An image says more than 1000 words 😉
Basically, the log source continuously sends log messages, encrypted via TLS, to the NetEye server.
TLS is handled by stunnel, and the content is then forwarded unencrypted inside the NetEye server to an Elastic Agent integration, “Custom TCP Logs”.
In this example, a firewall in the communication path was configured to silently drop TCP connections after 10 minutes without traffic.
Telling stunnel to send TCP keepalives solved the issue. See the following stunnel configuration as an example:
# cat /etc/stunnel/stunnel.conf
cert = /etc/stunnel/tls/certs/cert.crt
key = /etc/stunnel/tls/private/key.key
[logsource1]
accept = 5020
connect = 5021
TIMEOUTclose = 0
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
socket = a:TCP_KEEPINTVL=10
socket = a:TCP_KEEPIDLE=15
SO_KEEPALIVE is set to 1 for both the stunnel input (l:, the accept side) and output (r:, the connect side), so keepalive is enabled on both connections; the a: prefix applies an option to both sides.
TCP_KEEPIDLE=15 means that stunnel sends a keepalive probe once the connection has been idle for 15 seconds, i.e. roughly every 15 seconds when no log data flows, well before the firewall's 10-minute idle timeout.
TCP_KEEPINTVL=10 means that if a keepalive probe is not acknowledged, stunnel retries the probe after 10 seconds.
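As an added example (not from the original post or from stunnel itself), the following Python parses the socket = lines of a configuration like the one above, applies them with setsockopt to show which kernel options stunnel sets under the hood, and checks whether the first probe would go out before a firewall idle timeout. The 600-second firewall value, the Linux option names and the conf fragment are constructed assumptions.

```python
import socket

# Constructed fragment mirroring the stunnel.conf shown on the page
STUNNEL_CONF = """\
[logsource1]
accept = 5020
connect = 5021
TIMEOUTclose = 0
socket = l:SO_KEEPALIVE=1
socket = r:SO_KEEPALIVE=1
socket = a:TCP_KEEPINTVL=10
socket = a:TCP_KEEPIDLE=15
"""

# Kernel levels for the options stunnel passes through to setsockopt (Linux names)
OPTION_LEVELS = {
    "SO_KEEPALIVE": socket.SOL_SOCKET,
    "TCP_KEEPIDLE": socket.IPPROTO_TCP,
    "TCP_KEEPINTVL": socket.IPPROTO_TCP,
    "TCP_KEEPCNT": socket.IPPROTO_TCP,
}

def parse_socket_options(conf):
    """Return {'l': {...}, 'r': {...}}; an 'a:' option applies to both sides."""
    sides = {"l": {}, "r": {}}
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("socket"):
            continue
        _, _, value = line.partition("=")          # "l:SO_KEEPALIVE=1"
        side, _, opt = value.strip().partition(":")
        name, _, num = opt.partition("=")
        for s in (("l", "r") if side == "a" else (side,)):
            sides[s][name] = int(num)
    return sides

def apply_keepalive_to_new_socket(opts):
    """Apply the parsed options to a fresh TCP socket and read them back."""
    applied = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        for name, val in opts.items():
            const = getattr(socket, name, None)    # TCP_KEEPIDLE is Linux-only
            if const is None:
                continue
            sock.setsockopt(OPTION_LEVELS[name], const, val)
            applied[name] = sock.getsockopt(OPTION_LEVELS[name], const)
    return applied

def survives_idle_timeout(opts, firewall_idle_seconds):
    """True if the first probe is sent before the firewall drops an idle flow.
    Without TCP_KEEPIDLE the Linux default of 7200 s applies, so SO_KEEPALIVE
    alone does not beat a 10-minute idle timer."""
    idle = opts.get("TCP_KEEPIDLE", 7200)
    return opts.get("SO_KEEPALIVE", 0) == 1 and idle < firewall_idle_seconds
```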