All

First off, I’m in way over my head.  At $dayjob we have a Red Hat 8 box.  We are looking to take in syslog messages and send them out to one/two different IP addresses.  We tried using https://github.com/sleinen/samplicator and while it works perfectly and is a one-banana job to set up, we seem to be dropping a significant amount of traffic on the box.  At least 10% of the logs are missing and we have not loaded up the system yet.  We tuned the network buffers and added 25MB of memory without any improvement.

https://github.com/sleinen/samplicator/issues/72

It seems that at a high rate of logs (which I think we would fall under) there are some issues.

We looked at this option -

https://zapier.com/engineering/iptables-replication/

Red Hat 8 seems to be using firewalld backed by nftables, so we can’t directly use this method; we tried this instead.

firewall-cmd --permanent --direct --add-rule ipv4 mangle PREROUTING 0 -i ens192 -p udp --dport 514 -j TEE --gateway 127.0.0.1

firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 1 -i ens192 -p udp --dport 514 -j DNAT --to-destination 10.137.241.79:514

firewall-cmd --reload

No luck: packets are not getting sent to 10.137.241.79.

When it works with samplicator, this is what we get.

11:53:04.382233 IP 10.240.136.4.24277 > 10.240.1.1.syslog: SYSLOG local7.notice, length: 670

11:53:04.382408 IP 10.240.136.4.24277 > 10.137.241.79.syslog: SYSLOG local7.notice, length: 697

sysctl net.ipv4.ip_forward

net.ipv4.ip_forward = 1

IP forwarding is enabled.

I’m not at all familiar with any of this, and cutting and pasting from the internet and ChatGPT has come up empty.

Anyone have any suggestions on what we are doing wrong?

Patrick
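The 10% loss described in the post is an estimate; it can be measured instead. The following Python probe is an added example (not code from the post, from samplicator or from firewalld): it sends sequence-numbered local7.notice syslog datagrams with a known count and counts the gaps at one of the fan-out targets, so whichever replication path is in use (samplicator or the TEE/DNAT rules) can be checked against a known number of messages. The RECEIVER address and the unprivileged port are assumptions.

```python
import socket

# Added example, not from the post. Assumed fan-out target bound locally on an unprivileged port.
RECEIVER = ("127.0.0.1", 5515)
PRI_LOCAL7_NOTICE = 23 * 8 + 5  # local7 (23) * 8 + notice (5) = <189>, as in the post's capture

def build_message(seq):
    # RFC 3164 style line with the sequence number at the end of the MSG part
    return b"<%d>Jan  1 00:00:00 testhost losstest: seq=%d" % (PRI_LOCAL7_NOTICE, seq)

def parse_seq(datagram):
    tail = datagram.rpartition(b"seq=")[2]
    return int(tail) if tail.isdigit() else None

def loss_report(sent, received_seqs):
    # Which of 0..sent-1 never arrived; duplicates and unparseable datagrams are ignored
    got = {s for s in received_seqs if s is not None and 0 <= s < sent}
    missing = sorted(set(range(sent)) - got)
    pct = round(100.0 * len(missing) / sent, 2) if sent else 0.0
    return {"sent": sent, "received": len(got), "missing": missing, "loss_pct": pct}

def send_burst(count, dest):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for i in range(count):
            s.sendto(build_message(i), dest)
    return count

def open_receiver(bind):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Bind before sending; a large queue (capped by net.core.rmem_max) keeps the probe itself from dropping
    s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 4 * 1024 * 1024)
    s.bind(bind)
    s.settimeout(2.0)
    return s

def drain(sock, expected):
    # Read until `expected` datagrams arrive or the socket goes quiet for the timeout
    seqs = []
    while len(seqs) < expected:
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            break
        seqs.append(parse_seq(data))
    return seqs

if __name__ == "__main__":
    n = 200  # stand-alone run sends straight to RECEIVER; aim send_burst at the replicator's input to test it
    with open_receiver(RECEIVER) as rx:
        send_burst(n, RECEIVER)
        print(loss_report(n, drain(rx, n)))
```

To probe the real path, run open_receiver on the host that is the fan-out target, point send_burst at the address the replicator listens on, and compare the report's missing list with the tcpdump output.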