Provides the ability to receive syslog messages via TCP. Encryption is natively provided by selecting the approprioate network stream driver and can also be provided by using stunnel (an alternative is the use the imgssapi module).
Author:Rainer Gerhards <rgerhards@adiscon.com>
This directive permits to specify an additional frame delimiter for Multiple receivers may be configured by specifying $InputTCPServerRun multiple times. This is available since version 4.3.1, earlier versions do NOT support it.
Default is off
Industry-strandard plain text tcp syslog uses the LF to delimit syslog frames. However, some users brought up the case that it may be useful to define a different delimiter and totally disable LF as a delimiter (the use case named were multi-line messages). This mode is non-standard and will probably come with a lot of problems. However, as there is need for it and it is relatively easy to support, we do so. Be sure to turn this setting to “on” only if you exactly know what you are doing. You may run into all sorts of troubles, so be prepared to wrangle with that!
Default is off
Instructs imtcp to emit a message if the remote peer closes a connection.
Important: This directive is global to all listeners and must be given right after loading imtcp, otherwise it may have no effect.
Default is off
enable of disable keep-alive packets at the tcp socket layer. The default is to disable them.
The number of unacknowledged probes to send before considering the connection dead and notifying the application layer. The default, 0, means that the operating system defaults are used. This has only effect if keep-alive is enabled. The functionality may not be available on all platforms.
The interval between subsequential keepalive probes, regardless of what the connection has exchanged in the meantime. The default, 0, means that the operating system defaults are used. This has only effect if keep-alive is enabled. The functionality may not be available on all platforms.
The interval between the last data packet sent (simple ACKs are not considered data) and the first keepalive probe; after the connection is marked to need keepalive, this counter is not used any further. The default, 0, means that the operating system defaults are used. This has only effect if keep-alive is enabled. The functionality may not be available on all platforms.
Default is on
This setting specifies whether some message flow control shall be exercised on the related TCP input. If set to on, messages are handled as “light delayable”, which means the sender is throttled a bit when the queue becomes near-full. This is done in order to preserve some queue space for inputs that can not throttle (like UDP), but it may have some undesired effect in some configurations. Still, we consider this as a useful setting and thus it is the default. To turn the handling off, simply configure that explicitely.
Default is 20
Sets the maximum number of listeners (server ports) supported. This must be set before the first $InputTCPServerRun directive.
Default is 200
Sets the maximum number of sessions supported. This must be set before the first $InputTCPServerRun directive
Sets the driver mode for the currently selected network stream driver. <number> is driver specific.
Sets permitted peer IDs. Only these peers are able to connect to the listener. <id-string> semantics depend on the currently selected AuthMode and network stream driver. PermittedPeers may not be set in anonymous modes.
Sets permitted peer IDs. Only these peers are able to connect to the listener. <id-string> semantics depend on the currently selected AuthMode and network stream driver. PermittedPeer may not be set in anonymous modes. PermittedPeer may be set either to a single peer or an array of peers either of type IP or name, depending on the tls certificate.
Single peer: PermittedPeer=”127.0.0.1”
Array of peers: PermittedPeer=[“test1.example.net”,”10.1.2.3”,”test2.example.net”,”...”]
Starts a TCP server on selected port
Default: all interfaces
On multi-homed machines, specifies to which local address the listerner should be bound.
Sets a name for the inputname property. If no name is set “imtcp” is used by default. Setting a name is not strictly necessary, but can be useful to apply filtering based on which input the message was received from.
Binds the listener to a specific ruleset.
Default is on
If set to “on”, the legacy octed-counted framing (similar to RFC5425 framing) is activated. This should be left unchanged until you know very well what you do. It may be useful to turn it off, if you know this framing is not used and some senders emit multi-line messages into the message stream.
Specifies the rate-limiting interval in seconds. Default value is 0, which turns off rate limiting. Set it to a number of seconds (5 recommended) to activate rate-limiting.
Specifies the rate-limiting burst in number of messages. Default is 10,000.
This sets up a TCP server on port 514 and permits it to accept up to 500 connections:
module(load="imtcp" MaxSessions="500")
input(type="imtcp" port="514")
Note that the global parameters (here: max sessions) need to be set when the module is loaded. Otherwise, the parameters will not apply.
equivalent to: AddtlFrameDelimiter
equivalent to: DisableLFDelimiter
equivalent to: NotifyOnConnectionClose
equivalent to: KeepAlive
Equivalent to: KeepAlive.Probes
Equivalent to: KeepAlive.Interval
Equivalent to: KeepAlive.Time
equivalent to: Port
equivalent to: FlowControl
equivalent to: MaxListeners
equivalent to: MaxSessions
equivalent to: StreamDriver.Mode
equivalent to: Name
equivalent to: StreamDriver.AuthMode
equivalent to: PermittedPeer.
equivalent to: Ruleset.
equivalent to: SupportOctetCountedFraming
This sets up a TCP server on port 514 and permits it to accept up to 500 connections:
$ModLoad imtcp # needs to be done just once
$InputTCPMaxSessions 500
$InputTCPServerRun 514
Note that the parameters (here: max sessions) need to be set before the listener is activated. Otherwise, the parameters will not apply.