Re: [syslog-ng] syslog-ng Digest, Vol 166, Issue 8
Could you please clarify why the sources don't know what protocol they are sending? Are they relaying from other unknown sources?
Date: Sun, 24 Feb 2019 01:07:01 +0000 (UTC)
From: Carlan Philippe <philrmls@yahoo.fr>
To: "syslog-ng@lists.balabit.hu" <syslog-ng@lists.balabit.hu>
Subject: [syslog-ng] Syslog-ng setup for both RFC3164 and RFC5124
Message-ID: <1313969407.6661190.1550970421020@mail.yahoo.com>
Content-Type: text/plain; charset="utf-8"
Hi all,

Is there a way to configure syslog-ng to process properly both RFC3164 and RFC5424 on the same listening port? The scenario is a bunch of devices sending traffic to one syslog server port (both udp + tcp), with the senders typically not knowing what protocol they are sending. We are running syslog-ng 3.13 with this setup:

source s_syslog {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

If needed we could upgrade syslog-ng to 3.19.1, but having checked the doc for 3.19, it seems that the solution would be to create 2 source entries, 1 for RFC3164 with network() and 1 for RFC5424 with syslog(). Nevertheless, these 2 sources would have to listen on *different* ports, and that is the problem for us. Note that we also have an identical issue with cisco traffic: since it's not RFC compliant, syslog-ng automatically adds a header with timestamp and hostname.
Thank you.
Hello Nathan!

This topic is also discussed in: https://lists.balabit.hu/pipermail/syslog-ng/2019-February/025068.html

You can't avoid having 2 sources, as udp and tcp would need 2 different drivers. However, you can use 1 driver for TCP messages, both RFC3164 and RFC5424, if you use the network() driver with flags(syslog-protocol).

The question is how the RFC5424 logs are sent over; if they are sent according to RFC6587 (as the syslog() destination driver uses), they will be prefixed with a message length value:

110 <13>1 2019-02-01T09:44:21.386965+01:00 somehost somemachine - - [timeQuality tzKnown="1" isSynced="0"] RFC5424 format message

https://tools.ietf.org/html/rfc6587

Regards,
Gabor

On Sun, Feb 24, 2019 at 3:56 PM Nathan Fish <lordcirth@gmail.com> wrote:
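To make concrete what Gabor's answer asks of the receiver, here is an added example, not code from the thread or from the syslog-ng project: a small Python framer and classifier for a TCP byte stream that mixes RFC 3164 (BSD), RFC 5424 (IETF) and RFC 6587 octet-counted messages on one port. It first decides the framing of each chunk (a leading "digits space" is a length prefix, otherwise the message ends at a newline), then classifies each framed message by its PRI and header. The sample stream, the BSD line, the non-conforming "PRI but no header" line and the trailing partial message are constructed for the example; the RFC 5424 line is the one quoted above, with its octet count computed rather than copied. The function names (octet_count_frame, split_frames, parse_structured_data, classify, demo) are the example's own.

```python
# Added example (not from the thread or from syslog-ng itself): a receiver-side
# framer and classifier for a TCP byte stream that mixes RFC 3164 (BSD) and
# RFC 5424 (IETF) messages, with or without RFC 6587 octet-counting.
import re
from typing import Dict, List, Tuple

PRI_RE = re.compile(rb"^<(\d{1,3})>")
# RFC 6587 octet-counting frame: "MSG-LEN SP SYSLOG-MSG"
OCTET_COUNT_RE = re.compile(rb"^(\d{1,5}) ")
# RFC 5424 HEADER after PRI: VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
IETF_HEADER_RE = re.compile(
    rb"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.S,
)
# RFC 3164 HEADER after PRI: "Mmm dd hh:mm:ss" SP HOSTNAME SP then TAG/CONTENT
BSD_HEADER_RE = re.compile(
    rb"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$",
    re.S,
)


def octet_count_frame(msg: bytes) -> bytes:
    """Wrap one message in RFC 6587 octet-counting framing: b'<len> <msg>'."""
    return b"%d %s" % (len(msg), msg)


def split_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP receive buffer into complete messages plus leftover bytes.

    A chunk starting with 'digits SP' is read as an octet-counted frame; anything
    else is read as newline-terminated (non-transparent framing). Leftover is the
    trailing incomplete frame the caller should keep for the next read.
    """
    frames: List[bytes] = []
    while buf:
        m = OCTET_COUNT_RE.match(buf)
        if m:
            n, start = int(m.group(1)), m.end()
            if len(buf) - start < n:
                break  # length prefix seen but payload not fully arrived yet
            frames.append(buf[start:start + n])
            buf = buf[start + n:]
            if buf.startswith(b"\n"):  # some senders add a newline after the frame
                buf = buf[1:]
            continue
        nl = buf.find(b"\n")
        if nl < 0:
            break  # no terminator yet
        frames.append(buf[:nl].rstrip(b"\r"))
        buf = buf[nl + 1:]
    return frames, buf


def parse_structured_data(rest: bytes) -> Tuple[bytes, bytes]:
    """Take RFC 5424 STRUCTURED-DATA off the front of `rest`; return (sd, msg)."""
    if rest.startswith(b"-"):
        return b"-", rest[1:].lstrip(b" ")
    i = 0
    while i < len(rest) and rest[i:i + 1] == b"[":
        j = i + 1
        while j < len(rest) and rest[j:j + 1] != b"]":
            j += 2 if rest[j:j + 1] == b"\\" else 1  # skip escaped '"', ']' and '\'
        i = j + 1
    return rest[:i], rest[i:].lstrip(b" ")


def classify(msg: bytes) -> Dict[str, object]:
    """Identify the format of one framed message and extract the fields a collector keys on."""
    out: Dict[str, object] = {"format": "unparsed", "raw": msg}
    m = PRI_RE.match(msg)
    if not m or int(m.group(1)) > 191:
        return out  # no valid PRI: neither RFC 3164 nor RFC 5424
    pri = int(m.group(1))
    out["facility"], out["severity"] = pri >> 3, pri & 7
    body = msg[m.end():]
    ietf = IETF_HEADER_RE.match(body)
    if ietf:
        sd, text = parse_structured_data(ietf.group("rest"))
        out.update(format="rfc5424", timestamp=ietf.group("ts"), host=ietf.group("host"),
                   app=ietf.group("app"), structured_data=sd, message=text)
        return out
    bsd = BSD_HEADER_RE.match(body)
    if bsd:
        out.update(format="rfc3164", timestamp=bsd.group("ts"), host=bsd.group("host"),
                   message=bsd.group("rest"))
        return out
    # PRI present but no recognisable header: the collector would have to stamp its
    # own timestamp and host, which is the behaviour the thread complains about.
    out.update(format="pri-only", message=body)
    return out


# Constructed sample traffic (not captured from real devices). The RFC 5424 line is the
# one quoted in the thread; its octet count is computed, not copied.
IETF_MSG = (b"<13>1 2019-02-01T09:44:21.386965+01:00 somehost somemachine - - "
            b'[timeQuality tzKnown="1" isSynced="0"] RFC5424 format message')
BSD_MSG = b"<34>Feb 24 01:07:01 gateway sshd[4242]: Accepted publickey for ops from 192.0.2.7"
ODD_MSG = b"<189>42: %SYS-5-CONFIG_I: Configured from console by vty0"  # PRI, no RFC header
PARTIAL = b"<13>1 2019-02-01T09:45:00Z somehost somemachine - - - still arriving"

SAMPLE_STREAM = octet_count_frame(IETF_MSG) + BSD_MSG + b"\n" + ODD_MSG + b"\r\n" + PARTIAL


def demo() -> Tuple[List[Dict[str, object]], bytes]:
    """Frame and classify the sample stream; returns (classified messages, leftover)."""
    frames, leftover = split_frames(SAMPLE_STREAM)
    return [classify(f) for f in frames], leftover


if __name__ == "__main__":
    parsed, rest = demo()
    for p in parsed:
        print(p["format"], p.get("host"), p.get("message"))
    print("leftover bytes:", len(rest))
```

The framing rule "leading digits plus a space means a length prefix" is exactly the point of Gabor's warning. It only works because a conforming RFC 3164 or RFC 5424 message always starts with "<": a newline-framed message that lacks a PRI and happens to begin with a number would be read as a length prefix and desynchronise the whole TCP stream, which is why octet-counted senders are safer on their own listener unless every sender is known to emit a PRI. The same decision has to be made by whatever driver accepts both formats on one port, such as the network() driver with flags(syslog-protocol) that Gabor describes for TCP.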
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
participants (2)
- Nagy, Gábor
- Nathan Fish