rsyslog/rsyslog
1
0
Fork 0
mirror of https://github.com/rsyslog/rsyslog.git synced 2025-12-17 09:20:41 +01:00
Code Issues Packages Projects Releases Wiki Activity
rsyslog/doc/imtcp.html
Rainer Gerhards d6da57ae03 Merge branch 'v5-stable-newstats' 
Conflicts:
	action.c
	configure.ac
	doc/imuxsock.html
	plugins/imklog/imklog.c
	plugins/imptcp/imptcp.c
	plugins/imtcp/imtcp.c
	plugins/imudp/imudp.c
	plugins/imuxsock/imuxsock.c
	runtime/glbl.c
	runtime/glbl.h
	runtime/net.c
	runtime/ruleset.c
	tcpsrv.h
	tools/syslogd.c
2012-04-07 15:42:46 +02:00

121 lines
7.3 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en">
<title>TCP Syslog Input Module</title>
</head>
<body>
<a href="rsyslog_conf_modules.html">back to rsyslog module overview</a>
<h1>TCP Syslog Input Module</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; imtcp</b></p>
<p><b>Author: </b>Rainer Gerhards &lt;rgerhards@adiscon.com&gt;</p>
<p><b>Multi-Ruleset Support: </b>since 4.5.0 and 5.1.1
<p><b>Description</b>:</p>
<p>Provides the ability to receive syslog messages via TCP.
Encryption is natively provided by selecting the approprioate network stream driver and
can also be provided by using <a href="rsyslog_stunnel.html">stunnel</a>
(an alternative is the use the <a href="imgssapi.html">imgssapi</a> module).</p>
<p>Multiple receivers may be configured by specifying
$InputTCPServerRun multiple times. This is available since version 4.3.1, earlier
versions do NOT support it.
</p>
<p><b>Configuration Directives</b>:</p>
<ul>
<li><b>$InputTCPServerAddtlFrameDelimiter &lt;Delimiter&gt;</b><br>
This directive permits to specify an additional frame delimiter for plain tcp syslog.
The industry-standard specifies using the LF character as frame delimiter. Some vendors,
notable Juniper in their NetScreen products, use an invalid frame delimiter, in Juniper's
case the NUL character. This directive permits to specify the ASCII value of the delimiter
in question. Please note that this does not guarantee that all wrong implementations can
be cured with this directive. It is not even a sure fix with all versions of NetScreen,
as I suggest the NUL character is the effect of a (common) coding error and thus will
probably go away at some time in the future. But for the time being, the value 0 can
probably be used to make rsyslog handle NetScreen's invalid syslog/tcp framing.
For additional information, see this
<a href="http://kb.monitorware.com/problem-with-netscreen-log-t1652.html">forum thread</a>.
<br><b>If this doesn't work for you, please do not blame the rsyslog team. Instead file
a bug report with Juniper!</b>
<br>Note that a similar, but worse, issue exists with Cisco's IOS implementation. They do
not use any framing at all. This is confirmed from Cisco's side, but there seems to be
very limited interest in fixing this issue. This directive <b>can not</b> fix the Cisco bug.
That would require much more code changes, which I was unable to do so far. Full details
can be found at the <a href="http://www.rsyslog.com/Article321.phtml">Cisco tcp syslog anomaly</a>
page.
<li><b>$InputTCPServerDisableLFDelimiter</b> &lt;on/<b>off</b>&gt; (available since 5.5.3)<br>
Industry-strandard plain text tcp syslog uses the LF to delimit syslog frames. However,
some users brought up the case that it may be useful to define a different delimiter and
totally disable LF as a delimiter (the use case named were multi-line messages). This mode
is non-standard and will probably come with a lot of problems. However, as there is need
for it and it is relatively easy to support, we do so. Be sure to turn this setting to
"on" only if you exactly know what you are doing. You may run into all sorts of troubles,
so be prepared to wrangle with that!
