Chat now with support
Chat with Support

syslog-ng Premium Edition 6.0.18 - Administration Guide

Preface Chapter 1. Introduction to syslog-ng Chapter 2. The concepts of syslog-ng Chapter 3. Installing syslog-ng Chapter 4. The syslog-ng PE quick-start guide Chapter 5. The syslog-ng PE configuration file Chapter 6. Collecting log messages — sources and source drivers Chapter 7. Sending and storing log messages — destinations and destination drivers Chapter 8. Routing messages: log paths, reliability, and filters Chapter 9. Global options of syslog-ng PE Chapter 10. TLS-encrypted message transfer Chapter 11. FIPS-compliant syslog-ng Chapter 12.  Reliable Log Transfer Protocol™ Chapter 13. Reliability and minimizing the loss of log messages Chapter 14. Manipulating messages Chapter 15. Parsing and segmenting structured messages Chapter 16. Processing message content with a pattern database Chapter 17. Statistics and metrics of syslog-ng Chapter 18. Multithreading and scaling in syslog-ng PE Chapter 19. Troubleshooting syslog-ng Chapter 20. Best practices and examples

Legal Notice of FIPS Compliance of Syslog-ng Premium Edition

Syslog-ng Premium Edition version 5.0.4 and the subsequent releases may claim FIPS compliance by use of the OpenSSL FIPS Object Module v2.0.5 cryptographic component. This component was certified by the Open Source Software Institute and obtained the FIPS-140-2 validation Level 1 (certificate number 1747) from the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC).

The FIPS-compliant version of syslog-ng Premium Edition v5.0.4 and the subsequent releases exclusively use the OpenSSL FIPS Object Module indicated above for crypthograpy. The build process of the FIPS-compliant version of syslog-ng Premium Edition complies with the OpenSSL FIPS 140-2 Security Policy Version 2.0.5f.

Chapter 12.  Reliable Log Transfer Protocol™

Logging using RLTP

The syslog-ng PE application can send and receive log messages in a reliable way over the TCP transport layer using the Reliable Log Transfer Protocol™ (RLTP™). RLTP™ is a proprietary transport protocol that prevents message loss during connection breaks. The transport is used between syslog-ng PE hosts (for example, a client and a server, or a client-relay-server), and interoperates with the flow-control and reliable disk-buffer mechanisms of syslog-ng PE, thus providing the best way to prevent message loss. The sender detects which messages has the receiver successfully received. If messages are lost during the transfer, the sender resends the missing messages, starting from the last successfully received message. Therefore, messages are not duplicated at the receiving end in case of a connection break (however, in failover mode this is not completely ensured). RLTP™ also allows to receive encrypted and non-encrypted connections on the same port, using a single source driver.

NOTE:

Because of the communication overhead, the RLTP™ protocol is slower than other transport protocols, which might be a problem if you need to collect a high amount (over 200000 messages per second) of log messages on your log server. For performance details of syslog-ng PE see the syslog-ng Premium Edition Performance Guideline at the syslog-ng Documentation page.

NOTE:

Make sure that you have set the value of the log_msg_size() parameter large enough in your configuration. If its size is less than the size of the sent messages, it might result in disk fill-up and no incoming logs.

Caution:

In the following cases, it is possible to lose log messages even if you use RLTP™:

  • If you use RLTP™ together with non-reliable disk-buffer, it is possible to lose logs.

  • When sending logs through a relay that is using a non-reliable disk-buffer, it is possible to lose logs if the relay crashes.

  • When sending logs through a relay that is using a non-reliable disk-buffer, it is possible that logs are duplicated if the relay crashes, or it is stopped.

  • If the underlying disk system of syslog-ng PE fails to write the log messages to the disk, but it does not return a write error, or some other hardware or operating-system error happens.

The RLTP™ protocol works on top of TCP, and can use STARTTLS for encryption. RLTP™ supports IPv4 and IPv6 addresses. Inside the RLTP™ message, the message can use any format, for example, RFC3164 (BSD-syslog) or RFC5424 (IETF-syslog). The default port of RLTP™ is 35514.

RLTP™ can be added to the configuration like a transport protocol within the syslog() driver and the network() driver.

Procedure 12.1. How RLTP™ connections work

Purpose: 

This procedure summarizes how two syslog-ng PE hosts (a sender and a receiver) communicate using the Reliable Log Transfer Protocol™ (RLTP™).

Prerequisites: 

The sender (also called the client) is the host that has RLTP™ configured in its destination driver. The receiver (also called the server) is the host that has RLTP™ configured in its source driver.

Steps: 

  1. The sender initiates the connection to the receiver.

  2. The sender and the receiver negotiate whether to encrypt the connection and to use compression or not.

  3. If the connection should be encrypted, the sender and the receiver perform authentication (as configured in the tls() options of their configuration).

  4. If the sender and the receiver have communicated earlier using RLTP™, the receiver indicates which was the last message received from the sender.

  5. The sender starts sending messages in batches. Batch size depends on the flush-lines() parameter of the sender.

    For optimal performance when sending messages to an syslog-ng PE server, make sure that the flush-lines() is smaller than the window size set using the log-iw-size() option in the source of your server.

  6. When the receiver has successfully processed the messages in the batch, it sends an acknowledgement of the processed messages to the sender.

    What "successfully processed" means depends on the configuration of the receiver, for example, written to disk in a destination, forwarded to a remote destination using notRLTP™, dropped because of filter settings, or written to the disk-buffer. (If the messages are forwarded using RLTP™, see the section called “Using RLTP™ in a client-relay-server scenario”.)

