Today I finally got my macOS Catalina VM working again on Debian Sid. I basically did a complete fresh install using macOS-Simple-KVM, tweaked some settings, imported it to virt-manager then optimised. Looking at it, what was breaking VFIO on 5.6/5.7/5.8.0 (yes I even compiled 5.8.0-rc5!) was probably the clock/pit settings, as kvm-pit using a lot of CPU was one of the symptons of the crashing, qemu did the whole install fine, then as soon as I imported into virt-manager it crashed.

In my earlier post about ELK over TLS, I left syslog as plaintext over UDP. I’ve since been looking into how to use TLS to encrypt the TCP transport for syslog, and mutual authentication using certificates as laid out in RFC 5425. I’m not really interested in using DTLS. I just happen to be using the same VM as the CA and the rsyslog server, but the CA server should be a totally separate machine, probably even air-gapped; the client is a different VM.

After the recent shenanigans regarding macos VFIO being broken in 5.6/5.7 kernels, the Debian qemu 5.0-6 package stopped booting macos whatsoever! Rolling back to 5.0-5 fixes things, as does compiling from source the release tagged v5.0.0 or even v4.2.1 So I raised a bug report to the Debian packagers, who identified the patches they got from upstream since 5.0-5 but with no real idea which one broke things. Next I raised a bug on the upstream qemu launchpad where they recommended a git bisect, which basically consists of working backwards from git/master to tag/v5.

Like a lot of people, I’m wanting to replace Splunk. To that end I’ve been looking into Elasticsearch. My prerequisites are: Replace Splunk Enterprise (or Splunk Free) with Elastic and its web UI Kibana; Replace Splunk Forwarder with Filebeat; Consume syslog over UDP using rsyslog; Use TLSv1.2 or better; Have an easy to deploy, low-resource client; Not use the resource-hungry Logstash. So I’ve downloaded the RPM’s for the stack I want to use (some extra beats to play with too) and we’ll also install a JDK and a couple of rsyslog modules for later, this was all for CentOS 8.

I decided to go all SSD in my T5610 as I could use the speed and wanted to get rid of the extra SATA cables, power splitters, 5.25" caddy, hard disk and an old SSD running on SATA2 etc; it also will pave the way for adding an NVMe when the prices fall a bit, and passing through an SSD to KVM for nested ESXi, although I found it doesn’t speed up a SUSE install at all over qcow2.