rsyslog to resend event from client after abnormal server crash

Rsyslog Server IP: 192.168.122.94
Rsyslog Client IP: 192.168.122.93

1) Did a forced reboot of the rsyslog server:

root@rsyslogserver:~# reboot -f
Write failed: Broken pipe

2) After the reboot, I sent an event from the rsyslog client.

3) The server is running on port 1014, and the client is configured to forward logs to the server on port 1014.

4) Ran tcpdump on the rsyslog server to listen to the communication on port 1014. The first time we send an event after the forced reboot, the rsyslog client is not able to forward the event to the rsyslog server. After that, the rsyslog client is able to forward logs to the rsyslog server.

root@rsyslogserver:~# tcpdump -i eth1 "src port 1014"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
11:03:05.687971 IP 192.168.122.94.1014 > 192.168.122.93.40036: Flags [R], seq 3944299399, win 0, length 0
11:05:28.096264 IP 192.168.122.94.1014 > 192.168.122.93.52079: Flags [S.], seq 3014852900, ack 1286331701, win 14480, options [mss 1460,sackOK,TS val 4294939924 ecr 149156552,nop,wscale 6], length 0
11:05:28.096605 IP 192.168.122.94.1014 > 192.168.122.93.52079: Flags [.], ack 394, win 243, options [nop,nop,TS val 4294939924 ecr 149156552], length 0

Reason: This seems to be the general behavior of any TCP connection. If a system crashes or terminates abnormally and we then send a TCP request, it resets the old pre-crash connection and establishes a new connection. This will not happen for a normal reboot.

RefLink: https://en.wikipedia.org/wiki/TCP_reset_attack (Section TCP resets)

But my question here is how to prevent the loss of that first event. Is there any configuration on the rsyslog server/client side to prevent event loss?

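The sender-side view of the behaviour described in the question, as an added example that is not part of the original post: a plain TCP write to a peer that has lost the connection reports success, the failure only surfaces on the next write, and the sender recovers by resending the last message it believed delivered. The loopback endpoint and the event strings are constructed, and the crash is emulated by closing the server's sockets, which (unlike a real crash) sends a FIN that this sender never reads.

```python
import socket
import time

HOST = "127.0.0.1"  # constructed loopback endpoint standing in for the rsyslog server


def listen(port=0):
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((HOST, port))
    s.listen(1)
    return s


def demo():
    """Return (bytes reported by 1st send, error from 2nd send, data after resend)."""
    server = listen()
    port = server.getsockname()[1]
    client = socket.create_connection((HOST, port))
    conn, _ = server.accept()
    # Emulated crash: the server drops the connection; this sender never reads.
    conn.close()
    server.close()
    time.sleep(0.2)
    events = [b"<14>client: event 1\n", b"<14>client: event 2\n"]  # constructed
    first = client.send(events[0])  # succeeds: the kernel only queued the bytes
    time.sleep(0.2)                 # the peer answers that segment with RST
    second_error = None
    try:
        client.send(events[1])
    except OSError as exc:          # BrokenPipeError or ConnectionResetError
        second_error = exc
    client.close()
    # Server is back. The sender cannot know whether event 1 arrived, so it
    # resends the last "successful" message together with the failed one.
    server = listen(port)
    client = socket.create_connection((HOST, port))
    conn, _ = server.accept()
    client.sendall(events[0] + events[1])
    client.close()
    received = b""
    while chunk := conn.recv(4096):
        received += chunk
    conn.close()
    server.close()
    return first, second_error, received


if __name__ == "__main__":
    print(demo())
```

Resending can deliver the last message twice when it did arrive before the connection was lost, so the receiver has to tolerate duplicates.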