, 2023 15:11:49.073335000 Central Europe Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1676038309.073335000 seconds
[Time delta from previous captured frame: 0.906559000 seconds]
[Time delta from previous displayed frame: 0.906559000 seconds]
[Time since reference or first frame: 6.775677000 seconds]
Frame Number: 24
Frame Length: 445 bytes (3560 bits)
Capture Length: 445 bytes (3560 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:tls]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: xxx, Dst: xxx
Destination: xxx
Address: xxx
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: xxx
Address: xxx
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: x.y.z.w, Dst: x.y.z.w
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 431
Identification: 0xeebc (61116)
010. .... = Flags: 0x2, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: TCP (6)
Header Checksum: 0x0a89 [validation disabled]
[Header checksum status: Unverified]
Source Address: x.y.z.w
Destination Address: x.y.z.w
Transmission Control Protocol, Src Port: 34986, Dst Port: xxx, Seq: 2380, Ack: 5750, Len: 391
Source Port: 34986
Destination Port: xxx
[Stream index: 1]
[Conversation completeness: Complete, WITH_DATA (63)]
[TCP Segment Len: 391]
Sequence Number: 2380 (relative sequence number)
Sequence Number (raw): 2630184540
[Next Sequence Number: 2771 (relative sequence number)]
Acknowledgment Number: 5750 (relative ack number)
Acknowledgment number (raw): 2509794849
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······AP···]
Window: 318
[Calculated window size: 40704]
[Window size scaling factor: 128]
Checksum: 0x41a5 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[Time since first frame in this TCP stream: 1.007330000 seconds]
[Time since previous frame in this TCP stream: 0.906559000 seconds]
[SEQ/ACK analysis]
[iRTT: 0.003010000 seconds]
[Bytes in flight: 391]
[Bytes sent since last PSH flag: 391]
TCP payload (391 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Application Data Protocol: Application Data
Content Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 386
Encrypted Application Data: 000000000000000146f17ff0e884c81f9317ba9e01c3b48763944e3905fb27fc96ce76fc…
25 2023-02-10 15:11:49,076214 x.y.z.w x.y.z.w TCP 60 xxx → 34986 [FIN, ACK] Seq=5750 Ack=2771 Win=65536 Len=0
Frame 25: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Feb 10, 2023 15:11:49.076214000 Central Europe Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1676038309.076214000 seconds
[Time delta from previous captured frame: 0.002879000 seconds]
[Time delta from previous displayed frame: 0.002879000 seconds]
[Time since reference or first frame: 6.778556000 seconds]
Frame Number: 25
Frame Length: 60 bytes (480 bits)
Capture Length: 60 bytes (480 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
[Coloring Rule Name: TCP SYN/FIN]
[Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: xxx, Dst: xxx
Destination: xxx
Address: xxx
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: xxx
Address: xxx
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Trailer: 000085725dce
Internet Protocol Version 4, Src: x.y.z.w, Dst: x.y.z.w
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 40
Identification: 0xea10 (59920)
010. .... = Flags: 0x2, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 52
Protocol: TCP (6)
Header Checksum: 0x1cbc [validation disabled]
[Header checksum status: Unverified]
Source Address: x.y.z.w
Destination Address: x.y.z.w
Transmission Control Protocol, Src Port: xxx, Dst Port: 34986, Seq: 5750, Ack: 2771, Len: 0
Source Port: xxx
Destination Port: 34986
[Stream index: 1]
[Conversation completeness: Complete, WITH_DATA (63)]
[TCP Segment Len: 0]
Sequence Number: 5750 (relative sequence number)
Sequence Number (raw): 2509794849
[Next Sequence Number: 5751 (relative sequence number)]
Acknowledgment Number: 2771 (relative ack number)
Acknowledgment number (raw): 2630184931
0101 .... = Header Length: 20 bytes (5)
Flags: 0x011 (FIN, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...1 = Fin: Set
[TCP Flags: ·······A···F]
Window: 4
[Calculated window size: 65536]
[Window size scaling factor: 16384]
Checksum: 0xc512 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[Time since first frame in this TCP stream: 1.010209000 seconds]
[Time since previous frame in this TCP stream: 0.002879000 seconds]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 24]
[The RTT to ACK the segment was: 0.002879000 seconds]
[iRTT: 0.003010000 seconds]
26 2023-02-10 15:11:49,117776 x.y.z.w x.y.z.w TCP 54 34986 → xxx [ACK] Seq=2771 Ack=5751 Win=40704 Len=0
Frame 26: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Feb 10, 2023 15:11:49.117776000 Central Europe Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1676038309.117776000 seconds
[Time delta from previous captured frame: 0.041562000 seconds]
[Time delta from previous displayed frame: 0.041562000 seconds]
[Time since reference or first frame: 6.820118000 seconds]
Frame Number: 26
Frame Length: 54 bytes (432 bits)
Capture Length: 54 bytes (432 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: Mellanox_69:6f:47 (1c:34:da:69:6f:47), Dst: ICANNIAN_00:40:20 (00:00:5e:00:40:20)
Destination: ICANNIAN_00:40:20 (00:00:5e:00:40:20)
Address: ICANNIAN_00:40:20 (00:00:5e:00:40:20)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Mellanox_69:6f:47 (1c:34:da:69:6f:47)
Address: Mellanox_69:6f:47 (1c:34:da:69:6f:47)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: x.y.z.w, Dst: x.y.z.w
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 40
Identification: 0xeebd (61117)
010. .... = Flags: 0x2, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: TCP (6)
Header Checksum: 0x0c0f [validation disabled]
[Header checksum status: Unverified]
Source Address: x.y.z.w
Destination Address: x.y.z.w
