[syslog-ng] certificate errors result in excessive logging.

Evan Rempel erempel at uvic.ca
Mon Oct 21 19:58:15 UTC 2024


I don't want to filter them out completely. This still represents an issue and the client is unable to log the issue to the central log/SIEM/monitoring server. I just don't want to fill up my disks with messages repeatedly. I only need to "hear about it" once every hour (or some other throttled period).

Technically there are lots of ways to leverage syslog-ng configurations to address this, but since this would be an issue for anyone that has a lot of syslog clients and then has an issue with their certificate, I thought there might be a cleaner and more simple way to address it than the correlation/throttling/filtering tools of syslog-ng.

For me, the log rate is so large that if I have only a small % of my clients that have this issue, they will take the service off-line for all of the other clients.

--
Evan
________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Balazs Scheidler <bazsi77 at gmail.com>
Sent: October 21, 2024 12:47 PM
To: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] certificate errors result in excessive logging.

hi,

I literally submitted a patch this morning to mute #3 from the list above.
https://github.com/axoflow/axosyslog/pull/352

As for the other two, you can filter these out from your internal() source using regexps.
Bazsi

On Mon, Oct 21, 2024 at 9:30 PM Evan Rempel <erempel at uvic.ca> wrote:
I am using tls configuration with a locally signed certificate. This means that I have to configure a custom root CA onto all client systems for them to be able to establish the tls connection to my syslog server.

When the clients are unable to verify the server certificate, the server logs three messages for every connection attempt

syslog-ng[452597]: SSL error while reading stream; tls_error='error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca', location='/etc/syslog-ng/syslog-ng.server.conf:71:17'
syslog-ng[452597]: Error reading RFC6587 style framed data; fd='21', error='Connection reset by peer (104)'
syslog-ng[452597]: Syslog connection closed; fd='21', client='AF_INET(1.2.3.4:1234)', local='AF_INET(1.2.3.4:1234)'

If there are 100's of clients, and they try to reconnect at a fast rate (every 5 seconds) this can result in a large volume of messages.

Is there any way to configure the logging rate of these types of errors or get rid of it altogether?

Anyone have any comments on this?



--
Evan



--
Bazsi
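
The hourly throttling asked for in this thread, sketched as an added Python example (not part of the original messages and not syslog-ng or axosyslog code). It keys on the message class and error text rather than on the client, because the fd and address change on every attempt and the TLS error line carries no client address at all. The `Throttle` class, `demo()` and the one-hour default window are assumptions for illustration; the sample input is constructed from the three log lines quoted above.

```python
import re

# The three per-connection messages quoted in the thread; fd/client parts vary, so are not matched.
NOISY = [
    ("tls_error", re.compile(r"SSL error while reading stream; tls_error='([^']*)'")),
    ("framing_error", re.compile(r"Error reading RFC6587 style framed data; .*error='([^']*)'")),
    ("conn_closed", re.compile(r"Syslog connection closed; ()")),
]

class Throttle:
    """Pass the first message of each class per window and count the rest."""
    def __init__(self, window=3600):
        self.window = window      # seconds; one hour, as asked for in the thread
        self.state = {}           # key -> [window_start, suppressed_count]

    def classify(self, msg):
        for name, rx in NOISY:
            m = rx.search(msg)
            if m:
                return (name, m.group(1))
        return None

    def feed(self, ts, msg):
        """Return the lines to write for a message seen at epoch second ts."""
        key = self.classify(msg)
        if key is None:
            return [msg]          # unrelated messages are never throttled
        entry = self.state.get(key)
        if entry is not None and ts - entry[0] < self.window:
            entry[1] += 1         # inside the window: count it, write nothing
            return []
        out = []
        if entry is not None and entry[1]:  # summary is written lazily, with the next window's first message
            out.append(f"throttled {key[0]} {key[1]!r}: {entry[1]} repeats suppressed")
        self.state[key] = [ts, 0]
        return out + [msg]

def demo():
    """Constructed input: one failing client retrying every 5 s for two hours."""
    t, written, total = Throttle(), [], 0
    for ts in range(0, 7200, 5):
        fd = 20 + ts % 7          # constructed; varies the way real fd numbers do
        for msg in (
            "SSL error while reading stream; tls_error='error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca', location='/etc/syslog-ng/syslog-ng.server.conf:71:17'",
            f"Error reading RFC6587 style framed data; fd='{fd}', error='Connection reset by peer (104)'",
            f"Syslog connection closed; fd='{fd}', client='AF_INET(1.2.3.4:1234)', local='AF_INET(1.2.3.4:1234)'",
        ):
            total += 1
            written += t.feed(ts, msg)
    return total, written
```

On the constructed input, 4320 messages are reduced to 9 written lines: the first occurrence of each message class in each hour, plus a suppressed-count summary per class at the start of the second hour.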