Ranier,
My thoughts are as such (perhaps naively):
We are tossing around ideas on how to overcome the limitation imposed by the syslog protocol of only local 0 to local 7 facilities.
(I need to visio this?)
Imagine a very large aggregated network intrusion detection system with 100 or more snort sensors all sending their data via syslog to a central server running an application that dumps everything to a database and provides real-time reporting of attacks. If someone is slow scanning across 50 of the locations, you would be able to spot it. To pull this off, you can only handle about 4 instances of snort per box, so you are sending the data via (syslog?) from each four-instance snort sensor to a central log aggregator. On the senders, so far, we are well within the 8-facility limitation. But what about the central aggregator? How does it handle 100 inbound facilities? Remember, each facility in our case denotes a separate snort sensor (physical location being monitored). If the ability existed, we could take advantage of being able to send more than 8 facilities per physical box where monitored locations are of a light enough resource usage to allow for more than eight at a location.
Mental diagram: we can send events from box 1, to box 2, to box 3 | box 6, to box 5, to box 4, to box 3, and aggregate all on box 3. (That's four per box except 3, for 20 facilities all being sent to box three.)
----
What I hate about Google: it is now 1:30 am, I am tired, and not sure what I just wrote makes any sense. If not, my daughter, wife, parents, friends, coworkers, etc., will see in 2020 that I wasn't making any sense tonight....
Bruce D. Meyer
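An added example, not part of the original post, illustrating the aggregator side of the problem described above: a small RFC 3164 syslog parser that decodes PRI into facility/severity and shows that keying sensors on facility alone collapses once more than eight local facilities arrive, while keying on (sending host, facility) keeps each snort instance distinct. The sample lines, hostnames and snort message text are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in RFC 3164 form, as several snort instances might emit them.
# PRI = facility * 8 + severity; local0..local7 are facilities 16..23.
SAMPLE_LINES = [
    "<132>Jan 12 01:30:01 sensor-a snort[1201]: [1:2003:8] portscan (constructed)",
    "<140>Jan 12 01:30:02 sensor-a snort[1202]: [1:2003:8] portscan (constructed)",
    "<132>Jan 12 01:30:03 sensor-b snort[1301]: [1:2003:8] portscan (constructed)",
    "<148>Jan 12 01:30:04 sensor-b snort[1303]: [1:2003:8] portscan (constructed)",
]

# <PRI>TIMESTAMP HOST TAG[PID]: MSG  (TAG/PID per RFC 3164; PID is optional)
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[(\d+)\])?: (.*)$"
)
LOCAL0, LOCAL7 = 16, 23

def parse_syslog(line):
    """Decode one RFC 3164 line into a dict; raises ValueError on malformed input."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return {"facility": facility, "severity": severity, "host": m.group(3),
            "tag": m.group(4), "pid": m.group(5), "msg": m.group(6)}

def local_index(rec):
    """Map facility to its localN number, or None if it is not local0..local7."""
    if LOCAL0 <= rec["facility"] <= LOCAL7:
        return rec["facility"] - LOCAL0
    return None

def sensors_by_facility(lines):
    """Facility-only keying: at most 8 distinct keys no matter how many sensors send."""
    return Counter(local_index(parse_syslog(l)) for l in lines)

def sensors_by_host_and_facility(lines):
    """(host, localN) keying: each snort instance on each box stays distinguishable."""
    return Counter((r["host"], local_index(r)) for r in map(parse_syslog, lines))

if __name__ == "__main__":
    print("by facility:      ", dict(sensors_by_facility(SAMPLE_LINES)))
    print("by host+facility: ", dict(sensors_by_host_and_facility(SAMPLE_LINES)))
```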
