To check whether rsyslog is dropping messages (imuxsock logs one "imuxsock lost N messages from pid P due to rate-limiting" line per rate-limited burst, so the count below is the number of bursts, not the number of lost messages):
grep -c 'imuxsock lost' /var/log/messages
To tune the rate limiting (legacy rsyslog.conf directives for the imuxsock input; the interval is in seconds, the burst is the maximum number of messages one process may send within that interval, anything beyond it is dropped; an interval of 0 disables the limit):
$SystemLogRateLimitInterval 10
$SystemLogRateLimitBurst 500
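Added example (not from the page or from rsyslog): the grep -c above only counts bursts, so this script also sums how many messages were actually lost and which pid produced them, which is what you need to decide between raising the burst and fixing the noisy process. It assumes the stock rsyslog wording "imuxsock lost N messages from pid P due to rate-limiting"; the log lines are constructed for the demo and a real file can be passed as the first argument.

```shell
#!/bin/sh
# Added example: quantify rsyslog imuxsock rate-limit drops.
# Assumes the stock message text "imuxsock lost N messages from pid P due to rate-limiting".

# Constructed sample lines standing in for /var/log/messages.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 host rsyslogd: imuxsock begins to drop messages from pid 1234 due to rate-limiting
Mar  3 10:00:11 host rsyslogd: imuxsock lost 412 messages from pid 1234 due to rate-limiting
Mar  3 10:05:00 host sshd[999]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Mar  3 10:07:30 host rsyslogd: imuxsock lost 88 messages from pid 5678 due to rate-limiting
EOF

# Number of rate-limit bursts (what "grep -c 'imuxsock lost'" reports).
# grep -c exits 1 when the count is 0, hence the "|| true".
lost_events() {
    grep -c 'imuxsock lost' "$1" || true
}

# Total number of messages actually dropped, summed over all bursts.
lost_messages() {
    grep 'imuxsock lost' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "lost") n += $(i + 1) }
             END { print n + 0 }'
}

# Messages lost per producing pid, so the flooding process can be identified.
lost_by_pid() {
    grep 'imuxsock lost' "$1" |
        awk '{ for (i = 1; i <= NF; i++) {
                   if ($i == "lost") n = $(i + 1)
                   if ($i == "pid")  p = $(i + 1)
               }
               tot[p] += n }
             END { for (p in tot) print p, tot[p] }' |
        sort -n
}

LOG=${1:-$SAMPLE_LOG}
echo "rate-limit bursts: $(lost_events "$LOG")"
echo "messages lost:     $(lost_messages "$LOG")"
echo "lost per pid:"
lost_by_pid "$LOG"
```

On a systemd host where rsyslog reads from the journal (imjournal) instead of /dev/log, journald applies its own RateLimitIntervalSec/RateLimitBurst from journald.conf first, so the imuxsock directives above will not help there.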
-
https://isc.sans.edu/diary/Are+you+losing+system+logging+information+(and+don%27t+know+it)%3F/15106

When receiving messages using the UDP protocol, increase the size of the UDP receive buffer on the receiver host (that is, the syslog-ng OSE server or relay receiving the messages). Note that on certain platforms, for example on Red Hat Enterprise Linux 5, even a low message load (~200 messages per second) can result in message loss unless the so_rcvbuf() option of the source is increased. In such cases, you will need to increase the net.core.rmem_max parameter of the host (for example, to 1024000), but do not modify the net.core.rmem_default parameter.
As a general rule, increase so_rcvbuf() so that the buffer size in kilobytes is higher than the rate of incoming messages per second. For example, to receive 2000 messages per second, set so_rcvbuf() to at least 2 097 152 bytes (2 MiB).
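Added example (not from the syslog-ng guide): turning the rule of thumb above into a script that sizes so_rcvbuf() from the expected message rate, checks it against the kernel ceiling net.core.rmem_max, and prints the matching udp() source stanza. It rounds up to the next power of two, which reproduces the guide's 2 097 152 bytes for 2000 msg/s; the port and bind address in the stanza are assumptions.

```shell
#!/bin/sh
# Added example: size the syslog-ng UDP receive buffer from the message rate
# and verify the kernel will actually honour it.

# Smallest power of two >= n.
next_pow2() {
    n=$1
    p=1
    while [ "$p" -lt "$n" ]; do
        p=$((p * 2))
    done
    echo "$p"
}

# Rule of thumb: buffer in KiB > messages per second, rounded up to a power of two.
# 2000 msg/s -> 2048000 B -> 2097152 B (2 MiB), the figure used in the guide.
rcvbuf_for_rate() {
    next_pow2 $(( $1 * 1024 ))
}

# Returns 0 when the rmem_max ceiling ($2) allows the wanted buffer ($1).
# A SO_RCVBUF request above net.core.rmem_max is silently clamped by the
# kernel, so a large so_rcvbuf() in syslog-ng.conf alone changes nothing.
rmem_max_ok() {
    [ "$2" -ge "$1" ]
}

# syslog-ng source stanza with the computed buffer (port/bind address assumed).
udp_source_stanza() {
    printf 'source s_udp {\n    udp(ip("0.0.0.0") port(%s) so_rcvbuf(%s));\n};\n' "$1" "$2"
}

RATE=${1:-2000}
BUF=$(rcvbuf_for_rate "$RATE")
echo "# $RATE msg/s -> so_rcvbuf($BUF)"
if [ -r /proc/sys/net/core/rmem_max ]; then
    CUR=$(cat /proc/sys/net/core/rmem_max)
    if rmem_max_ok "$BUF" "$CUR"; then
        echo "# net.core.rmem_max=$CUR is sufficient"
    else
        echo "# raise the ceiling first: sysctl -w net.core.rmem_max=$BUF (current $CUR)"
    fi
fi
udp_source_stanza 514 "$BUF"
```

Per the guide, only rmem_max should be raised; leave net.core.rmem_default alone so every other UDP socket on the host does not grow with it.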
-
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/en/syslog-ng-ose-v3.3-guide-admin-en/html/reference_source_tcpudp.html

OK, I had the same problem: the logstash syslog input systematically ends up in a grok failure..
Easily replaceable by a udp input!
-
http://kartar.net/2014/09/when-logstash-and-syslog-go-wrong/

syslog-ng destination that hands every matching message to an external program (syslog-ng starts the program once, keeps it running, and writes one message per line to its stdin):
destination mail-alert-perl { program("/usr/local/bin/syslog-mail-perl"); };
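Added example (not from the page; the real syslog-mail-perl script is not shown there): a shell stand-in for the program behind that destination. It reads the lines syslog-ng writes to its stdin, keys each one on host and program, and enforces a per-key cooldown so a flood of identical events does not become a flood of mails. The recipient, state directory, cooldown and the sample line format ("Mon dd hh:mm:ss host prog[pid]: msg") are assumptions; the loop is only entered with --run so the functions can be exercised on their own.

```shell
#!/bin/sh
# Added example: hypothetical replacement for /usr/local/bin/syslog-mail-perl,
# to be referenced as program("/path/to/this.sh --run") in a syslog-ng destination.

ALERT_TO=${ALERT_TO:-security@example.com}     # assumed recipient
COOLDOWN=${COOLDOWN:-300}                      # seconds between mails for the same key
STATE_DIR=${STATE_DIR:-/tmp/syslog-mail-alert} # assumed location of the cooldown stamps

# "host program" from a BSD-style line "Mon dd hh:mm:ss host prog[pid]: msg".
alert_key() {
    printf '%s\n' "$1" | awk '{ p = $5; sub(/\[.*/, "", p); sub(/:$/, "", p); print $4, p }'
}

# 0 if no mail went out for this key within COOLDOWN seconds (and records the send),
# 1 if the key is still cooling down.
should_send() {
    key=$(printf '%s' "$1" | tr ' /' '__')
    now=$(date +%s)
    stamp="$STATE_DIR/$key"
    mkdir -p "$STATE_DIR"
    if [ -f "$stamp" ]; then
        last=$(cat "$stamp")
        if [ $((now - last)) -lt "$COOLDOWN" ]; then
            return 1
        fi
    fi
    echo "$now" >"$stamp"
    return 0
}

# $1 = subject, body on stdin. Falls back to a file when no MTA is installed,
# so an alert is never silently lost.
send_mail() {
    if command -v sendmail >/dev/null 2>&1; then
        { printf 'To: %s\nSubject: %s\n\n' "$ALERT_TO" "$1"; cat; } | sendmail -t
    else
        { printf '%s\n' "$1"; cat; } >>"$STATE_DIR/undelivered.log"
    fi
}

# syslog-ng keeps this process alive and feeds it one message per line; keep
# reading until EOF (a program() destination that exits gets restarted).
main_loop() {
    while IFS= read -r line; do
        key=$(alert_key "$line")
        if should_send "$key"; then
            printf '%s\n' "$line" | send_mail "syslog alert: $key"
        fi
    done
}

if [ "${1:-}" = "--run" ]; then
    main_loop
fi
```

Pair the destination with a filter() in the log path; program() receives every message routed to it, and without the cooldown a brute-force burst against sshd would produce one mail per failed login.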
-
http://www.softpanorama.org/Logs/Syslog_ng/configuration_examples.shtml