[syslog-ng] syslog-ng Digest, Vol 166, Issue 8

[Nathan Fish]

Could you please clarify why the sources don't know what protocol they
are sending? Are they relaying from other unknown sources?

> Date: Sun, 24 Feb 2019 01:07:01 +0000 (UTC)
> From: Carlan Philippe <philrmls at yahoo.fr>
> To: "syslog-ng at lists.balabit.hu" <syslog-ng at lists.balabit.hu>
> Subject: [syslog-ng] Syslog-ng setup for both RFC3164 and RFC5124
> Message-ID: <1313969407.6661190.1550970421020 at mail.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi all,
> Is there a way to configure syslog-ng to process properly both RFC3164 and RFC5124 on the same listening port ?
> The scenario is a bunch of devices sending traffic to one  syslog server port (both udp + tcp) with the senders typically not knowing what protocol they are sending.
> We are running syslog-ng 3.13 with this setup:
> source s_syslog { udp(ip(0.0.0.0) port(514)) ;                              tcp(ip(0.0.0.0)  port(514)); }
>
>  If needed we could upgrade syslog-ng to 3.19.1 but having checked the doc for 3.19, it seems that the solution would be to create 2 source entries, 1 for RFC3164 with network() and 1 for RFC5124 with  syslog().  Neverthless, these 2 sources would have to listen on *different* ports and that is the problem for us.
> Note that we also have an identical issue with cisco traffic, since it's not RFC compliant, syslog-ng adds automatically a header with  timestamp and hostname.
>
> Thank you.