<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">You can listen for both protocols on a
single port with</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">source s_both_protocols {</div>
<div class="moz-cite-prefix"> network(</div>
<div class="moz-cite-prefix"> localip("99.99.99.99")</div>
<div class="moz-cite-prefix"> port("5152")</div>
<div class="moz-cite-prefix"> transport("tcp")</div>
<div class="moz-cite-prefix"> flags(syslog-protocol)</div>
<div class="moz-cite-prefix"> );</div>
<div class="moz-cite-prefix">};<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">If you need to support RFC3164 over UDP
at the same time you can add</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">source s_udp_protocol {<br>
network(</div>
<div class="moz-cite-prefix"> localip("99.99.99.99")</div>
<div class="moz-cite-prefix"> port("5152")</div>
<div class="moz-cite-prefix"> transport("udp")</div>
<div class="moz-cite-prefix"> so-reuseport(1)</div>
<div class="moz-cite-prefix"> persist-name("udp1")</div>
<div class="moz-cite-prefix"> );<br>
network(
<div class="moz-cite-prefix"> localip("99.99.99.99")</div>
<div class="moz-cite-prefix"> port("5152")</div>
<div class="moz-cite-prefix"> transport("udp")</div>
<div class="moz-cite-prefix"> so-reuseport(1)</div>
<div class="moz-cite-prefix"> persist-name("udp2")</div>
<div class="moz-cite-prefix"> );<br>
network(
<div class="moz-cite-prefix"> localip("99.99.99.99")</div>
<div class="moz-cite-prefix"> port("5152")</div>
<div class="moz-cite-prefix"> transport("udp")</div>
<div class="moz-cite-prefix"> so-reuseport(1)</div>
<div class="moz-cite-prefix"> persist-name("udp3")</div>
<div class="moz-cite-prefix"> );</div>
<div class="moz-cite-prefix">};<br>
</div>
</div>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">The multiple network stanzas are to
support multi-threaded processing of UDP messages. You can add as
many entries here as you have CPU cores in your server.<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Evan.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 2023-01-24 06:02, Steve Bernacki
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:6af65fff-1170-cda7-4a29-9b3b535285e0@copacetic.net">
<div>
<p>I recently encountered the same situation. I did find a very
thorough post on one person's solution to this:<br>
</p>
<p><a class="moz-txt-link-freetext"
href="https://stackoverflow.com/questions/71660070/unable-to-parse-rfc6587-framed-syslog-from-pulsesecure-using-syslog-ng-ose-3-33"
moz-do-not-send="true">https://stackoverflow.com/questions/71660070/unable-to-parse-rfc6587-framed-syslog-from-pulsesecure-using-syslog-ng-ose-3-33</a></p>
<p>I ended up setting up a separate port for each protocol,
which felt like a cleaner solution to me. It would be great if
syslog-ng could more easily support this type of situation
natively.</p>
<p>Steve<br>
</p>
<div class="moz-cite-prefix">On 1/24/2023 8:12 AM, Matthias
Gruber wrote:<br>
</div>
<blockquote type="cite"
cite="mid:OF1B8A1507.F7DA5E61-ONC1258941.0047C55F-C1258941.00488676@metzler.com"><span
style=" font-size:10pt;font-family:sans-serif">Hi!</span> <br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">We have
Appliances which are generating syslog-messages in both
formats, one in 3164 the other in 5424.</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">Would it
be possible to put them into one source?</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">Something
like</span> <br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">source
s_remote_appl_tcp {</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif"> syslog(</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
ip("99.99.99.99")</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
port("5152")</span> <br>
<span style=" font-size:10pt;font-family:sans-serif">
transport("tcp")</span> <br>
<span style=" font-size:10pt;font-family:sans-serif">
flags(no-parse)</span> <br>
<span style=" font-size:10pt;font-family:sans-serif"> );</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">};</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">and...
(just excerpts)</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">parser
p_0140_A_parser {</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
syslog-parser();</span> <br>
<span style=" font-size:10pt;font-family:sans-serif">};</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">parser
p_0140_B_parser {</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
syslog-parser(flags(syslog-protocol));</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">};</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">log {</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
source(s_remote_appl_tcp);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
parser(p_0140_A_parser);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
destination(d_0140_all);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
flags(final);</span> <br>
<span style=" font-size:10pt;font-family:sans-serif">};</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">log {</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
source(s_remote_appl_tcp);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
parser(p_0140_B_parser);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
destination(d_0140_all);</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">
flags(final);</span> <br>
<span style=" font-size:10pt;font-family:sans-serif">};</span>
<br>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">Any hints
are welcome...</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">Cheers</span>
<br>
<span style=" font-size:10pt;font-family:sans-serif">Matthias</span>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">P.S. It's
an OSE 3.38.1 running</span>
<br>
<br>
<br>
<span style=" font-size:10pt;font-family:sans-serif">------------------------------------------------------------------------------------<br>
METZLER <br>
Informationstechnologie<br>
<br>
Matthias Gruber <br>
IT-Infrastruktur & -Betrieb<br>
<br>
B. Metzler seel. Sohn & Co.<br>
Aktiengesellschaft<br>
Untermainanlage 1<br>
60329 Frankfurt am Main<br>
Telefon 069 21 04 - 43 30<br>
Telefax 069 21 04 - 40 40<br>
<a class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:MGruber@metzler.com" moz-do-not-send="true">MGruber@metzler.com</a><br>
</span><a href="www.metzler.com" moz-do-not-send="true"><span
style=" font-size:10pt;font-family:sans-serif">www.metzler.com</span></a>
<br>
</blockquote>
</div>
</blockquote>
<br>
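<p>A check for the single-port listener discussed in this thread, as an added example that is not part of the original messages: it builds one constructed test message per format, classifies each by the version digit that RFC 5424 places after the priority, and can send both to the listener. The host name, tags and function names are assumptions of this example.</p>

```python
import re
import socket
import sys
from datetime import datetime, timezone

PRI = 16 * 8 + 6  # facility local0, severity info = 134

def build_rfc3164(host, tag, text, when):
    """BSD layout: PRI Mmm dd hh:mm:ss HOST TAG: MSG (day of month space-padded)."""
    # RFC 3164 carries no time zone; the receiver applies its own.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{PRI}>{stamp} {host} {tag}: {text}"

def build_rfc5424(host, app, text, when):
    """IETF layout: PRI VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG ("-" = nil)."""
    return f"<{PRI}>1 {when:%Y-%m-%dT%H:%M:%S}Z {host} {app} - - - {text}"

# RFC 5424 puts VERSION ("1") right after the PRI; RFC 3164 starts its timestamp there.
RFC5424_HEAD = re.compile(r"^<\d{1,3}>1 ")
RFC3164_HEAD = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

def classify(message):
    """Return which header layout a raw message uses."""
    if RFC5424_HEAD.match(message):
        return "rfc5424"
    if RFC3164_HEAD.match(message):
        return "rfc3164"
    return "unknown"

def send(message, host, port, transport="tcp"):
    """Send one message: newline-terminated on TCP, one datagram on UDP."""
    data = message.encode("utf-8")
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(data, (host, port))
    else:
        with socket.create_connection((host, port), timeout=5) as sock:
            sock.sendall(data + b"\n")

if __name__ == "__main__":
    # Usage: script.py HOST PORT [tcp|udp]; host name and tags are constructed.
    target, port = sys.argv[1], int(sys.argv[2])
    transport = sys.argv[3] if len(sys.argv) == 4 else "tcp"
    now = datetime.now(timezone.utc)
    for msg in (build_rfc3164("testhost", "fmt3164", "single-port test", now),
                build_rfc5424("testhost", "fmt5424", "single-port test", now)):
        print(classify(msg), msg)
        send(msg, target, port, transport)
```

<p>Run it with the listener's address and port (optionally <code>udp</code>), then confirm at the destination that both messages arrive with their host and program fields populated.</p>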
</body>
</html>