  7. After receiving the acknowledgement, the sender sends another batch of messages.

Using RLTP™ in a client-relay-server scenario

You can use RLTP™ between multiple syslog-ng PE hosts, for example, in a client-relay-server scenario. In such case, the communication described in Procedure 12.1, “How RLTP™ connections work” applies both between the client and the relay, and the relay and the server. However, note the following points:

  • Unless you use disk-buffer on the relay, the relay waits for acknowledgement from the server before acknowledging the messages to the client. If you send the messages in large batches, and the server can process the messages slowly (or the network connection is slow), you might have to adjust the message-acknowledgement-timeout() on the client.

  • If you use reliable disk-buffer on the relay, the relay will acknowledge the messages when the messages are written to the disk-buffer. That way, the client does not have to wait while the server acknowledges the messages.

RLTP™ options

RLTP™ options

The following options are specific to the RLTP™ protocol. Note that when using RLTP™ in a source or a destination, the options of the syslog() or the network() driver can be used as well.

allow-compress()
Accepted values: yes | no
Default: no

Description: Enable on-the-wire compression in the RLTP communication. Note that this option must be enabled both on the server and the client side to have any effect. Enabling compression can significantly reduce the bandwidth required to transport the messages, but can slightly decrease the performance of syslog-ng PE, reducing the number of transferred messages. The allow-compress() option can be used in source and destination drivers as well. Available in syslog-ng PE 5.0 and later.

message-acknowledgement-timeout()
Type: number (seconds)
Default: 900

Description: When the receiver (syslog-ng PE server) receives and successfully processes a message, it sends an acknowledgement to the sender (the syslog-ng PE client). If the receiver does not acknowledge receiving the messages within this period, the sender terminates the connection with the receiver. Use this option only in destination drivers.

response-timeout()
Type: number (seconds)
Default: 60

Description: If syslog-ng PE does not receive any protocol-related message in the given timeframe (except for message acknowledgement, which is governed by the message-acknowledgement-timeout() option), syslog-ng PE terminates the connection with the peer, and the "Connection broken" message appears in the logs of the sender (the syslog-ng PE client). This is normal, and happens when the sender does not send any new message to the receiver.

Under normal circumstances, you should not change the value of this option. The response-timeout() option can be used in source and destination drivers as well.

tls-required()
Type: yes, optional, no
Default: optional

Description: Determines whether STARTTLS is to be used during communication. If the option is set to yes, you must also configure the tls() option to specify other parameters of the TLS connection (for example, the authentication of the server and the client).

The tls-required() option can be used in source and destination drivers as well.

For example, if you configure tls-required(yes) on server side and tls-required(no) on client side, the connection is dropped. If one of them is set to optional, the configuration of the other side will decide if TLS is used or not. If both sides are set to optional, and the tls() option is properly configured, TLS encryption will be used. The following table summarizes the possible options and their results.

Note that the various parameters of the tls() option are considered in the connection only if the tls-required() settings of the peers result in TLS-encryption in the following table. In other words: the tls-required() option of RLTP™ determines if TLS should be used at all, while the peer-verify() option of the tls()setting determines if the TLS connection can be actually established.

tls-required() setting on the server
yes no optional
tls-required() setting on the client yes TLS-encryption rejected connection TLS-encryption
no rejected connection unencrypted connection unencrypted connection
optional TLS-encryption unencrypted connection TLS-encryption if the tls() option is set, unencrypted connection otherwise

Setting tls-required(optional) on your server allows you to receive both encrypted and unencrypted connections on the same port.

Examples for using RLTP™

Examples for using RLTP

Example 12.1. Simple RLTP™ connection

The sender and the receiver use RLTP™ over the network() protocol. Since the tls() option is not configured neither on the sender nor on the receiver, the communication will be unencrypted.

Receiver configuration (syslog-ng PE server):

source s_network_rltp {
        network(
            ip("127.0.0.1")
            port("5555")
            transport(rltp)
            ip-protocol(4)
        );
};

Sender configuration (syslog-ng PE client):

destination d_network_rltp {
        network(
            "127.0.0.1"
            port("5555")
            transport(rltp)
            ip-protocol(4)
        );
};

Example 12.2. RLTP™ with TLS encryption

The following example configure a sender and a receiver to communicate using RLTP™. Since the tls-required() option is set to optional on the receiver and yes on the sender, and the tls() option is configured, the communication will be TLS-encrypted. For the sender (syslog-ng PE client), reliable disk-buffering is enabled to prevent data loss.

Receiver configuration (syslog-ng PE server):

source s_syslog_rltp {
        syslog(
            ip("127.0.0.1")
            port("4444")
            transport(rltp(tls-required(optional)))
            ip-protocol(4)
            tls(
                peer-verify(required-trusted)
                ca-dir("/var/tmp/client/")
                key-file("/var/tmp/server/server_priv.key")
                cert-file("/var/tmp/server/server.crt")
            )
        );
};

Sender configuration (syslog-ng PE client):

destination d_syslog_rltp {
        syslog(
            "127.0.0.1"
            port("4444")
            transport(rltp(tls-required(yes)))
            ip-protocol(4)
            disk-buffer( mem-buf-size(200000) disk-buf-size(2000000) reliable(yes) )
            tls(
                peer-verify(required-trusted)
                ca-dir("/var/tmp/server/")
                key-file("/var/tmp/client/client_priv.key")
                cert-file("/var/tmp/client/client.crt")
            )
        );
};

Related Documents