Haven't used either of those. syslog over TCP will ensure delivery, but if volume precludes that use, I would use nginx for forwarding UDP if you need something quick and dirty, but fluentd is kind of made for this. It can do parsing and transforms, but it's all modularized with a fairly simple DSL; you can just do forwards. There's a gelf for graylog if that's where you're sending, but it'll do S3, stdout, HTTP, etc.
https://docs.fluentd.org/how-to-guides/graylog2
There's a mess of how-tos for the popular use cases.

good hunting,
soup

On Tue, Feb 6, 2024 at 1:18 PM Patrick McEvilly via WLUG <wlug@lists.wlug.org> wrote:
All
First off, I’m in way over my head. $dayjob we have a redhat 8 box. We are looking to take in syslog messages and send them out to one/two different IP addresses. We tried using https://github.com/sleinen/samplicator and while it works perfectly and is a one banana job to set up, we seem to be dropping a significant amount of traffic on the box. At least 10% of the logs are missing and we have not loaded up the system yet. We tuned out the network buffers and added 25MB of memory without any improvement.
https://github.com/sleinen/samplicator/issues/72
Seems at a high rate of logs (which I think we would fall under) there seems to be some issues.
We looked at this option -
https://zapier.com/engineering/iptables-replication/
Redhat 8 seems to be using firewalld, backed by nftables, so we can’t directly use this method, so we tried this.
firewall-cmd --permanent --direct --add-rule ipv4 mangle PREROUTING 0 -i ens192 -p udp --dport 514 -j TEE --gateway 127.0.0.1
firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 1 -i ens192 -p udp --dport 514 -j DNAT --to-destination 10.137.241.79:514
firewall-cmd --reload
With no luck, packets are not getting sent to 10.137.241.79.
When it works with samplicator this is what we get.
11:53:04.382233 IP 10.240.136.4.24277 > 10.240.1.1.syslog: SYSLOG local7.notice, length: 670
11:53:04.382408 IP 10.240.136.4.24277 > 10.137.241.79.syslog: SYSLOG local7.notice, length: 697
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
IP Forwarding is enabled.
I’m not at all familiar with any of this and cutting and pasting from the internet and chatgpt has come up empty.
Anyone have any suggestions on what we are doing wrong?
Patrick
_______________________________________________
WLUG mailing list -- wlug@lists.wlug.org
To unsubscribe send an email to wlug-leave@lists.wlug.org
Create Account: https://wlug.mailman3.com/accounts/signup/
Change Settings: https://wlug.mailman3.com/postorius/lists/wlug.lists.wlug.org/
Web Forum/Archive: https://wlug.mailman3.com/hyperkitty/list/wlug@lists.wlug.org/message/M2BHGY...
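The thread's core problem is UDP syslog fan-out that silently loses roughly 10% of datagrams. The script below is an added example written for this page; it is not samplicator, fluentd, or code from anyone on the list. It does two things a practitioner would want before blaming a tool: it reads the kernel's own UDP drop counters from /proc/net/snmp (the standard Linux "Udp:" header/value rows) so loss at the socket buffer is measurable rather than guessed, and it implements a minimal userspace fan-out relay that asks for a large SO_RCVBUF and reports what the kernel actually granted (Linux clamps the request at net.core.rmem_max, which is what "tuning the buffers" has to raise). The listen port and destination addresses are placeholders taken from the thread; the sample /proc/net/snmp text is constructed. Unlike the TEE rule or samplicator's spoofing mode, copies sent by this relay carry the relay's address as source, which matters if the collector keys on sender IP.

```python
#!/usr/bin/env python3
"""UDP syslog fan-out with kernel-side drop accounting (added example, not
samplicator/fluentd/list-member code).

Assumptions: Linux /proc/net/snmp with the usual "Udp:" header/value rows;
the port and destination addresses below are placeholders from the thread.
"""
import queue
import socket
import threading

# Placeholders taken from the thread's tcpdump output; adjust for your site.
DESTINATIONS = [("10.240.1.1", 514), ("10.137.241.79", 514)]

# Requested socket receive buffer; the kernel clamps it at net.core.rmem_max.
RCVBUF_BYTES = 32 * 1024 * 1024

# Constructed sample of /proc/net/snmp: 900 delivered, 100 dropped at the
# socket buffer, i.e. the ~10% loss described in the thread.
SAMPLE_SNMP = """Ip: Forwarding DefaultTTL
Ip: 1 64
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 900 0 100 1800 100 0 0 0
"""


def parse_udp_counters(snmp_text: str) -> dict:
    """Return {counter_name: value} from the two "Udp:" rows of /proc/net/snmp."""
    rows = [line.split() for line in snmp_text.splitlines() if line.startswith("Udp:")]
    if len(rows) < 2:
        raise ValueError("no Udp: header/value rows found")
    names, values = rows[0][1:], rows[1][1:]
    return dict(zip(names, (int(v) for v in values)))


def drop_delta(before: dict, after: dict) -> dict:
    """Difference of the counters that reveal kernel-side UDP loss."""
    keys = ("InDatagrams", "InErrors", "RcvbufErrors")
    return {k: after.get(k, 0) - before.get(k, 0) for k in keys}


def loss_ratio(delta: dict) -> float:
    """Fraction of arriving datagrams dropped because the socket buffer was full."""
    arrived = delta["InDatagrams"] + delta["RcvbufErrors"]
    return delta["RcvbufErrors"] / arrived if arrived else 0.0


def sample_loss_ratio() -> float:
    """Loss ratio computed from the constructed sample (no live counters needed)."""
    zero = {"InDatagrams": 0, "InErrors": 0, "RcvbufErrors": 0}
    return loss_ratio(drop_delta(zero, parse_udp_counters(SAMPLE_SNMP)))


def read_udp_counters(path: str = "/proc/net/snmp") -> dict:
    with open(path, encoding="ascii") as fh:
        return parse_udp_counters(fh.read())


def effective_rcvbuf(sock: socket.socket, requested: int) -> int:
    """Request a receive buffer and return what the kernel actually granted.

    Linux reports roughly double the request (bookkeeping overhead) and silently
    clamps at net.core.rmem_max, so a small return value means rmem_max is low.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, requested)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)


def relay(listen=("0.0.0.0", 514), dests=DESTINATIONS, rcvbuf=RCVBUF_BYTES):
    """Receive syslog datagrams and copy each one to every destination.

    Copies leave with this host's address as source (no spoofing, unlike a
    TEE rule or samplicator -S). Sending runs in its own thread so a slow or
    unreachable collector never stalls the receive loop.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    granted = effective_rcvbuf(rx, rcvbuf)
    rx.bind(listen)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    backlog: queue.Queue = queue.Queue(maxsize=200_000)
    stats = {"forwarded": 0, "queue_full": 0, "rcvbuf_granted": granted}

    def sender():
        while True:
            data = backlog.get()
            for dest in dests:
                try:
                    tx.sendto(data, dest)
                except OSError:
                    pass  # unreachable collector: drop that copy, keep receiving
            stats["forwarded"] += 1

    threading.Thread(target=sender, daemon=True).start()
    while True:
        data = rx.recv(65535)
        try:
            backlog.put_nowait(data)
        except queue.Full:
            stats["queue_full"] += 1  # userspace loss; kernel loss is RcvbufErrors


if __name__ == "__main__":
    before = read_udp_counters()
    try:
        relay()  # needs root for port 514; stop with Ctrl-C
    finally:
        delta = drop_delta(before, read_udp_counters())
        print(delta, "rcvbuf loss ratio: %.3f" % loss_ratio(delta))
```

Run it once with samplicator still in place and watch RcvbufErrors climb: if that counter grows, the datagrams never reached the forwarder and no forwarder choice will fix it until net.core.rmem_max and the forwarder's SO_RCVBUF are raised; if it stays flat while logs still go missing, the loss is downstream of the box.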