rsyslog/rsyslog
1
0
Fork 0
mirror of https://github.com/rsyslog/rsyslog.git synced 2025-12-21 02:00:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
rsyslog/doc/imptcp.html
Rainer Gerhards 2ff36f90b0 doc: describe new imptcp input parameter
2013-10-12 12:46:49 +02:00

183 lines
9.2 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<meta http-equiv="Content-Language" content="en">
<title>Plain TCP Syslog Input Module (imptcp)</title></head>
<body>
<a href="rsyslog_conf_modules.html">back</a>
<h1>Plain TCP Syslog Input Module</h1>
<p><b>Module Name:&nbsp;&nbsp;&nbsp; imptcp</b></p>
<p><b>Available since: </b>4.7.3+, 5.5.8+
<p><b>Author: </b>Rainer Gerhards
&lt;rgerhards@adiscon.com&gt;</p>
<p><b>Description</b>:</p>
<p>Provides the ability to receive syslog messages via plain TCP syslog.
This is a specialised input plugin tailored for high performance on Linux. It will
probably not run on any other platform. Also, it does not provide TLS services.
Encryption can be provided by using <a href="rsyslog_stunnel.html">stunnel</a>.
<p>This module has no limit on the number of listeners and sessions that can be used.
</p>
<p><b>Configuration Directives</b>:</p>
<p>This plugin has config directives similar named as imtcp, but they all have <b>P</b>TCP in
their name instead of just TCP. Note that only a subset of the parameters are supported.
<ul>
<p><b>Module Parameters</b>:</p>
<p>These paramters can be used with the "module()" statement. They apply
globaly to all inputs defined by the module.
<ul>
<li>Threads &lt;number&gt;<br>
Number of helper worker threads to process incoming messages. These
threads are utilized to pull data off the network. On a busy system, additional
helper threads (but not more than there are CPUs/Cores) can help improving
performance. The default value is two, which means there
is a default thread count of three (the main input thread plus two
helpers).
No more than 16 threads can be set (if tried to, rsyslog always resorts to 16).
</ul>
<p><b>Input Parameters</b>:</p>
<p>These parameters can be used with the "input()" statement. They apply to the
input they are specified with.
<ul>
<li><b>AddtlFrameDelimiter</b> &lt;Delimiter&gt;<br>
This directive permits to specify an additional frame delimiter for plain tcp syslog.
The industry-standard specifies using the LF character as frame delimiter. Some vendors,
notable Juniper in their NetScreen products, use an invalid frame delimiter, in Juniper's
case the NUL character. This directive permits to specify the ASCII value of the delimiter
in question. Please note that this does not guarantee that all wrong implementations can
be cured with this directive. It is not even a sure fix with all versions of NetScreen,
as I suggest the NUL character is the effect of a (common) coding error and thus will
probably go away at some time in the future. But for the time being, the value 0 can
probably be used to make rsyslog handle NetScreen's invalid syslog/tcp framing.
For additional information, see this
<a href="http://kb.monitorware.com/problem-with-netscreen-log-t1652.html">forum thread</a>.
<br><b>If this doesn't work for you, please do not blame the rsyslog team. Instead file
a bug report with Juniper!</b>
<br>Note that a similar, but worse, issue exists with Cisco's IOS implementation. They do
not use any framing at all. This is confirmed from Cisco's side, but there seems to be
very limited interest in fixing this issue. This directive <b>can not</b> fix the Cisco bug.
That would require much more code changes, which I was unable to do so far. Full details
can be found at the <a href="http://www.rsyslog.com/Article321.phtml">Cisco tcp syslog anomaly</a>
page.
<li><b>SupportOctetCountedFraming</b> &lt;<b>on</b>|off&gt;<br>
If set to "on", the legacy octed-counted framing (similar to RFC5425 framing) is
activated. This is the default and should be left unchanged until you know
very well what you do. It may be useful to turn it off, if you know this framing
is not used and some senders emit multi-line messages into the message stream.
</li>
<li><b>ServerNotifyOnConnectionClose</b> [on/<b>off</b>]<br>
instructs imptcp to emit a message if the remote peer closes a connection.<br>
<li><b>KeepAlive</b> &lt;on/<b>off</b>&gt;<br>
enable of disable keep-alive packets at the tcp socket layer. The default is
to disable them.</li>
<li><b>KeepAlive.Probes</b> &lt;number&gt;<br>
The number of unacknowledged probes to send before considering the connection dead and notifying the application layer.
The default, 0, means that the operating system defaults are used. This has only
effect if keep-alive is enabled. The functionality may not be available on
all platforms.
<li><b>KeepAlive.Interval</b> &lt;number&gt;<br>
The interval between subsequent keepalive probes, regardless of what the connection has exchanged in the meantime.
The default, 0, means that the operating system defaults are used. This has only
effect if keep-alive is enabled. The functionality may not be available on
all platforms.
<li><b>KeepAlive.Time</b> &lt;number&gt;<br>
The interval between the last data packet sent (simple ACKs are not considered data) and the first keepalive probe; after the connection is marked to need keepalive, this counter is not used any further.
