Also, check out the default-network-drivers() logic. You might not need the whole stuff, but it's good to get ideas from.

It opens all relevant ports and processes both rfc3164/rfc5424 and cisco traffic properly.

It is here: https://github.com/balabit/syslog-ng/blob/master/scl/default-network-drivers/plugin.conf

default-network-drivers() can be extended using parsers automatically, so that you only have a static configuration, and application adapters that get deployed later on.

Bazsi
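As an added example that is not part of the thread or of the syslog-ng project's own files, here is a minimal syslog-ng.conf that takes Bazsi's suggestion literally: the entire source side is a single default-network-drivers() call from the SCL. The destination, the log path, the file path and the source/destination names are assumptions made for illustration; the `@version` line matches the 3.19 upgrade target mentioned later in the thread.

```conf
@version: 3.19
# default-network-drivers() is defined in the SCL (the plugin.conf linked
# above), so scl.conf must be included before the block can be referenced.
@include "scl.conf"

# One source block instead of one source() entry per format. As described in
# the thread, it opens the relevant ports itself and processes RFC3164,
# RFC5424 and Cisco traffic, and application parsers deployed later extend it
# without touching this static configuration. Port and tuning options exist
# on the block; check the linked plugin.conf for the exact parameter names.
source s_network {
    default-network-drivers();
};

# Assumed destination for the example: one file per sending host, so that
# what was parsed from each format can be inspected side by side.
destination d_remote {
    file("/var/log/remote/${HOST}.log" create-dirs(yes));
};

log {
    source(s_network);
    destination(d_remote);
};
```

This replaces, rather than complements, a hand-written network() source such as the one Evan shows with flags(syslog-protocol): both would try to bind the same port 514, so run one or the other on a given listener, not both.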

On Sun, Feb 24, 2019 at 4:30 PM Evan Rempel <erempel@uvic.ca> wrote:
Yes, there is a flag "syslog-protocol" that will allow this. The rfc5124 only applies to TCP, so the flag
is only on the tcp source.

Our configuration for the source is

source s_network_udp {
    network(localip(1.2.3.4) port(514) so_rcvbuf(33554432) log_fetch_limit(20000) log_iw_size(1000000) transport("udp") tags("unix_network") flags(no-multi-line));
};
source s_network_tcp {
    network(localip(1.2.3.4) port(514) max_connections(5000) log_fetch_limit(20000) log_iw_size(1000000) transport("tcp") flags(no-multi-line,syslog-protocol) tags("unix_network"));
};

Hope that helps.

Evan.
On 2/23/19 5:07 PM, Carlan Philippe wrote:
Hi all, 

Is there a way to configure syslog-ng to properly process both RFC3164 and RFC5124 on the same listening port?

The scenario is a bunch of devices sending traffic to one syslog server port (both udp + tcp) with the senders typically not knowing what protocol they are sending.

We are running syslog-ng 3.13 with this setup: 

source s_syslog { udp(ip(0.0.0.0) port(514));
                  tcp(ip(0.0.0.0) port(514)); };


If needed we could upgrade syslog-ng to 3.19.1, but having checked the doc for 3.19, it seems that the solution would be to create 2 source entries, 1 for RFC3164 with network() and 1 for RFC5124 with syslog(). Nevertheless, these 2 sources would have to listen on *different* ports and that is the problem for us.

Note that we also have an identical issue with cisco traffic: since it is not RFC compliant, syslog-ng automatically adds a header with timestamp and hostname.

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq