Hi Attila,
> Yes, you can use the same port for UDP and TCP.
while you *can* do that, you probably *should* not.
TCP/514 is the registered port for rsh (remote shell, an ancient ancestor of ssh without encryption).
There is no official registered port for syslog over TCP (https://tools.ietf.org/html/rfc6587), but a common practice (which I've been following as well for years without any collisions so far) is to use port 601, which is registered for syslog-conn (http://networksorcery.com/enp/protocol/syslog.htm). The RFC also mentions using 514 plus a multiple of 1000 for the port number, i.e. 1514, 2514, ..., as a viable option.
> It would look something like this, in your config:
>
> source s_net {
>     syslog(ip(0.0.0.0) transport("udp") port(514));
>     syslog(ip(0.0.0.0) transport("tcp") port(514));
> };
So I'd change that to
source s_net {
    syslog(ip(0.0.0.0) transport("udp") port(514));
    syslog(ip(0.0.0.0) transport("tcp") port(601));
};
to be on the safe side. While rsh is somewhat out of fashion these days, auditors that find an open TCP port 514 tend to at least ask questions about it :-)
Best regards,
Peter.
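As an added example (not from the thread and not syslog-ng's own code), here is a small Python lint that scans syslog-ng source definitions and flags a TCP listener on port 514, while accepting 601 and 514 plus a multiple of 1000 as Peter suggests. The regexes and the sample config are my own simplifications; drivers that omit transport or port are skipped rather than judged against syslog-ng's defaults.

```python
import re

# Ports discussed in the thread: TCP/514 is registered for rsh, TCP/601 for syslog-conn.
RSH_TCP_PORT = 514
SYSLOG_CONN_TCP_PORT = 601

# One syslog() network driver statement, e.g.
#   syslog(ip(0.0.0.0) transport("tcp") port(514));
_DRIVER_RE = re.compile(r'syslog\((?P<opts>[^;]*);', re.IGNORECASE)
_TRANSPORT_RE = re.compile(r'transport\(\s*"?(?P<t>[a-z]+)"?\s*\)', re.IGNORECASE)
_PORT_RE = re.compile(r'port\(\s*"?(?P<p>\d+)"?\s*\)', re.IGNORECASE)


def is_conventional_tcp_port(port: int) -> bool:
    """True for the TCP ports the thread recommends: 601 (syslog-conn) or
    514 plus a positive multiple of 1000 (1514, 2514, ...)."""
    if port == SYSLOG_CONN_TCP_PORT:
        return True
    return port > RSH_TCP_PORT and (port - RSH_TCP_PORT) % 1000 == 0


def check_syslog_sources(config_text: str) -> list:
    """Return one (transport, port, verdict) tuple per syslog() driver that
    states both transport and port. TCP (or tls) on 514 collides with rsh's
    registered port and is marked 'rsh-collision'; 601 and 514+n*1000 are
    'ok'; any other TCP port is 'nonstandard'. UDP/514 is the registered
    syslog port, so udp is 'ok' only on 514."""
    findings = []
    for m in _DRIVER_RE.finditer(config_text):
        opts = m.group("opts")
        t, p = _TRANSPORT_RE.search(opts), _PORT_RE.search(opts)
        if not (t and p):
            continue  # transport or port left to defaults; not judged here
        transport, port = t.group("t").lower(), int(p.group("p"))
        if transport == "udp":
            verdict = "ok" if port == 514 else "nonstandard"
        elif port == RSH_TCP_PORT:
            verdict = "rsh-collision"
        elif is_conventional_tcp_port(port):
            verdict = "ok"
        else:
            verdict = "nonstandard"
        findings.append((transport, port, verdict))
    return findings


# Constructed sample: the quoted config with TCP still on 514, plus the
# corrected listener on 601 and one on 1514.
SAMPLE_CONFIG = """
source s_net {
    syslog(ip(0.0.0.0) transport("udp") port(514));
    syslog(ip(0.0.0.0) transport("tcp") port(514));
    syslog(ip(0.0.0.0) transport("tcp") port(601));
    syslog(ip(0.0.0.0) transport("tcp") port(1514));
};
"""

if __name__ == "__main__":
    for transport, port, verdict in check_syslog_sources(SAMPLE_CONFIG):
        print(f"{transport}/{port}: {verdict}")
```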