<li><b>$InputTCPServerNotifyOnConnectionClose</b> [on/<b>off</b>] (available since 4.5.5)<br>
instructs imtcp to emit a message if the remote peer closes a connection.<br>
<b>Important:</b> This directive is global to all listeners and must be given right
after loading imtcp, otherwise it may have no effect.</li>
<li><b>$InputTCPServerKeepAlive</b> &lt;on/<b>off</b>&gt;<br>
enable of disable keep-alive packets at the tcp socket layer. The default is
to disable them.</li>
<li><b>$InputTCPServerRun</b> &lt;port&gt;<br>
Starts a TCP server on selected port</li>
<li><b>$InputTCPFlowControl</b> &lt;<b>on</b>/off&gt;<br>
This setting specifies whether some message flow control shall be exercised on the
related TCP input. If set to on, messages are handled as "light delayable", which means
the sender is throttled a bit when the queue becomes near-full. This is done in order
to preserve some queue space for inputs that can not throttle (like UDP), but it
may have some undesired effect in some configurations. Still, we consider this as
a useful setting and thus it is the default. To turn the handling off, simply
configure that explicitely.
</li>
<li><b>$InputTCPMaxListeners</b> &lt;number&gt;<br>
Sets the maximum number of listeners (server ports) supported. Default is 20. This must be set before the first $InputTCPServerRun directive.</li>
<li><b>$InputTCPMaxSessions</b> &lt;number&gt;<br> Sets the maximum number of sessions supported. Default is 200. This must be set before the first $InputTCPServerRun directive</li>
<li><b>$InputTCPServerStreamDriverMode</b> &lt;number&gt;<br>
Sets the driver mode for the currently selected <a href="netstream.html">network stream driver</a>. &lt;number&gt; is driver specifc.</li>
<li><b>$InputTCPServerInputName</b> &lt;name&gt;<br>
Sets a name for the inputname property. If no name is set "imtcp" is used by default. Setting a
name is not strictly necessary, but can be useful to apply filtering based on which input
the message was received from.
<li><b>$InputTCPServerStreamDriverAuthMode</b> &lt;mode-string&gt;<br>
Sets the authentication mode for the currently selected <a href="netstream.html">network stream driver</a>. &lt;mode-string&gt; is driver specifc.</li>
<li><b>$InputTCPServerStreamDriverPermittedPeer</b> &lt;id-string&gt;<br>
Sets permitted peer IDs. Only these peers are able to connect to the
listener. &lt;id-string&gt; semantics depend on the currently selected
AuthMode and&nbsp; <a href="netstream.html">network stream driver</a>. PermittedPeers may not be set in anonymous modes.</li>
<li><b>$InputTCPServerBindRuleset</b> &lt;ruleset&gt;<br>
Binds the listener to a specific <a href="multi_ruleset.html">ruleset</a>.</li>
<li><b>$InputTCPSupportOctetCountedFraming</b> &lt;<b>on</b>|off&gt;<br>
If set to "on", the legacy octed-counted framing (similar to RFC5425 framing) is
activated. This is the default and should be left unchanged until you know
very well what you do. It may be useful to turn it off, if you know this framing
is not used and some senders emit multi-line messages into the message stream.
</li>
</ul>
<b>Caveats/Known Bugs:</b>
<ul>
<li>module always binds to all interfaces</li>
<li>can not be loaded together with <a href="imgssapi.html">imgssapi</a>
(which includes the functionality of imtcp)</li>
</ul>
<p><b>Example:</b></p>
<p>This sets up a TCP server on port 514 and permits it to accept up to 500 connections:<br>
</p>
<textarea rows="15" cols="60">$ModLoad imtcp # needs to be done just once
$InputTCPMaxSessions 500
$InputTCPServerRun 514
</textarea>
<p>Note that the parameters (here: max sessions) need to be set <b>before</b> the listener
is activated. Otherwise, the parameters will not apply.
</p>
<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
<p><font size="2">This documentation is part of the <a href="http://www.rsyslog.com/">rsyslog</a>
project.<br>
Copyright &copy; 2008,2009 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink