<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I recently encountered the same situation. I did find a very
thorough post on one person's solution to this:<br>
</p>
<p><a class="moz-txt-link-freetext" href="https://stackoverflow.com/questions/71660070/unable-to-parse-rfc6587-framed-syslog-from-pulsesecure-using-syslog-ng-ose-3-33">https://stackoverflow.com/questions/71660070/unable-to-parse-rfc6587-framed-syslog-from-pulsesecure-using-syslog-ng-ose-3-33</a></p>
<p>I ended up setting up a separate port for each protocol, which
felt like a cleaner solution to me. It would be great if syslog-ng
could more easily support this type of situation natively.</p>
<p>Steve<br>
</p>
<div class="moz-cite-prefix">On 1/24/2023 8:12 AM, Matthias Gruber
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:OF1B8A1507.F7DA5E61-ONC1258941.0047C55F-C1258941.00488676@metzler.com">
<span style=" font-size:10pt;font-family:sans-serif">Hi!</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">We have
appliances
which are generating syslog messages in both formats, one in
3164, the other
in 5424.</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">Would it be
possible
to put them into one source?</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">Something
like</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">source
s_remote_appl_tcp
{</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif"> syslog(</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
ip("99.99.99.99")</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
port("5152")</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
transport("tcp")</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
flags(no-parse)</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif"> );</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">};</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">and... (just
excerpts)</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">parser
p_0140_A_parser
{</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
syslog-parser();</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">};</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">parser
p_0140_B_parser
{</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
syslog-parser(flags(syslog-protocol));</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">};</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">log {</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
source(s_remote_appl_tcp);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
parser(p_0140_A_parser);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
destination(d_0140_all);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
flags(final);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">};</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">log {</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
source(s_remote_appl_tcp);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
parser(p_0140_B_parser);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
destination(d_0140_all);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
flags(final);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">};</span>
<br>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">Any hints are
welcome...</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">Cheers</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">Matthias</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">P.S. It's an
OSE
3.38.1 running</span>
<br>
<br>
<br>
</blockquote>
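<p>The separate-port approach mentioned in the reply above, written out as a
syslog-ng configuration. This is an added example, not configuration posted
by either participant. The IP address, port 5152 and the destination name are
taken from the quoted message; the second port (5153), the source names and
the file path are assumptions.</p>
<pre>
```conf
@version: 3.38

# Added example. Port 5153, the source names and the file path are assumptions.

# Appliances that emit RFC 3164 (BSD syslog) are pointed at this port.
# network() parses incoming messages as RFC 3164 by default.
source s_remote_appl_3164 {
    network(
        ip("99.99.99.99")
        port(5152)
        transport("tcp")
    );
};

# Appliances that emit RFC 5424 (IETF syslog) are pointed at this port.
# syslog() parses incoming messages as RFC 5424 by default.
source s_remote_appl_5424 {
    syslog(
        ip("99.99.99.99")
        port(5153)
        transport("tcp")
    );
};

destination d_0140_all {
    file("/var/log/remote/0140_all.log");
};

# Each source parses its own format, so no flags(no-parse) and no separate
# syslog-parser() blocks are needed; both feed the same destination.
log {
    source(s_remote_appl_3164);
    source(s_remote_appl_5424);
    destination(d_0140_all);
    flags(final);
};
```
</pre>
<p>Running <code>syslog-ng --syntax-only</code> against the file checks the
configuration before the appliances are repointed.</p>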
</body>
</html>