[syslog-ng] certificate errors result in excessive logging.
Balazs Scheidler
bazsi77 at gmail.com
Mon Oct 21 20:32:54 UTC 2024
you can always use rate-limit:
https://axoflow.com/docs/axosyslog-core/chapter-routing-filters/filters/reference-filters/filter-rate-limit/
Balazs
On Mon, Oct 21, 2024 at 9:58 PM Evan Rempel <erempel at uvic.ca> wrote:
> I don't want to filter them out completely. This still represents an issue
> and the client is unable to log the issue to the central
> log/SIEM/monitoring server. I just don't want to fill up my disks with
> message repeatedly. I only need to "hear about it" once every hour (or some
> other throttled period).
>
> Technically there are lots of ways to leverage syslog-ng configurations to
> address this but I thought that since this would be an issue for anyone
> that has a lot of syslog clients and then has an issue with their
> certificate, I thought there might be a cleaner and more simple way to
> address than the correlation/throttling/filtering tools of syslog-ng.
>
> For me, the log rate is so large that if I have only a small % of my
> clients that have this issue, they will take the service off-line for all
> of the other clients.
>
> --
> Evan
> ------------------------------
> *From:* syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of
> Balazs Scheidler <bazsi77 at gmail.com>
> *Sent:* October 21, 2024 12:47 PM
> *To:* Syslog-ng users' and developers' mailing list <
> syslog-ng at lists.balabit.hu>
> *Subject:* Re: [syslog-ng] certificate errors result in excessive logging.
>
> You don't often get email from bazsi77 at gmail.com. Learn why this is
> important <https://aka.ms/LearnAboutSenderIdentification>
> hi,
>
> I literally submitted a patch this morning to mute #3 from the list above.
> https://github.com/axoflow/axosyslog/pull/352
>
> As for the other two, you can filter these out from your internal() source
> using regexps.
> Bazsi
>
> On Mon, Oct 21, 2024 at 9:30 PM Evan Rempel <erempel at uvic.ca> wrote:
>
> I am using tls configuration with a locally signed certificate. This mans
> that I have to configure a custom root CA on to all client systems for them
> to be able to establish the tls connection to my syslog server.
>
> When the clients are unable to verify the server certificate, the server
> logs three messages for every connection attempt
>
> syslog-ng[452597]: SSL error while reading stream;
> tls_error='error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown
> ca', location='/etc/syslog-ng/syslog-ng.server.conf:71:17'
> syslog-ng[452597]: Error reading RFC6587 style framed data; fd='21',
> error='Connection reset by peer (104)'
> syslog-ng[452597]: Syslog connection closed; fd='21',
> client='AF_INET(1.2.3.4:1234)', local='AF_INET(1.2.3.4:1234)'
>
> If there are 100's of clients, and they try to reconnect at a fast rate
> (every 5 seconds) this can result in a large volume of messages.
>
> Is there any way to configure the logging rate of these types of errors or
> get rid of it altogether.
>
> Anyone have any comments on this?
>
>
>
> --
> Evan
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
> --
> Bazsi
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
--
Bazsi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20241021/d30724ea/attachment.htm>
More information about the syslog-ng
mailing list