Discussion:
[rsyslog] imptcp statistics
John Chivian
2018-11-08 13:03:51 UTC
Hello Experts:

I was looking here...

https://www.rsyslog.com/doc/v8-stable/configuration/modules/imptcp.html#imptcp-statistic-counter

...for documentation on the fields found in this pstats line...

{ "name": "tcp-5144-in(*\/5144\/IPv4)", "origin": "imptcp", "submitted":
7, "sessions.opened": 0, "sessions.openfailed": 0, "sessions.closed": 0,
"bytes.received": 997, "bytes.decompressed": 0 }

...but the documentation only shows an entry for "submitted".   I was
hoping to find clues as to what specifically I would investigate if
positive values for "sessions.openfailed" should ever start to appear. 
Is there any specific reason this error would occur, or is it a catchall?

Thanks in advance!

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DO
David Lang
2018-11-08 21:21:01 UTC
Post by John Chivian
> I was looking here...
> https://www.rsyslog.com/doc/v8-stable/configuration/modules/imptcp.html#imptcp-statistic-counter
> ...for documentation on the fields found in this pstats line...
> 7, "sessions.opened": 0, "sessions.openfailed": 0, "sessions.closed": 0,
> "bytes.received": 997, "bytes.decompressed": 0 }
> ...but the documentation only shows an entry for "submitted". I was
> hoping to find clues as to what specifically I would investigate if
> positive values for "sessions.openfailed" should ever start to appear.
> Is there any specific reason this error would occur, or is it a catchall?

I believe that it just means that rsyslog was unable to open a connection to the
destination (with .open and .closed being how many sessions were opened and
closed)

open failing would probably be a network/firewall problem (or someone scanning
for vulnerabilities that doesn't do a full 3-way handshake to open the
connection)

David Lang
John Chivian
2018-11-08 22:50:50 UTC
Hmm.  Given that these are on a TCP input, not on establishment of an
outbound connection, I will assume this means an unsolicited connection
attempt from a client couldn't be completed for some reason external to
rsyslog.  Okay thanks, I understand that normal, start from square one,
network connection diagnostics would apply.

Any chance rsyslog would toss an error message out to /var/log/messages?
Rainer Gerhards
2018-11-09 07:37:14 UTC
On Thu, 8 Nov 2018 at 23:50, John Chivian
> Hmm. Given that these are on a TCP input, not on establishment of an
> outbound connection, I will assume this means an unsolicited connection
> attempt from a client couldn't be completed for some reason external to
> rsyslog. Okay thanks, I understand that normal, start from square one,
> network connection diagnostics would apply.
> Any chance rsyslog would toss an error message out to /var/log/messages?

It does so by default. I guess you simply do not record syslog.* messages?

Rainer
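
An added example, not part of the thread and not rsyslog's own code: a watcher for the counter discussed above that turns successive imptcp pstats records into per-interval increases of "sessions.openfailed", so a rise can be noticed and investigated. It assumes impstats writes one JSON record per line with cumulative counters; the log-line prefix, the sample values, the function names and the threshold are constructed for illustration.

```python
import json

COUNTER = "sessions.openfailed"

def parse_pstats(line):
    """Return the imptcp stats object embedded in a log line, or None."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        rec = json.loads(line[start:])  # JSON "\/" decodes to "/"
    except json.JSONDecodeError:
        return None
    if isinstance(rec, dict) and rec.get("origin") == "imptcp":
        return rec
    return None

def openfailed_deltas(lines, threshold=1):
    """Return (listener name, increase) for every interval in which the
    counter grew by at least `threshold`."""
    last, alerts = {}, []
    for line in lines:
        rec = parse_pstats(line)
        if rec is None or COUNTER not in rec:
            continue
        name, value = rec["name"], int(rec[COUNTER])
        prev = last.get(name)
        last[name] = value
        if prev is None:
            continue  # first record for this listener is only a baseline
        # A value lower than the previous one means the counters restarted
        # (assumption: daemon restart or reset), so the new value is the delta.
        delta = value - prev if value >= prev else value
        if delta >= threshold:
            alerts.append((name, delta))
    return alerts

def _sample(ts, opened, failed):
    # Constructed record modelled on the pstats line quoted in the thread.
    return ts + (r' host rsyslogd-pstats: { "name": "tcp-5144-in(*\/5144\/IPv4)", '
                 r'"origin": "imptcp", "submitted": 7, "sessions.opened": %d, '
                 r'"sessions.openfailed": %d, "sessions.closed": 0 }' % (opened, failed))

SAMPLE = [  # constructed input
    _sample("2018-11-08T13:00:00", 0, 0),
    "2018-11-08T13:00:01 host app: not a stats line {",
    '2018-11-08T13:00:02 host rsyslogd-pstats: { "name": "main Q", "origin": "core.queue", "size": 0 }',
    _sample("2018-11-08T13:01:00", 3, 0),
    _sample("2018-11-08T13:02:00", 3, 4),
    _sample("2018-11-08T13:03:00", 1, 2),  # lower than before: counters restarted
]

if __name__ == "__main__":
    for name, delta in openfailed_deltas(SAMPLE):
        print(f"{name}: {COUNTER} rose by {delta}")
```
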