Transmission Control Protocol, Src Port: 34986, Dst Port: xxx, Seq: 2771, Ack: 5751, Len: 0
Source Port: 34986
Destination Port: xxx
[Stream index: 1]
[Conversation completeness: Complete, WITH_DATA (63)]
[TCP Segment Len: 0]
Sequence Number: 2771 (relative sequence number)
Sequence Number (raw): 2630184931
[Next Sequence Number: 2771 (relative sequence number)]
Acknowledgment Number: 5751 (relative ack number)
Acknowledgment number (raw): 2509794850
0101 .... = Header Length: 20 bytes (5)
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A····]
Window: 318
[Calculated window size: 40704]
[Window size scaling factor: 128]
Checksum: 0x401e [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[Time since first frame in this TCP stream: 1.051771000 seconds]
[Time since previous frame in this TCP stream: 0.041562000 seconds]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 25]
[The RTT to ACK the segment was: 0.041562000 seconds]
[iRTT: 0.003010000 seconds]
27 2023-02-10 15:12:10,183395 x.y.w.z x.y.w.z TLSv1.2 457 Application Data
Frame 27: 457 bytes on wire (3656 bits), 457 bytes captured (3656 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Feb 10, 2023 15:12:10.183395000 Central Europe Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1676038330.183395000 seconds
[Time delta from previous captured frame: 21.065619000 seconds]
[Time delta from previous displayed frame: 21.065619000 seconds]
[Time since reference or first frame: 27.885737000 seconds]
Frame Number: 27
Frame Length: 457 bytes (3656 bits)
Capture Length: 457 bytes (3656 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:tls]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: xxx, Dst: xxx
Destination: xxx
Address: xxx
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: xxx
Address: xxx
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: x.y.w.z, Dst: x.y.w.z
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 443
Identification: 0xeebe (61118)
010. .... = Flags: 0x2, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: TCP (6)
Header Checksum: 0x0a7b [validation disabled]
[Header checksum status: Unverified]
Source Address: x.y.w.z
Destination Address: x.y.w.z
Transmission Control Protocol, Src Port: 34986, Dst Port: xxx, Seq: 2771, Ack: 5751, Len: 403
Source Port: 34986
Destination Port: xxx
[Stream index: 1]
[Conversation completeness: Complete, WITH_DATA (63)]
[TCP Segment Len: 403]
Sequence Number: 2771 (relative sequence number)
Sequence Number (raw): 2630184931
[Next Sequence Number: 3174 (relative sequence number)]
Acknowledgment Number: 5751 (relative ack number)
Acknowledgment number (raw): 2509794850
0101 .... = Header Length: 20 bytes (5)
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······AP···]
Window: 318
[Calculated window size: 40704]
[Window size scaling factor: 128]
Checksum: 0x41b1 [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[Time since first frame in this TCP stream: 22.117390000 seconds]
[Time since previous frame in this TCP stream: 21.065619000 seconds]
[SEQ/ACK analysis]
[iRTT: 0.003010000 seconds]
[Bytes in flight: 403]
[Bytes sent since last PSH flag: 403]
TCP payload (403 bytes)
Transport Layer Security
TLSv1.2 Record Layer: Application Data Protocol: Application Data
Content Type: Application Data (23)
Version: TLS 1.2 (0x0303)
Length: 398
Encrypted Application Data: 0000000000000002be4aae5822b205849734ad881717619991987bc9817d0b0417781265…
28 2023-02-10 15:12:10,185930 x.y.w.z x.y.w.z TCP 60 xxx → 34986 [RST] Seq=5751 Win=0 Len=0
Frame 28: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Feb 10, 2023 15:12:10.185930000 Central Europe Standard Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1676038330.185930000 seconds
[Time delta from previous captured frame: 0.002535000 seconds]
[Time delta from previous displayed frame: 0.002535000 seconds]
[Time since reference or first frame: 27.888272000 seconds]
Frame Number: 28
Frame Length: 60 bytes (480 bits)
Capture Length: 60 bytes (480 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
[Coloring Rule Name: TCP RST]
[Coloring Rule String: tcp.flags.reset eq 1]
Ethernet II, Src: xxx, Dst: xxx
Destination: xxx
Address: xxx
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: xxx
Address: xxx
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Trailer: 00003b22a540
Internet Protocol Version 4, Src: x.y.w.z, Dst: x.y.w.z
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 40
Identification: 0xd52f (54575)
010. .... = Flags: 0x2, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 52
Protocol: TCP (6)
Header Checksum: 0x319d [validation disabled]
[Header checksum status: Unverified]
Source Address: x.y.w.z
Destination Address: x.y.w.z
Transmission Control Protocol, Src Port: xxx, Dst Port: 34986, Seq: 5751, Len: 0
Source Port: xxx
Destination Port: 34986
[Stream index: 1]
[Conversation completeness: Complete, WITH_DATA (63)]
[TCP Segment Len: 0]
Sequence Number: 5751 (relative sequence number)
Sequence Number (raw): 2509794850
[Next Sequence Number: 5751 (relative sequence number)]
Acknowledgment Number: 0
Acknowledgment number (raw): 0
0101 .... = Header Length: 20 bytes (5)
Flags: 0x004 (RST)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .1.. = Reset: Set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·········R··]
Window: 0
[Calculated window size: 0]
[Window size scaling factor: 16384]
Checksum: 0xd1cb [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
[Timestamps]
[Time since first frame in this TCP stream: 22.119925000 seconds]
[Time since previous frame in this TCP stream: 0.002535000 seconds]
I have other log collections working fine with TLS.
Can you please give me some hint what could cause this?
Thank you.
Br,
Dragan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20230223/71b7b35c/attachment-0001.htm>
More information about the syslog-ng
mailing list