The default, 0, means that the operating system defaults are used. This has only
effect if keep-alive is enabled. The functionality may not be available on
all platforms.
<li><b>Port</b> &lt;number&gt;<br>
Select a port to listen on</li>
<li><b>Name</b> &lt;name&gt;<br>
Sets a name for the inputname property. If no name is set "imptcp" is used by default. Setting a
name is not strictly necessary, but can be useful to apply filtering based on which input
the message was received from.
<li><b>Ruleset</b> &lt;name&gt;<br>
Binds specified ruleset to next server defined.
<li><b>Address</b> &lt;name&gt;<br>
On multi-homed machines, specifies to which local address the listerner should be bound.
<li><b>defaultTZ</b> &lt;timezone-info&gt;<br>
This is an <b>experimental</b> parameter; details may change at any time and it may
also be discoutinued without any early warning.<br>
Permits to set a default timezone for this listener. This is useful when working with
legacy syslog (RFC3164 et al) residing in different timezones. If set it will be used as
timezone for all messages <b>that do not contain timezone info</b>.
Currently, the format <b>must</b> be "+/-hh:mm", e.g. "-05:00", "+01:30". Other formats,
including TZ names (like EST) are NOT yet supported. Note that consequently no daylight
saving settings are evaluated when working with timezones. If an invalid format is used,
"interesting" things can happen, among them malformed timestamps and rsyslogd segfaults.
This will obviously be changed at the time this feature becomes non-experimental.</li>
<li><b>RateLimit.Interval</b> [number] - (available since 7.3.1) specifies the rate-limiting
interval in seconds. Default value is 0, which turns off rate limiting. Set it to a number
of seconds (5 recommended) to activate rate-limiting.
</li>
<li><b>RateLimit.Burst</b> [number] - (available since 7.3.1) specifies the rate-limiting
burst in number of messages. Default is 10,000.
<li><b>compression.mode</b><i>mode</i><br>
<i>mode</i> is one of "none" or "stream:always".
It is the counterpart to the compression modes set in
<a href="omfile.html">omfile</a>.
Please see it's documentation for details.
</li>
</ul>
<b>Caveats/Known Bugs:</b>
<ul>
<li>module always binds to all interfaces</li>
</ul>
<p><b>Sample:</b></p>
<p>This sets up a TCP server on port 514:<br>
</p>
<textarea rows="4" cols="60">module(load="/folder/to/rsyslog/plugins/imptcp/.libs/imptcp") # needs to be done just once
input(type="imptcp" port="514")
</textarea>
<p><b>Legacy Configuration Directives</b>:</p>
<ul>
<li>$InputPTCPServerAddtlFrameDelimiter &lt;Delimiter&gt;<br>
Equivalent to: AddTLFrameDelimiter</li>
<li><b>$InputPTCPSupportOctetCountedFraming</b> &lt;<b>on</b>|off&gt;<br>
Equivalent to: SupportOctetCountedFraming
</li>
<li>$InputPTCPServerNotifyOnConnectionClose [on/<b>off</b>]<br>
Equivalent to: ServerNotifyOnConnectionClose.<br></li>
<li><b>$InputPTCPServerKeepAlive</b> &lt;on/<b>off</b>&gt;<br>
Equivalent to: KeepAlive </li>
<li><b>$InputPTCPServerKeepAlive_probes</b> &lt;number&gt;<br>
Equivalent to: KeepAlive.Probes</li>
<li><b>$InputPTCPServerKeepAlive_intvl</b> &lt;number&gt;<br>
Equivalent to: KeepAlive.Interval </li>
<li><b>$InputPTCPServerKeepAlive_time</b> &lt;number&gt;<br>
Equivalent to: KeepAlive.Time</li>
<li><b>$InputPTCPServerRun</b> &lt;port&gt;<br>
Equivalent to: Port </li>
<li>$InputPTCPServerInputName &lt;name&gt;<br>
Equivalent to: Name </li>
<li>$InputPTCPServerBindRuleset &lt;name&gt;<br>
Equivalent to: Ruleset </li>
<li>$InputPTCPServerHelperThreads &lt;number&gt;<br>
Equivalent to: threads </li>
<li>$InputPTCPServerListenIP &lt;name&gt;<br>
Equivalent to: Address </li>
</ul>
<b>Caveats/Known Bugs:</b>
<ul>
<li>module always binds to all interfaces</li>
</ul>
<p><b>Sample:</b></p>
<p>This sets up a TCP server on port 514:<br>
</p>
<textarea rows="3" cols="60">$ModLoad imptcp #
needs to be done just once
$InputPTCPServerRun 514
</textarea>
<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
<p><font size="2">This documentation is part of the
<a href="http://www.rsyslog.com/">rsyslog</a>
project.<br>
Copyright &copy; 2010-2013 by <a href="http://www.gerhards.net/rainer">Rainer
Gerhards</a> and
<a href="http://www.adiscon.com/">Adiscon</a>.
Released under the GNU GPL version 3 or higher.</font></p>
</body></html>
Reference in New Issue View Git Blame Copy Permalink