<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
Hi Peter,<br>
<br>
Thank you for correcting me! :)<br>
<br>
For some reason, I misinterpreted the question of Bryan... Reading it back now, nowhere is mentioned to have the TCP and UDP sources on the same port.<br>
<br>
Although it is possible to work on the same 514 port (as we do with default-network-drivers), it is surely much safer to handle the TCP connections on 601.<br>
<br>
Cheers,<br>
Attila
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Peter Eckel <lists@eckel-edv.de><br>
<b>Sent:</b> Monday, July 1, 2019 3:21:50 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list<br>
<b>Subject:</b> Re: [syslog-ng] Missing messages</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">CAUTION: This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.<br>
<br>
<br>
Hi Attila,<br>
<br>
> Yes, you can use the same port for UDP and TCP.<br>
<br>
while you *can* do that, you probably *should* not.<br>
<br>
TCP/514 is the registered port fpr rsh (remote shell, an ancient ancestor of ssh without encryption).<br>
<br>
There is no official registered port for syslog over TCP (<a href="https://tools.ietf.org/html/rfc6587">https://tools.ietf.org/html/rfc6587</a>), but a common practice (which I've been following as well for years without any collisions so far) is to use port
601, which is registered for syslog-conn. (<a href="http://networksorcery.com/enp/protocol/syslog.htm">http://networksorcery.com/enp/protocol/syslog.htm</a>). The RFC also mentions using 514 plus a multiple of 1000 for the port number, i.e. 1514, 2514, ...,
as a viable option.<br>
<br>
> It would look something like this, in your config:<br>
><br>
> source s_net {<br>
> syslog(ip(0.0.0.0) transport("udp") port(514));<br>
> syslog(ip(0.0.0.0) transport("tcp") port(514));<br>
> };<br>
<br>
So I'd change that to<br>
<br>
source s_net {<br>
syslog(ip(0.0.0.0) transport("udp") port(514));<br>
syslog(ip(0.0.0.0) transport("tcp") port(601));<br>
};<br>
<br>
to be on the safe side. While rsh is somewhat out of fashion these days, auditors that find an open TCP port 514 tend to at least ask questions about it :-)<br>
<br>
Best regards,<br>
<br>
Peter.<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">
http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</div>
</span></font></div>
</body>
</html>